[VIM] FreeRADIUS mess + drama

security curmudgeon jericho at attrition.org
Tue Sep 13 04:27:47 EDT 2005

Little drama between the FreeRADIUS team and SuSE:

This is the real interesting post. Quoting relevant parts that may be of 
interest to us, as they directly relate to vulnerability reports and the 
headaches we suffer as a result.



The version audited was  Version 1.0.4 has been out for
almost two months now, and would have been a better choice for


   By our analysis, the issues Suse raises may be grouped into the
following categories:

   (a) low-impact, non-exploitable externally accessible issues
5.1 (1) ldap escaping

   (b) low-impact non-exploitable, non-externally accessible issues.
5.4 sql_unixodbc memory allocation error

   (c) issues exploitable by the RADIUS server administrator
5.9 (1) max_fd
5.11 (2) vradlog, line 135
5.11 (3) vradlog, line 150
5.15 (1) max_fd
5.15 (3) MAX_ENVP not checked

   (d) Misunderstandings or misreading of the source:
5.1 (2) unavailable LDAP blocking the server
5.3 (1) sql_escape_func
5.3 (2) rlm_sql_authorize, line 747
5.7 (1) check_for_realm, line 209
5.7 (2) check_for_realm, line 210
5.9 (2) arguments to checkrad
5.11 (1) vradlog, line 133
5.12 (1) rad_auth_log
5.12 (2) rad_authenticate line 678
5.13 (2) rad_decode()
5.13 (3) rad_pwdecode()
5.13 (4) rad_tunnel_pwdecode()
5.14 (2) DNS escaping for SQL
5.15 (2) escaping command-line options

   Out of 21 reported issues, 14 are not real.  A false-positive rate
of 67% indicates serious issues with the analysis methods.


   We have concerns with a message Suse sent to the vendor-sec mailing
list.  Our response is here:


   Shortly after our response, RedHat posted a message on Bugtraq,
which led to the following vulnerability listing on Security Focus:


   The comments under "discuss" say:


The first issues are memory handling vulnerabilities. These
issues may allow remote attackers to crash affected services,
or possibly execute arbitrary machine code in the context of
the vulnerable application.

FreeRADIUS is also affected by a possible file descriptor
leak. This may be exploited to gain access to files that an attacker
may not normally have access to.

   Based on our analysis, both of these comments are, quite simply,
false.  For the issues found by Suse, there is no possible external
exploit vector that crashes the system or allows execution of
arbitrary machine code.
