[VIM] Clarification/dispute (or not) on Sep 2005 FreeRADIUS issues

Steven M. Christey coley at mitre.org
Tue Mar 28 02:46:57 EST 2006


Various VDBs reported some FreeRADIUS issues, possibly stemming from a
public Red Hat bug report in September 2005, which highlighted some
details of an original SuSE bug report:

  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=167676

The original SUSE report was not public, near as I can tell.

Relevant references for Red Hat's bug report include BID:14775,
SECUNIA:16712, and various X-Force references including
XF:freeradius-token-sqlunixodbc-dos(22211).

FreeRADIUS also posted a point-by-point dispute of SuSE's extensive
findings, here:

 http://www.freeradius.org/security/20050909-response-to-suse.txt

While multiple "bugs" were acknowledged, most of them were not
"externally exploitable" in FreeRADIUS' terminology, which (with other
comments in the dispute) I interpreted as meaning that the bugs were
only exploitable by the FreeRADIUS admin - and thus did not seem to
cross security boundaries.  I'm not 100% convinced that the LDAP issue
falls under this category (wildcards are rarely mentioned as attack
vectors in LDAP related issues), but there's only so much to process
at once.

The conflicting reports from SUSE and FreeRADIUS resulted in what CVE
calls a "delay complex" action, which shouldn't last more than a day
or two but sometimes does, especially when even the editor doesn't
know what to do :)

Anyway, here it is 6 months later and I've been prompted to address
the question, at least for CVE.  Since the FreeRADIUS dispute seemed
to be the last public commentary on the issue (or issues), I used that
as the authoritative document.  Trying to read between the lines of
FreeRADIUS' dispute, it seems that only one aspect of SUSE's original
report is agreed to by FreeRADIUS, an off-by-one error in the
sql_error function in sql_unixodbc.c, which is still apparently
dependent on other environmental factors.  I wrote up a CVE
accordingly.

In the midst of all this, the FreeRADIUS web site also reported some
issues that it treated as vulnerabilities, but they were originally
reported by Primoz Bratanic, not SUSE.  Reading between the lines
again, the core issues seem to involve SQL injection and a buffer
overflow in the rlm_sqlcounter module:

  http://www.freeradius.org/security.html

  "2005.09.09 v1.0.3, v1.0.4 - Multiple issues exist with version
  1.0.4, and all prior versions of the server. Externally exploitable
  vulnerabilities exist only for sites that use the rlm_sqlcounter
  module. Those sites may be vulnerable to SQL injection attacks,
  similar to the issues noted below. All sites that have not deployed
  the rlm_sqlcounter module are not vulnerable to external
  exploits. However, we still recommend that all sites upgrade to
  version 1.0.5.

  The issues are:

  * SQL Injection attack in the rlm_sqlcounter module.

  * Buffer overflow in the rlm_sqlcounter module, that may cause a
    server crash.

  * Buffer overflow while expanding %t, that may cause a server crash.

  These issues were found by Primoz Bratanic. As the rlm_sqlcounter
  module is marked "experimental" in the server source, it is not
  enabled or configured in most sites. As a result, we believe that
  the number of vulnerable sites is low."

Attack vectors or affected components for the "%t" issue were not
clear according to this text.

Based on all this, I chose to create 3 separate CVE identifiers as you
see below, but needless to say my confidence in their accuracy is
sub-par.

- Steve


======================================================
Name: CVE-2005-4744
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4744
Acknowledged: yes advisory
Announced: 20050909
Flaw: other
Reference: CONFIRM:http://www.freeradius.org/security/20050909-response-to-suse.txt
Reference: MISC:http://www.freeradius.org/security/20050909-vendor-sec.txt
Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=167676
Reference: BID:14775
Reference: URL:http://www.securityfocus.com/bid/14775
Reference: SECUNIA:16712
Reference: URL:http://secunia.com/advisories/16712
Reference: XF:freeradius-token-sqlunixodbc-dos(22211)
Reference: URL:http://xforce.iss.net/xforce/xfdb/22211

Off-by-one error in the sql_error function in sql_unixodbc.c in
FreeRADIUS 1.0.2.5-5, and possibly other versions including 1.0.4,
might allow remote attackers to cause a denial of service (crash) and
possibly execute arbitrary code by causing the external database query
to fail.  NOTE: this single issue is part of a larger-scale
disclosure, originally by SUSE, which reported multiple issues that
were disputed by FreeRADIUS.  Disputed issues included file descriptor
leaks, memory disclosure, LDAP injection, and other issues.  Without
additional information, the most recent FreeRADIUS report is being
regarded as the authoritative source for this CVE identifier.


Analysis:
ACCURACY: the FreeRADIUS dispute to the original SUSE post contains
point-by-point rebuttals of many of SUSE's original claims, but it
does not explicitly acknowledge some individual issues.  Therefore
this CVE identifier is a "best guess" (as of 20060327) regarding the
best available information.


======================================================
Name: CVE-2005-4745
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4745
Acknowledged: yes changelog
Announced: 20050909
Flaw: sql-inject
Reference: CONFIRM:http://www.freeradius.org/security.html
Reference: OSVDB:19323
Reference: URL:http://www.osvdb.org/19323

SQL injection vulnerability in the rlm_sqlcounter module in FreeRADIUS
1.0.3 and 1.0.4 allows remote attackers to execute arbitrary SQL
commands via unknown attack vectors.


Analysis:
ACKNOWLEDGEMENT: vendor security page says "2005.09.09 v1.0.3, v1.0.4
- Multiple issues exist with version 1.0.4, and all prior versions of
the server. Externally exploitable vulnerabilities exist only for
sites that use the rlm_sqlcounter module. Those sites may be
vulnerable to SQL injection attacks, similar to the issues noted
below...  SQL Injection attack in the rlm_sqlcounter module."


======================================================
Name: CVE-2005-4746
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4746
Acknowledged: yes changelog
Announced: 20050909
Flaw: buf
Reference: CONFIRM:http://www.freeradius.org/security.html
Reference: OSVDB:19324
Reference: URL:http://www.osvdb.org/19324
Reference: OSVDB:19325
Reference: URL:http://www.osvdb.org/19325

Multiple buffer overflows in FreeRADIUS 1.0.3 and 1.0.4 allow remote
attackers to cause denial of service (crash) via (1) the
rlm_sqlcounter module or (2) unknown vectors "while expanding %t".


Analysis:

ACKNOWLEDGEMENT: vendor security page says "2005.09.09 v1.0.3, v1.0.4
- Multiple issues exist with version 1.0.4, and all prior versions of
the server. Externally exploitable vulnerabilities exist only for
sites that use the rlm_sqlcounter module...  Buffer overflow in the
rlm_sqlcounter module, that may cause a server crash.  Buffer overflow
while expanding %t, that may cause a server crash."



