Vendor statement re: CVE-2007-0080

Alan DeKok aland at freeradius.org
Mon Jan 29 11:54:49 CET 2007


  CVE-2007-0080 was recently brought to our attention.  Please find our
official response below.

  In short, the response of 3APA3A is correct.
(i.e. http://www.securityfocus.com/archive/1/455812/100/0/threaded)

  We believe that the correct CVSS base score metrics are as follows:

http://nvd.nist.gov/cvss.cfm?name=CVE-2007-0080&vector=(AV:L/AC:L/Au:R/C:N/I:N/A:N/B:N)

  The issue is NOT remotely exploitable.  The attack complexity is low
(editing a configuration file).  Only authenticated administrators on
the local machine can cause this issue.  There is no confidentiality
impact, as the administrator already has complete access to the local
system.  There is no integrity or availability impact, because
exploiting the issue is done by the local administrator who runs code he
is permitted to run, with a privilege level he is permitted to use.

  Please update the CVE listing with the above CVSS base score.

  For publication on the web site, our official statement is:

-- Official Vendor Statement from the FreeRADIUS Server project

This issue is not a security vulnerability.  The exploit is available
only to local administrators who have write access to the server
configuration files.  As such, this issue has no security impact on any
system running FreeRADIUS.

-- Official Vendor Statement from the FreeRADIUS Server project

  Please also update the Overview, with the following suggested text:

-- Overview

A buffer overflow in the SMB_Connect_Server function in FreeRADIUS 1.1.4
and earlier allows attackers to execute arbitrary code related to the
server desthost field of an SMB_Handle_Type instance.  This issue
cannot be exploited remotely, and can only be exploited by administrators
who have write access to the server configuration files.

-- Overview


  As additional information, the originator of the issue did not contact
us for an official vendor statement, and did not respond to our attempts
to discuss this issue.  Our security contact is clearly available on the
web site (http://freeradius.org/security.html), and includes a PGP key
for authentication and confidentiality.  We suggest anyone who believes they
find an issue in FreeRADIUS contact us before making the issue public.

  Alan DeKok
  Project Leader
  The FreeRADIUS Server Project