On Jun 22, 2015, at 3:57 PM, Alan DeKok <aland@deployingradius.com> wrote:
We had a CVE issued today: http://www.ocert.org/advisories/ocert-2015-008.html
OpenSSL doesn't check intermediate CAs for expiry when setting the "check CRL" flag. You need to set another flag saying "I really mean check ALL of the CRLs". FreeRADIUS didn't set that flag.
The impact for 99% of people is nothing. In order to be vulnerable, you have to have all of the following in the configuration:
1) the RADIUS system has to use a public CA
2) use an intermediate CA to issue client certificates
3) enable EAP-TLS
Most people don't have EAP-TLS enabled. A small number of people might be using an intermediate CA. A vanishingly small number of people will be using a public CA for RADIUS.
Using a public CA is a *terrible* idea. We have been recommending against it for years.
The problem got a CERT advisory issued because technically it is a security bug, and the original person who reporting it didn't want to contact security@freeradius.org.
We'll get 2.2.8 and 3.0.9 out soon. In the mean time, most people can ignore this issue.
Just to clarify. This will likely only effect you if you got an intermediary CA from a public CA, then used that to sign certificates that you distributed to your clients. You should generally never do this. -Arran