Discarding new rquests and CPU eats 99.9%

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Fri Nov 10 21:23:55 CET 2006

> =?iso-8859-9?Q?Cihan_DEM=DDR?= <cihan.demir at omsan.com.tr> wrote:
> > We're using 0.9.3 version on RedHat.
> ...
> > Any comment? Thanks in advance.
>   Upgrade.

and to back Alan up, you really should upgrade:

# 2006.03.20 v1.0.5, and v1.1.0 - A validation issue exists with the EAP-MSCHAPv2 module in all versions from 1.0.0 (where the module first appeared) to 1.1.0. Insufficient input validation was being done in the EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing. We recommend that administrators upgrade immediately.

# 2005.09.09 v1.0.3, v1.0.4 - Multiple issues exist with version 1.0.4, and all prior versions of the server. Externally exploitable vulnerabilities exist only for sites that use the rlm_sqlcounter module. Those sites may be vulnerable to SQL injection attacks, similar to the issues noted below. All sites that have not deployed the rlm_sqlcounter module are not vulnerable to external exploits. However, we still recommend that all sites upgrade to version 1.0.5.

The issues are:

    * SQL Injection attack in the rlm_sqlcounter module.
    * Buffer overflow in the rlm_sqlcounter module, that may cause a server crash.
    * Buffer overflow while expanding %t, that may cause a server crash.

These issues were found by Primoz Bratanic. As the rlm_sqlcounter module is marked "experimental" in the server source, it is not enabled or configured in most sites. As a result, we believe that the number of vulnerable sites is low.

Additional issues, not externally exploitable, were found by Suse. A full response to their report is available here. A related post to the vendor-sec mailing list is found here.

# 2005.05.01 v1.0.1, v1.0.2 - Two vulnerabilities in the SQL module exist in all versions prior to 1.0.3. Sites not using the SQL module are not affected by this issue. However, we still recommend that all sites upgrade to version 1.0.3.

The issues are:

    * Buffer overflow - A long string could overflow an internal buffer in the SQL module, and write two bytes of text [0-9a-f] past the end of the buffer. The server may exit when this happens, resulting in a DoS attack. Depending on the local configuration of the server, this may occur before a user is authenticated. This vulnerability is externally exploitable, but can not result in the execution of arbitrary code.
    * SQL injection attacks - The SQL module suffers from SQL injection attacks in the group_membership_query, simul_count_query, and simul_verify_query configuration entries. The first query is exploitable if your site is configured to use the SQL-Group attribute in any module in the authorize section of radiusd.conf. The last two queries are exploitable only if your site has user names that contain a single quote character (').

# 2004.09.14 v1.0.0 - Multiple external DoS attacks exist in the server. These are related to the attacks below, in 0.9.2, but were not caught then. The vulnerabilities are fixed in 1.0.1, and in all later versions of the server. The vulnerabilities are not exploitable, but can be used to remotely crash the server.

# 2003.11.20 v0.9.3 - There is an externally exploitable root compromise in rlm_smb, through a stack overflow when a password greater than 128 bytes referenced by the module. The module is not built or installed by default, so we have not released a 0.9.4. This vulnerability is fixed in the CVS snapshots, and will be included in any later release of the server. 

- PS i know redhat have done backporting of various fixes - but we have no idea exactly which backports and since
the resulting '0.9.3' code is different to the native 0.9.3 code, any bugs may well be because of the Redhat changes


More information about the Freeradius-Users mailing list