Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2015.0063
Insufficent CRL application vulnerability in FreeRADIUS
23 June 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: FreeRADIUS
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Unauthorised Access -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2015-4680
Member content until: Thursday, July 23 2015
OVERVIEW
A vulnerability has been identified in FreeRADIUS server prior to
versions 2.2.8 and 3.0.9. [1]
IMPACT
The following details have been provided regarding the
vulnerability:
CVE-2015-4680: "The FreeRADIUS server relies on OpenSSL to perform
certificate validation, including Certificate Revocation List (CRL)
checks. The FreeRADIUS usage of OpenSSL, in CRL application, limits
the checks to leaf certificates, therefore not detecting revocation
of intermediate CA certificates.
An unexpired client certificate, issued by an intermediate CA with a
revoked certificate, is therefore accepted by FreeRADIUS." [1]
MITIGATION
Users are advised to upgrade to the latest versions to correct this
issue.
Users are also advised the recommended configuration is to use
self-signed CAs for all EAP-TLS methods. [1]
REFERENCES
[1] FreeRADIUS insufficent CRL application
http://www.ocert.org/advisories/ocert-2015-008.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVYi75X6ZAP0PgtI9AQKA9xAAxlnyd/afeI780e3ew4Eu7S74LU34DQL1
zYVL1Jes7tBpVEyRjIp/DcKiStqFnsceZlcrl2C2Rhlql3UWys8qx5D7kAiEoccX
2ln5pzlwyqDdRjtcana/euMZ02NiGmq1sBmYc9aZoys7v7KUO9xND4P74W1Jj1PE
6kI+AjJrnXfa9k/13e/TyryUY4a0kb946DpY2iIV8b6zar6M7gkImS3dn3XgAAKi
pIqSaswy9jo1tXsCmeZFSyJiAW27t045PO0tdk8xoRfl93/BDqH8WqAMGq9ixIU2
7oM7/xNUPn+aZvQa57Mg2BZdCks2Psli9jHsQBQn882uFNRKqltbykTm60CkD9yB
7mOfjMwPK+CjIKdhuCUsGkOl2YvkQYlLkP8wm4oTQB/PCjyRxImbOGUcfbVNDQ6k
FcC71//mMCyduTXe2auFhjKLHUnvzU43SVEtQg3h09WoAKPsl1EmrAtRhM/3zAR3
aa6cTjfJDtsX5QuoARWDZMyiRTNsBZkAq+fIoJbvyVSkn0PFGgH+knQadC6qbyX8
FIP6bsP9aKqI+Dee0PrqdK3+idiH85E+XrUdduJUOMLj3OClj5AA8F386w4++TJ0
elfHHZzojmP6IjOjsmYZG7xlV6QhxVXr44Hd/ohI09AUPD5I3UZo4xbyOnaZ+L42
/gMJ6lcsXS4=
=US0H
-----END PGP SIGNATURE-----