Bugzilla – Bug 935573
VUL-1: CVE-2015-4680: freeradius, freeradius-server: insufficient CRL application for intermediate certificates
Last modified: 2020-07-27 14:14:45 UTC
http://www.ocert.org/advisories/ocert-2015-008.html
http://seclists.org/oss-sec/2015/q2/776

#2015-008 FreeRADIUS insufficient CRL application

Description:

The FreeRADIUS server is an open source project that provides a RADIUS implementation.

The FreeRADIUS server relies on OpenSSL to perform certificate validation, including Certificate Revocation List (CRL) checks. The FreeRADIUS usage of OpenSSL, in CRL application, limits the checks to leaf certificates, therefore not detecting revocation of intermediate CA certificates. An unexpired client certificate, issued by an intermediate CA with a revoked certificate, is therefore accepted by FreeRADIUS.

Specifically, it sets the X509_V_FLAG_CRL_CHECK flag for leaf certificate CRL checks, but does not use X509_V_FLAG_CRL_CHECK_ALL for CRL checks on the complete trust chain.

The FreeRADIUS project advises that the recommended configuration is to use self-signed CAs for all EAP-TLS methods.

Affected version:

FreeRADIUS <= 2.2.7, <= 3.0.8

Fixed version:

FreeRADIUS >= 2.2.8, >= 3.0.9

Credit: vulnerability anonymously reported.

CVE: CVE-2015-4680

Timeline:

2015-06-17: vulnerability report received
2015-06-18: contacted FreeRADIUS security maintainer
2015-06-18: patch provided by maintainer
2015-06-19: assigned CVE
2015-06-22: advisory release

References:

https://github.com/FreeRADIUS/freeradius-server/blob/b28326004379260ca2fe7b8884f813d90a741197/src/main/tls.c#L2111
https://github.com/FreeRADIUS/freeradius-server/blob/b28326004379260ca2fe7b8884f813d90a741197/src/main/tls.c#L2595
http://freeradius.org/security.html

Permalink: http://www.ocert.org/advisories/ocert-2015-008.html
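As an added illustration (not part of this bug report or of FreeRADIUS's own code), the leaf-only versus whole-chain distinction the advisory describes, expressed with Python's standard ssl module: ssl.VERIFY_CRL_CHECK_LEAF corresponds to X509_V_FLAG_CRL_CHECK and ssl.VERIFY_CRL_CHECK_CHAIN to X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL. The audit helper and its findings text are assumptions of this example.

```python
import ssl

# OpenSSL flags named in the advisory, as exposed by Python's ssl module:
#   X509_V_FLAG_CRL_CHECK                        -> ssl.VERIFY_CRL_CHECK_LEAF
#   X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL -> ssl.VERIFY_CRL_CHECK_CHAIN


def leaf_only_context() -> ssl.SSLContext:
    """Pre-fix shape: CRLs are consulted for the client certificate only,
    so a revoked intermediate CA in the chain is never noticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED          # EAP-TLS style: client cert mandatory
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def chain_checked_context() -> ssl.SSLContext:
    """Fixed shape: every certificate in the presented chain is checked against a CRL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


def crl_check_mode(ctx: ssl.SSLContext) -> str:
    """Classify how a context applies CRLs: 'none', 'leaf' or 'chain'.
    VERIFY_CRL_CHECK_CHAIN is a superset of VERIFY_CRL_CHECK_LEAF, so test it first."""
    flags = int(ctx.verify_flags)
    if flags & ssl.VERIFY_CRL_CHECK_CHAIN == ssl.VERIFY_CRL_CHECK_CHAIN:
        return "chain"
    if flags & ssl.VERIFY_CRL_CHECK_LEAF:
        return "leaf"
    return "none"


def audit(ctx: ssl.SSLContext) -> list:
    """Findings a reviewer would raise for a server context that authenticates
    clients by certificate (hypothetical helper, not a FreeRADIUS feature)."""
    findings = []
    mode = crl_check_mode(ctx)
    if mode != "chain":
        findings.append(f"CRL mode is '{mode}': a revoked intermediate CA is not detected")
    # With either CRL flag set, OpenSSL fails verification whenever no CRL for an
    # issuer is present, so enabling checks without loading a CRL is a misconfiguration.
    if mode != "none" and ctx.cert_store_stats()["crl"] == 0:
        findings.append("CRL checking enabled but no CRL loaded into the store")
    return findings
```

Load the CA bundle and CRL with ctx.load_verify_locations(cafile=..., capath=...) before serving; the audit then reports only the CRL-mode finding for the leaf-only context and nothing for the chain-checked one.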
bugbot adjusting priority
No. We need to keep that open for tracking. If other issues appear in freeradius for SLE11/12, they will be combined with this one.
SUSE-SU-2017:0102-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1013311,911886,935573,951404
CVE References: CVE-2015-4680
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): freeradius-server-3.0.3-14.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): freeradius-server-3.0.3-14.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): freeradius-server-3.0.3-14.1
SUSE Linux Enterprise Server 12-SP2 (src): freeradius-server-3.0.3-14.1
SUSE Linux Enterprise Server 12-SP1 (src): freeradius-server-3.0.3-14.1
Adam, does the issue also affect freeradius-server on SLE11? If yes, then it is still missing there.
(In reply to Marcus Meissner from comment #12)
> Adam, does the issue also affect freeradius-server on SLE11? If yes, then it
> is still missing there.

SLE11 seems to be missing the fix for some reason. I'll resubmit.
SUSE-SU-2017:1777-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1041445,912873,935573
CVE References: CVE-2015-4680,CVE-2017-9148
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): freeradius-server-2.1.1-7.24.1
SUSE Linux Enterprise Server 11-SP4 (src): freeradius-server-2.1.1-7.24.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): freeradius-server-2.1.1-7.24.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2017-08-04. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63803
All codestreams should have either submitted the fix or the fix has been released. Reassigning back to security team.
released