Bugzilla – Bug 961479
VUL-1: CVE-2015-8763: freeradius-server: message payload length not validated in EAP-PWD
Last modified: 2017-08-15 11:42:40 UTC
CVE-2015-8763

From http://freeradius.org/security.html

The EAP-PWD module performed insufficient validation on packets received from an EAP peer. This module is not enabled in the default configuration. Administrators must manually enable it for their server to be vulnerable. Only versions 3.0 up to 3.0.8 are affected. These issues were found by Jouni Malinen as part of investigating 2015-4 for HostAP.

- The EAP-PWD packet length is not checked before the first byte is dereferenced. A zero-length EAP-PWD packet will cause the module to dereference a NULL pointer, and will cause the server to crash.
- The commit message payload length is not validated before the packet is decoded. This can result in a read overflow in the server.
- The confirm message payload length is not validated before the packet is decoded. This can result in a read overflow in the server.
- A strcpy() was used to pack a C string into an EAP-PWD packet. This would result in an over-run of the destination buffer by one byte.

>=SLE 12 affected. Low/VUL-1 because of non default configuration.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8763
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8763.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8763
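The four defect classes listed in the advisory, shown as the checks that prevent them. This is an added example, not FreeRADIUS code and not part of the original report: all function and constant names are hypothetical, the header layout follows RFC 5931, and it assumes an unfragmented message whose expected payload size is supplied by the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names throughout; this is not FreeRADIUS code. */
enum { PWD_OK = 0, PWD_ERR_EMPTY = -1, PWD_ERR_LENGTH = -2, PWD_ERR_NOSPACE = -3 };

#define PWD_EXCH_MASK 0x3f /* low 6 bits of the first EAP-pwd octet (RFC 5931) */
#define PWD_L_BIT     0x80 /* when set, a 2-octet Total-Length field follows */

/*
 * Validate an EAP-pwd message before any byte of it is read.
 * need = exact payload size the caller expects for this exchange
 * (element + scalar for commit, one hash output for confirm).
 */
int pwd_check_payload(const uint8_t *pkt, size_t len, size_t need,
                      uint8_t *exch, const uint8_t **payload)
{
    size_t hdr = 1;

    /* Zero-length packet: reject before pkt[0] is dereferenced. */
    if (pkt == NULL || len == 0) return PWD_ERR_EMPTY;
    if (pkt[0] & PWD_L_BIT) hdr += 2;
    /* Commit/confirm: the decoder may read exactly `need` bytes, no more. */
    if (len < hdr || len - hdr != need) return PWD_ERR_LENGTH;

    *exch = pkt[0] & PWD_EXCH_MASK;
    *payload = pkt + hdr;
    return PWD_OK;
}

/*
 * Pack a C string into a packet field without its terminator.
 * strcpy(dst, s) writes strlen(s) + 1 bytes, one past a field sized for
 * strlen(s); memcpy with an explicit bound writes exactly n bytes.
 */
int pwd_pack_string(uint8_t *dst, size_t dst_len, const char *s, size_t *written)
{
    size_t n = strlen(s);

    if (n > dst_len) return PWD_ERR_NOSPACE;
    memcpy(dst, s, n);
    *written = n;
    return PWD_OK;
}
```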
Has multiple CVEs assigned:

CVE-2015-8764 for "A strcpy() was used to pack a C string into an EAP-PWD packet. This would result in an over-run of the destination buffer by one byte."

CVE-2015-8762 for "The EAP-PWD packet length is not checked before the first byte is dereferenced. A zero-length EAP-PWD packet will cause the module to dereference a NULL pointer, and will cause the server to crash."

CVE-2015-8763 for "The confirm message payload length is not validated before the packet is decoded. This can result in a read overflow in the server."
bugbot adjusting priority
fixed