#VU70506 Input validation error in FreeRADIUS - CVE-2022-41861

Cybersecurity Help s.r.o.

Published: 2022-12-27

Vulnerability identifier: #VU70506

Vulnerability risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-41861

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FreeRADIUS
Server applications / Directory software, identity management

Vendor: FreeRADIUS Server Project

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A malicious RADIUS client or home server can send a malformed abinary attribute, which can cause the server to crash.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

FreeRADIUS: 0.1 - 4.0.0

External links
https://freeradius.org/security/
https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Anolis OS update for freeradius:3.0 module

Red Hat Enterprise Linux 8 update for the freeradius:3.0 module

Red Hat Enterprise Linux 9 update for freeradius

Multiple vulnerabilities in Oracle Linux

SUSE update for freeradius-server

openEuler 22.03 LTS SP1 update for freeradius

Ubuntu update for freeradius

openEuler update for freeradius

SUSE update for freeradius-server