#VU7560 Out-of-bounds read in FreeRADIUS - CVE-2017-10986

Cybersecurity Help s.r.o.

Published: 2017-07-18

Vulnerability identifier: #VU7560

Vulnerability risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-10986

CWE-ID: CWE-125

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
FreeRADIUS
Server applications / Directory software, identity management

Vendor: FreeRADIUS Server Project

Description
The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to infinite out-of-bounds read in dhcp_attr2vp() function when decoding string options in an array. A remote attacker can send a specially crafted DHCP packet to vulnerable radius server and crash the affected application.

Mitigation
Update to version 3.0.15.

Vulnerable software versions

FreeRADIUS: 3.0.0 - 3.0.14

External links
https://freeradius.org/security/fuzzer-2017.html#FR-GV-303

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for freeradius-server

SUSE Linux update for freeradius-server

Debian update for freeradius

Ubuntu update for FreeRADIUS

Fedora 25 update for freeradius

Fedora 26 update for freeradius

Multiple vulnerabilities in FreeRADIUS