Vulnerability Bulletins

int(2293)

Vulnerability Bulletins

Denegación de servicio en FreeRadius
Vulnerability classification
Property	Value
Confidence level	Oficial
Impact	Denegación de Servicio
Dificulty	Experto
Required attacker level	Acceso remoto con cuenta
System information
Property	Value
Affected manufacturer	GNU/Linux
Affected software	FreeRADIUS <= 1.0.4
Description
Se ha descubierto una vulnerabilidad en FreeRADIUS 1.0.4 y posiblemente versiones anteriores. La vulnerabilidad reside en un fallo de programación en la función "sql_error" del fichero "sql_unixodbc.c". Un atacante remoto podría causar una denegación de servicio o ejecutar código arbitrario si es capaz de manipular la base de datos SQL a la que FreeRadius conecta.
Solution
Actualización de software Red Hat Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux AS (v. 4) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux ES (v. 4) https://rhn.redhat.com/ Mandriva Mandrivalinux 2006 X86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/freeradius-1.0.4-2.2.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/libfreeradius1-1.0.4-2.2.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/libfreeradius1-devel-1.0.4-2.2.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/libfreeradius1-krb5-1.0.4-2.2.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/libfreeradius1-ldap-1.0.4-2.2.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/libfreeradius1-mysql-1.0.4-2.2.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/libfreeradius1-postgresql-1.0.4-2.2.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/libfreeradius1-unixODBC-1.0.4-2.2.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/SRPMS/freeradius-1.0.4-2.2.20060mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/freeradius-1.0.4-2.2.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/lib64freeradius1-1.0.4-2.2.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/lib64freeradius1-devel-1.0.4-2.2.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/lib64freeradius1-krb5-1.0.4-2.2.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/lib64freeradius1-ldap-1.0.4-2.2.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/lib64freeradius1-mysql-1.0.4-2.2.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/lib64freeradius1-postgresql-1.0.4-2.2.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/lib64freeradius1-unixODBC-1.0.4-2.2.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/SRPMS/freeradius-1.0.4-2.2.20060mdk.src.rpm SGI Advanced Linux Environment 3 / RPM / Patch 10302 ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/RPMS Advanced Linux Environment 3 / SRPM / Patch 10302 ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/SRPMS Debian Debian Linux 3.1 Source http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1.dsc http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1.diff.gz http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2.orig.tar.gz Architecture independent http://security.debian.org/pool/updates/main/f/freeradius/freeradius-dialupadmin_1.0.2-4sarge1_all.deb Alpha http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_alpha.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_alpha.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_alpha.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-ldap_1.0.2-4sarge1_alpha.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-mysql_1.0.2-4sarge1_alpha.deb AMD64 http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_amd64.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_amd64.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_amd64.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-ldap_1.0.2-4sarge1_amd64.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-mysql_1.0.2-4sarge1_amd64.deb ARM http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_arm.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_arm.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_arm.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-ldap_1.0.2-4sarge1_arm.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-mysql_1.0.2-4sarge1_arm.deb Intel IA-32 http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_i386.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_i386.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_i386.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-ldap_1.0.2-4sarge1_i386.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-mysql_1.0.2-4sarge1_i386.deb Intel IA-64 http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_ia64.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_ia64.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_ia64.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-ldap_1.0.2-4sarge1_ia64.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-mysql_1.0.2-4sarge1_ia64.deb HP Precision http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_hppa.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_hppa.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_hppa.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-ldap_1.0.2-4sarge1_hppa.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-mysql_1.0.2-4sarge1_hppa.deb Motorola 680x0 http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_m68k.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_m68k.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_m68k.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-ldap_1.0.2-4sarge1_m68k.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-mysql_1.0.2-4sarge1_m68k.deb Big endian MIPS http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_mips.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_mips.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_mips.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-ldap_1.0.2-4sarge1_mips.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-mysql_1.0.2-4sarge1_mips.deb Little endian MIPS http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_mipsel.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_mipsel.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_mipsel.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-ldap_1.0.2-4sarge1_mipsel.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-mysql_1.0.2-4sarge1_mipsel.deb PowerPC http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_powerpc.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_powerpc.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_powerpc.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-ldap_1.0.2-4sarge1_powerpc.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-mysql_1.0.2-4sarge1_powerpc.deb IBM S/390 http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_s390.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_s390.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_s390.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-ldap_1.0.2-4sarge1_s390.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-mysql_1.0.2-4sarge1_s390.deb Sun Sparc http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_sparc.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_sparc.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_sparc.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-ldap_1.0.2-4sarge1_sparc.deb http://security.debian.org/pool/updates/main/f/freeradius/freeradius-mysql_1.0.2-4sarge1_sparc.deb
Standar resources
Property	Value
CVE	CVE-2005-4744
BID	14775
Other resources
Red Hat Security Advisory (RHSA-2006:0271-12) https://rhn.redhat.com/errata/RHSA-2006-0271.html Mandriva Security Advisory (MDKSA-2006:066) http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:066 SGI Security Advisory (20060404-01-U) ftp://patches.sgi.com/support/free/security/advisories/20060404-01-U.asc Debian Security Advisory (DSA 1089-1) http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00175.html

Version history
Version	Comments	Date
1.0	Aviso emitido	2006-04-04
1.1	Aviso emitido por Mandriva (MDKSA-2006:066)	2006-04-06
1.2	Aviso actualizado por Red Hat (RHSA-2006:0271-12)	2006-04-13
1.3	Aviso emitido por SGI (20060404-01-U)	2006-04-27
1.4	Aviso emitido por Debian (DSA 1089-1)	2006-06-06

Vulnerability Bulletins

Denegación de servicio en FreeRadius

Vulnerability classification

System information

Description

Solution

Standar resources

Other resources

Version history