-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 DFN-CERT Services GmbH - Security Advisory ========================================== * Advisory: DSB-2011-01 * Version: 1.0 * Released on: 2011-07-22 * Updated on: 2011-07-22 * Product: FreeRADIUS 2.1.11 (2011-06-29) Summary - ------- FreeRADIUS is a RADIUS server software which supports many authentication protocols. One of those protocols is EAP-TLS used within 802.1X. In EAP-TLS X.509 client certificates are used to authenticate remote users/clients. FreeRADIUS supports several methods for checking the revocation status of X.509 certificates. Recently support for revocation status checking with the Online Certificate Status Protocol (OCSP) was added to FreeRADIUS. During a test of the OCSP support in FreeRADIUS, a security vulnerability has been found in the way the FreeRADIUS code parses the replies from an OCSP responder. This allows a remote attacker to use a revoked certificate from an otherwise trusted certification authority (CA) to successfully authenticate against the FreeRADIUS server if it is configured to use EAP-TLS with OCSP certificate validation. OCSP is not enabled in the default configuration of FreeRADIUS. Solution - -------- Until now, there is no official patch for the vulnerability. Therefore, we strongly advise you to disable OCSP support in the FreeRADIUS configuration until an official patch by the packet maintainer is available. Instead, the use of certification revocation list (CRL) checking which is implemented by FreeRADIUS is recommended. Details (CVE-2011-2701) - ----------------------- In the file rlm_eap_tls.c, the ocsp_check() function performs a basic verification of the value that is returned by the OCSP service OCSP_basic_verify(), but it does not verify the status of the certificate itself. Thus, if an attacker has access to a revoked certificate and its matching private key, the attacker is able to get authenticated against the FreeRADIUS server. This allows the attacker to gain access to all network resources that are accessible due to the FreeRADIUS authentication, e.g. Internet access. To avoid the issue, the status of the certificate has to be checked with the OCSP_resp_find_status() function by comparing the returned status value against 'V_OCSP_CERTSTATUS_GOOD', and by checking the freshness of the OCSP response with OCSP_check_validity(). References - ---------- This advisory and further updates of it will be published at: <https://www.dfn-cert.de/informationen/Sicherheitsbulletins/dsb-2011-01. html> New releases, or patches, for the software can be downloaded from the official FreeRADIUS web site: <http://freeradius.org> Contact - ------- We created a basic patch for this issue which is not publicly available because of possible side effects and a missing test environment. However, we are willing to send our patch to all Linux/BSD vendors as a basis for their own patches. Any questions regarding this advisory, or the patch itself, can be sent to advisory (at) dfn-cert (dot) de. [email concealed] Please note that we will not make our patch publicly available. History - ------- 2011-07-01 Notified the FreeRADIUS project 2011-07-22 New version with a full description of the issue and the CVE identifier -----BEGIN PGP SIGNATURE----- iQEVAwUBTi2CGPNu3tfxLoPHAQIpcQf/bB1j7TPuP/252N+jxUlsh4TlV8KkBNP/ GrhMDl+35iq9+wtU4sn8JsuDP0lmTOKm7bEr1Iir9oCBN0bMWPzaWO/21U7Yqns7 IFlKn29aHgLeDWevnkxAUhFjHDEC/i0b7CSHqRcAtP2Fa5Z9TNlTDXIa3HXuOPev Z4KcKo4LA9v3wFcu/JSLiQcHezC+qJKkIA9wtsiAbcEwyBqBY/Jvqx0ccK859XIC jwBboxACIU+1hJvUBAv4u5F6jByQyegXPwe6tcnpYJi5Xd7xI3GJKm5r738L8NYW MyNjrbXOYUDb4MsyWsr4HJSzzfiTjGrgC0xVSNTaoTMGM7I/WurDKQ== =cnDb -----END PGP SIGNATURE-----