CVE-2017-10984
Published 2017-07-17
CVE-2017-10984: An FR-GV-301 issue in FreeRADIUS 3.x before 3.0.15 allows "Write overflow in data2vp_wimax()" - this allows remote attackers to cause a denial of service…
Priority P3 · 57 · critical · 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 18.32% (96.9th percentile)
An FR-GV-301 issue in FreeRADIUS 3.x before 3.0.15 allows "Write overflow in data2vp_wimax()" - this allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | freeradius | < freeradius 3.0.15+dfsg-1 (bookworm) | freeradius 3.0.15+dfsg-1 (bookworm) |
| freeradius | freeradius | — | — |
| freeradius | freeradius | >= 0 < 3.0.15+dfsg-1 | 3.0.15+dfsg-1 |
CVSS provenance
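| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |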
GHSA
GHSA-rhjh-xx2h-53xh: An FR-GV-301 issue in FreeRADIUS 3
ghsa_unreviewed·2022-05-14
CVE-2017-10984 [CRITICAL] CWE-787 GHSA-rhjh-xx2h-53xh: An FR-GV-301 issue in FreeRADIUS 3
OSV
CVE-2017-10984: An FR-GV-301 issue in FreeRADIUS 3
osv·2017-07-17·CVSS 9.8
CVE-2017-10984 [CRITICAL] CVE-2017-10984: An FR-GV-301 issue in FreeRADIUS 3
Ubuntu
FreeRADIUS vulnerabilities
vendor_ubuntu·2017-07-27
CVE-2017-10978 FreeRADIUS vulnerabilities
Title: FreeRADIUS vulnerabilities
Summary: Several security issues were fixed in FreeRADIUS.
Guido Vranken discovered that FreeRADIUS incorrectly handled memory when
decoding packets. A remote attacker could use this issue to cause
FreeRADIUS to crash or hang, resulting in a denial of service, or possibly
execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
freeradius: Out-of-bounds write in data2vp_wimax()
vendor_redhat·2017-07-17·CVSS 9.8
CVE-2017-10984 [CRITICAL] CWE-787 freeradius: Out-of-bounds write in data2vp_wimax()
An out-of-bounds write flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to crash the FreeRADIUS server or to execute arbitrary code in the context of the FreeRADIUS server process by sending a specially crafted request packet.
Package: freeradius (Red Hat Enterprise Linux 5) - Not affected
Package: freeradius2 (Red Hat Enterprise Linux 5) - Not affected
Package: freeradius (Red Hat Enterprise Linux 6) - Not affected
Debian
CVE-2017-10984: freeradius - An FR-GV-301 issue in FreeRADIUS 3.x before 3.0.15 allows "Write overflow in dat...
vendor_debian·2017·CVSS 9.8
CVE-2017-10984 [CRITICAL] CVE-2017-10984: freeradius - An FR-GV-301 issue in FreeRADIUS 3.x before 3.0.15 allows "Write overflow in dat...
Scope: local
bookworm: resolved (fixed in 3.0.15+dfsg-1)
bullseye: resolved (fixed in 3.0.15+dfsg-1)
forky: resolved (fixed in 3.0.15+dfsg-1)
sid: resolved (fixed in 3.0.15+dfsg-1)
trixie: resolved (fixed in 3.0.15+dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-10984 freeradius: Out-of-bounds write in data2vp_wimax() [fedora-all]
bugzilla·2017-07-17·CVSS 9.8
CVE-2017-10984 [CRITICAL] CVE-2017-10984 freeradius: Out-of-bounds write in data2vp_wimax() [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported version
Bugzilla
CVE-2017-10984 freeradius: Out-of-bounds write in data2vp_wimax()
bugzilla·2017-07-07·CVSS 9.8
CVE-2017-10984 [CRITICAL] CVE-2017-10984 freeradius: Out-of-bounds write in data2vp_wimax()
An out-of-bounds write was found in data2vp_wimax() when sending WiMAX attributes which have the "continuation" flag set, but for which there is no subsequent data.
The security impact is possible remote code execution by anyone who can send packets which are accepted by the server.
Affected versions: 3.0.0 through 3.0.14, inclusive.
Discussion:
Acknowledgments:
Name: the FreeRADIUS project
Upstream: Guido Vranken
---
Created attachment 1295272
Proposed patch 1/2
---
Created attachment 1295273
Proposed patch 2/2
---
Created freeradius tracking bugs for this issue:
Affects: fedora-all [bug 1471861]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2389 https://
http://freeradius.org/security/fuzzer-2017.html
http://www.debian.org/security/2017/dsa-3930
http://www.securityfocus.com/bid/99876
https://access.redhat.com/errata/RHSA-2017:2389
Published: 2017-07-17