CVE-2017-10986
published 2017-07-17
CVE-2017-10986: An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infinite read in dhcp_attr2vp()" and a denial of service.
Priority: P2 · 72 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 2.04% (78.8th percentile)
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | freeradius | < freeradius 3.0.15+dfsg-1 (bookworm) | freeradius 3.0.15+dfsg-1 (bookworm) |
| freeradius | freeradius | — | — |
| freeradius | freeradius | >= 0 < 3.0.15+dfsg-1 | 3.0.15+dfsg-1 |
Detection & IOCs
- The vulnerability is triggered when FreeRADIUS decodes 'string' options in an array within DHCP packets: dhcp_attr2vp() can be called with a memchr() length argument of -1, causing an infinite/over-read. Monitor for malformed DHCP requests sent to FreeRADIUS servers.
- Attack surface is any network device capable of sending DHCP packets to FreeRADIUS that includes string options in an option array. No authentication is required; this is a purely network-based DoS.
- Affected versions are FreeRADIUS 3.0.0 through 3.0.14 inclusive. Flag any deployment running these versions as vulnerable.
- Only FreeRADIUS 3.x is affected; the 3.0.x branch before 3.0.15 is vulnerable. Red Hat Enterprise Linux 6 is listed as 'Not affected', and RHEL 5 packages are 'Will not fix', meaning patching focus should be on RHEL 7 / Fedora / Debian deployments running the 3.x branch.
- The vulnerability is only exploitable if the FreeRADIUS server is configured to process DHCP packets (DHCP module enabled). Deployments using FreeRADIUS solely for RADIUS authentication without DHCP handling are not exposed.
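The length problem described above, as an added example that is not FreeRADIUS code: a simplified model of splitting a NUL-separated string array, showing how a signed "bytes remaining" value of -1 turns into an unbounded memchr() length, next to a bounded version. All function names and the sample payload are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What memchr() receives when a signed "bytes remaining" value is passed as
 * its size_t length: -1 becomes SIZE_MAX, so the scan has no real bound. */
static size_t as_memchr_len(ptrdiff_t remaining) { return (size_t)remaining; }

/* Constructed model of the unsafe arithmetic: find the end of the first
 * string, then always skip one separator octet, even if none was found. */
static ptrdiff_t naive_remaining_after_first(const uint8_t *p, size_t len)
{
    const uint8_t *end = p + len;
    const uint8_t *q = memchr(p, '\0', len);
    if (!q) q = end;              /* unterminated: string runs to the end */
    return (end - q) - 1;         /* -1 when the last string has no NUL */
}

/* Hardened split of a NUL-separated string array. Stores each element length
 * in lens[] and returns the count, or -1 if there are more than max. */
static int split_string_array(const uint8_t *p, size_t len, size_t *lens, int max)
{
    const uint8_t *end = p + len;
    int n = 0;
    while (p < end) {             /* memchr is only reached with >= 1 octet left */
        const uint8_t *q = memchr(p, '\0', (size_t)(end - p));
        if (!q) q = end;
        if (n == max) return -1;
        lens[n++] = (size_t)(q - p);
        p = (q < end) ? q + 1 : end;  /* skip a separator only if one exists */
    }
    return n;
}

int main(void)
{
    static const uint8_t opt[] = { 'a', 'b', 0, 'c', 'd' };  /* constructed payload */
    size_t lens[4];
    int n = split_string_array(opt, sizeof(opt), lens, 4);
    printf("elements=%d naive_len=%zu\n", n,
           as_memchr_len(naive_remaining_after_first(opt + 3, 2)));
    return 0;
}
```

The bounded loop never computes a length from a cursor that has moved past the end of the option, which is the property to look for when reviewing similar decoders.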
CVSS provenance
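| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | | 7.5 | HIGH | |
| vulncheck | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |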
Ubuntu
FreeRADIUS vulnerabilities
vendor_ubuntu·2017-07-27
CVE-2017-10978 FreeRADIUS vulnerabilities
Title: FreeRADIUS vulnerabilities
Summary: Several security issues were fixed in FreeRADIUS.
Guido Vranken discovered that FreeRADIUS incorrectly handled memory when
decoding packets. A remote attacker could use this issue to cause
FreeRADIUS to crash or hang, resulting in a denial of service, or possibly
execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
freeradius: Infinite read in dhcp_attr2vp()
vendor_redhat·2017-07-17·CVSS 7.5
CVE-2017-10986 [HIGH] CWE-125 freeradius: Infinite read in dhcp_attr2vp()
freeradius: Infinite read in dhcp_attr2vp()
An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infinite read in dhcp_attr2vp()" and a denial of service.
An out-of-bounds read flaw was found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted DHCP request.
Package: freeradius (Red Hat Enterprise Linux 5) - Will not fix
Package: freeradius2 (Red Hat Enterprise Linux 5) - Will not fix
Package: freeradius (Red Hat Enterprise Linux 6) - Not affected
Debian
CVE-2017-10986: freeradius - An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infinite read ...
vendor_debian·2017·CVSS 7.5
CVE-2017-10986 [HIGH] CVE-2017-10986: freeradius - An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infinite read ...
An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infinite read in dhcp_attr2vp()" and a denial of service.
Scope: local
bookworm: resolved (fixed in 3.0.15+dfsg-1)
bullseye: resolved (fixed in 3.0.15+dfsg-1)
forky: resolved (fixed in 3.0.15+dfsg-1)
sid: resolved (fixed in 3.0.15+dfsg-1)
trixie: resolved (fixed in 3.0.15+dfsg-1)
GHSA
GHSA-pm8x-gq82-f4p4: An FR-GV-303 issue in FreeRADIUS 3
ghsa_unreviewed·2022-05-13
CVE-2017-10986 [HIGH] CWE-835 GHSA-pm8x-gq82-f4p4: An FR-GV-303 issue in FreeRADIUS 3
An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infinite read in dhcp_attr2vp()" and a denial of service.
OSV
CVE-2017-10986: An FR-GV-303 issue in FreeRADIUS 3
osv·2017-07-17·CVSS 7.5
CVE-2017-10986 [HIGH] CVE-2017-10986: An FR-GV-303 issue in FreeRADIUS 3
An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infinite read in dhcp_attr2vp()" and a denial of service.
VulnCheck
freeradius freeradius Loop with Unreachable Exit Condition ('Infinite Loop')
vulncheck·2017·CVSS 7.5
CVE-2017-10986 [HIGH] freeradius freeradius Loop with Unreachable Exit Condition ('Infinite Loop')
freeradius freeradius Loop with Unreachable Exit Condition ('Infinite Loop')
An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infinite read in dhcp_attr2vp()" and a denial of service.
Affected: freeradius freeradius
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.zscaler.com/resources/industry-reports/non-web-attack-surface-report.pdf
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-10986 freeradius: Infinite read in dhcp_attr2vp() [fedora-all]
bugzilla·2017-07-17·CVSS 7.5
CVE-2017-10986 [HIGH] CVE-2017-10986 freeradius: Infinite read in dhcp_attr2vp() [fedora-all]
CVE-2017-10986 freeradius: Infinite read in dhcp_attr2vp() [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fe
Bugzilla
CVE-2017-10986 freeradius: Infinite read in dhcp_attr2vp()
bugzilla·2017-07-07·CVSS 7.5
CVE-2017-10986 [HIGH] CVE-2017-10986 freeradius: Infinite read in dhcp_attr2vp()
CVE-2017-10986 freeradius: Infinite read in dhcp_attr2vp()
When decoding "string" options in an array, dhcp_attr2vp() could be convinced to call memchr() with a length argument of -1. This could result in an over-read until the first zero octet was found, or a page fault occurred.
The security impact is denial of service by any network device capable of sending DHCP packets to FreeRADIUS, which sends string options to the server in an option array.
Affected versions: 3.0.0 through 3.0.14, inclusive.
Discussion:
Acknowledgments:
Name: the FreeRADIUS project
Upstream: Guido Vranken
---
Created attachment 1295268
Proposed patch
---
Created freeradius tracking bugs for this issue:
Affects: fedora-all [bug 1471864]
---
This issue has been addressed in the following products:
Red Ha
http://freeradius.org/security/fuzzer-2017.html
http://www.debian.org/security/2017/dsa-3930
http://www.securityfocus.com/bid/99971
https://access.redhat.com/errata/RHSA-2017:2389