cbcvebase.
CVE-2017-10986
published 2017-07-17

CVE-2017-10986: An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infinite read in dhcp_attr2vp()" and a denial of service.

PriorityP272high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
2.04%
78.8th percentile
An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infinite read in dhcp_attr2vp()" and a denial of service.

Affected

20 ranges
VendorProductVersion rangeFixed in
debianfreeradius< freeradius 3.0.15+dfsg-1 (bookworm)freeradius 3.0.15+dfsg-1 (bookworm)
freeradiusfreeradius
freeradiusfreeradius
freeradiusfreeradius
freeradiusfreeradius
freeradiusfreeradius
freeradiusfreeradius
freeradiusfreeradius
freeradiusfreeradius
freeradiusfreeradius
freeradiusfreeradius
freeradiusfreeradius
freeradiusfreeradius
freeradiusfreeradius
freeradiusfreeradius
freeradiusfreeradius
freeradiusfreeradius>= 0 < 3.0.15+dfsg-13.0.15+dfsg-1
freeradiusfreeradius>= 0 < 3.0.15+dfsg-13.0.15+dfsg-1
freeradiusfreeradius>= 0 < 3.0.15+dfsg-13.0.15+dfsg-1
freeradiusfreeradius>= 0 < 3.0.15+dfsg-13.0.15+dfsg-1

Detection & IOCsextracted from sources · hover to see the quote

  • The vulnerability is triggered when FreeRADIUS decodes 'string' options in an array within DHCP packets — specifically, dhcp_attr2vp() can be called with a memchr() length argument of -1, causing an infinite/over-read. Monitor for malformed DHCP requests sent to FreeRADIUS servers.
  • Attack surface is any network device capable of sending DHCP packets to FreeRADIUS that includes string options in an option array. No authentication required — purely network-based DoS.
  • Affected versions are FreeRADIUS 3.0.0 through 3.0.14 inclusive. Flag any deployment running these versions as vulnerable.
  • ·Only FreeRADIUS 3.x is affected; the 3.0.x branch before 3.0.15 is vulnerable. Red Hat Enterprise Linux 6 is listed as 'Not affected', and RHEL 5 packages are 'Will not fix', meaning patching focus should be on RHEL 7 / Fedora / Debian deployments running the 3.x branch.
  • ·The vulnerability is only exploitable if the FreeRADIUS server is configured to process DHCP packets (DHCP module enabled). Deployments using FreeRADIUS solely for RADIUS authentication without DHCP handling are not exposed.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vulncheck7.5HIGH
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.