Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: Debian FreeRADIUS Packaging Team <pkg-freeradius-maintain...@lists.alioth.debian.org>
* CVE-2019-13456: side-channel leak where 1 in 2048 handshakes fail * CVE-2019-17185: DoS due to multithreaded BN_CTX access * Add upstream fix for a crash bug. (Closes: #992036) This fixes 2 CVEs (already fixed in bullseye), and a crash that has already been fixed in a bullseye point release.
diff -Nru freeradius-3.0.17+dfsg/debian/changelog freeradius-3.0.17+dfsg/debian/changelog
--- freeradius-3.0.17+dfsg/debian/changelog 2019-04-23 00:23:36.000000000 +0300
+++ freeradius-3.0.17+dfsg/debian/changelog 2022-08-27 22:29:38.000000000 +0300
@@ -1,3 +1,12 @@
+freeradius (3.0.17+dfsg-1.1+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2019-13456: side-channel leak where 1 in 2048 handshakes fail
+ * CVE-2019-17185: DoS due to multithreaded BN_CTX access
+ * Add upstream fix for a crash bug. (Closes: #992036)
+
+ -- Adrian Bunk <b...@debian.org> Sat, 27 Aug 2022 22:29:38 +0300
+
 freeradius (3.0.17+dfsg-1.1) unstable; urgency=high
 
 * Non-maintainer upload.
diff -Nru freeradius-3.0.17+dfsg/debian/patches/0001-EAP-pwd-fix-DoS-due-to-multithreaded-BN_CTX-access.patch freeradius-3.0.17+dfsg/debian/patches/0001-EAP-pwd-fix-DoS-due-to-multithreaded-BN_CTX-access.patch
--- freeradius-3.0.17+dfsg/debian/patches/0001-EAP-pwd-fix-DoS-due-to-multithreaded-BN_CTX-access.patch 1970-01-01 02:00:00.000000000 +0200
+++ freeradius-3.0.17+dfsg/debian/patches/0001-EAP-pwd-fix-DoS-due-to-multithreaded-BN_CTX-access.patch 2022-08-27 22:27:54.000000000 +0300
@@ -0,0 +1,137 @@
+From 6b522f8780813726799e6b8cf0f1f8e0ce2c8ebf Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <mathy.vanh...@nyu.edu>
+Date: Fri, 4 Oct 2019 17:53:52 +0400
+Subject: EAP-pwd: fix DoS due to multithreaded BN_CTX access
+
+The EAP-pwd module created one global OpenSSL BN_CTX instance, and
+used this instance in all incoming requests. This means that different
+threads used the same BN_CTX instance, which can result in a crash.
+An adversary can trigger these crashes by concurrently initiating
+multiple EAP-pwd handshakes from different clients.
+
+Fix this bug by creating a separate BN_CTX instance for each request.
+---
+ .../rlm_eap/types/rlm_eap_pwd/eap_pwd.h | 1 +
+ .../rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c | 24 +++++++++----------
+ .../rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h | 2 --
+ 3 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.h b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.h
+index 013a6e7992..ca12778f61 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.h
++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.h
+@@ -90,6 +90,7 @@ typedef struct _pwd_session_t {
+ uint8_t *out; /* message to fragment */
+ size_t out_pos;
+ size_t out_len;
++ BN_CTX *bnctx;
+ EC_GROUP *group;
+ EC_POINT *pwe;
+ BIGNUM *order;
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c
+index 76cc57023e..eefca985d7 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c
++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c
+@@ -55,8 +55,6 @@ static int mod_detach (void *arg)
+
+ inst = (eap_pwd_t *) arg;
+
+- if (inst->bnctx) BN_CTX_free(inst->bnctx);
+-
+ return 0;
+ }
+
+@@ -76,11 +74,6 @@ static int mod_instantiate (CONF_SECTION *cs, void **instance)
+ return -1;
+ }
+
+- if ((inst->bnctx = BN_CTX_new()) == NULL) {
+- cf_log_err_cs(cs, "Failed to get BN context");
+- return -1;
+- }
+-
+ return 0;
+ }
+
+@@ -96,6 +89,7 @@ static int _free_pwd_session (pwd_session_t *session)
+ EC_POINT_clear_free(session->pwe);
+ BN_clear_free(session->order);
+ BN_clear_free(session->prime);
++ BN_CTX_free(session->bnctx);
+
+ return 0;
+ }
+@@ -217,6 +211,12 @@ static int mod_session_init (void *instance, eap_handler_t *handler)
+ session->order = NULL;
+ session->prime = NULL;
+
++ session->bnctx = BN_CTX_new();
++ if (session->bnctx == NULL) {
++ ERROR("rlm_eap_pwd: Failed to get BN context");
++ return 0;
++ }
++
+ /*
+ * The admin can dynamically change the MTU.
+ */
+@@ -496,7 +496,7 @@ static int mod_process(void *arg, eap_handler_t *handler)
+ /*
+ * compute our scalar and element
+ */
+- if (compute_scalar_element(session, inst->bnctx)) {
++ if (compute_scalar_element(session, session->bnctx)) {
+ DEBUG2("failed to compute server's scalar and element");
+ return 0;
+ }
+@@ -508,7 +508,7 @@ static int mod_process(void *arg, eap_handler_t *handler)
+ * element is a point, get both coordinates: x and y
+ */
+ if (!EC_POINT_get_affine_coordinates_GFp(session->group, session->my_element, x, y,
+- inst->bnctx)) {
++ session->bnctx)) {
+ DEBUG2("server point assignment failed");
+ BN_clear_free(x);
+ BN_clear_free(y);
+@@ -552,7 +552,7 @@ static int mod_process(void *arg, eap_handler_t *handler)
+ /*
+ * process the peer's commit and generate the shared key, k
+ */
+- if (process_peer_commit(session, in, in_len, inst->bnctx)) {
++ if (process_peer_commit(session, in, in_len, session->bnctx)) {
+ RDEBUG2("failed to process peer's commit");
+ return 0;
+ }
+@@ -560,7 +560,7 @@ static int mod_process(void *arg, eap_handler_t *handler)
+ /*
+ * compute our confirm blob
+ */
+- if (compute_server_confirm(session, session->my_confirm, inst->bnctx)) {
++ if (compute_server_confirm(session, session->my_confirm, session->bnctx)) {
+ ERROR("rlm_eap_pwd: failed to compute confirm!");
+ return 0;
+ }
+@@ -591,7 +591,7 @@ static int mod_process(void *arg, eap_handler_t *handler)
+ RDEBUG2("pwd exchange is incorrect: not commit!");
+ return 0;
+ }
+- if (compute_peer_confirm(session, peer_confirm, inst->bnctx)) {
++ if (compute_peer_confirm(session, peer_confirm, session->bnctx)) {
+ RDEBUG2("pwd exchange cannot compute peer's confirm");
+ return 0;
+ }
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h b/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h
+index 189530d066..2264566bb6 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h
++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h
+@@ -40,8 +40,6 @@
+ #include <freeradius-devel/modules.h>
+
+ typedef struct _eap_pwd_t {
+- BN_CTX *bnctx;
+-
+ uint32_t group;
+ uint32_t fragment_size;
+ char const *server_id;
+--
+2.30.2
+
diff -Nru freeradius-3.0.17+dfsg/debian/patches/0001-EAP-pwd-fix-side-channel-leak-where-1-in-2018-handsh.patch freeradius-3.0.17+dfsg/debian/patches/0001-EAP-pwd-fix-side-channel-leak-where-1-in-2018-handsh.patch
--- freeradius-3.0.17+dfsg/debian/patches/0001-EAP-pwd-fix-side-channel-leak-where-1-in-2018-handsh.patch 1970-01-01 02:00:00.000000000 +0200
+++ freeradius-3.0.17+dfsg/debian/patches/0001-EAP-pwd-fix-side-channel-leak-where-1-in-2018-handsh.patch 2022-08-27 22:28:06.000000000 +0300
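Review bot: In 0001-EAP-pwd-fix-DoS-due-to-multithreaded-BN_CTX-access.patch the new `bnctx` member of `pwd_session_t` (eap_pwd.h hunk) has no comment, although the invariant it encodes is the whole fix: one BN_CTX per session, never shared between threads. I would record that at the declaration, e.g. `BN_CTX *bnctx; /* per-session scratch context, freed in _free_pwd_session(); never share across threads */`. In the `mod_detach` hunk the context line `inst = (eap_pwd_t *) arg;` has no remaining use of `inst` in the visible lines, so the assignment looks dead; the function starts outside the hunk, so confirm before dropping it. The new failure branch in `mod_session_init` returns 0 when `BN_CTX_new()` fails, and whether the already-allocated session is released on that path depends on code outside the hunk, so that is worth checking too.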
@@ -0,0 +1,40 @@
+From 3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <mathy.vanh...@nyu.edu>
+Date: Wed, 5 Jun 2019 19:21:06 +0000
+Subject: EAP-pwd: fix side-channel leak where 1 in 2018 handshakes fail
+
+Previously the Hunting and Pecking algorithm of EAP-pwd aborted when
+more than 10 iterations are needed. Every iteration has a 50% chance
+of finding the password element. This means one in every 2048 handshakes
+will fail, in which case an error frame is sent to the client. This
+event leaks information that can be abused in an offline password
+brute-force attack. More precisely, the adversary learns that all 10
+iterations failed for the given random EAP-pwd token. Using the same
+techniques as in the Dragonblood attack, this can be used to brute-force
+the password.
+
+This patch fixes the above issue by executing enough iterations such that
+the password element is always found eventually.
+
+Note that timing and cache leaks remain a risk against the current
+implementation of EAP-pwd.
+---
+ src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+index c54f08c030..d94851c3aa 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+@@ -192,7 +192,7 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
+ }
+ ctr = 0;
+ while (1) {
+- if (ctr > 10) {
++ if (ctr > 100) {
+ DEBUG("unable to find random point on curve for group %d, something's fishy", grp_num);
+ goto fail;
+ }
+--
+2.30.2
+
diff -Nru freeradius-3.0.17+dfsg/debian/patches/allocate-from-the-request.diff freeradius-3.0.17+dfsg/debian/patches/allocate-from-the-request.diff
--- freeradius-3.0.17+dfsg/debian/patches/allocate-from-the-request.diff 1970-01-01 02:00:00.000000000 +0200
+++ freeradius-3.0.17+dfsg/debian/patches/allocate-from-the-request.diff 2022-08-27 22:25:46.000000000 +0300
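Review bot: The new bound in `compute_password_element`, `if (ctr > 100) {`, is a bare constant with nothing tying it to the leak it closes, so a later cleanup could lower it again without noticing. A comment at that line would help, e.g. `/* abort must be unobservable in practice (about 2^-100 at 50% per iteration): a visible failure reveals that every iteration missed, see CVE-2019-13456 */`. The loop body is outside the hunk, but the patch description itself states that timing and cache leaks remain, so the comment should also say that raising the limit does not make the iteration count independent of the password. Separately, the patch Subject and file name say "1 in 2018" where the body and the changelog say 2048.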
@@ -0,0 +1,34 @@
+From 7875ca06d1e312f55107c5e369097c7cb5369b53 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <al...@freeradius.org>
+Date: Thu, 5 Aug 2021 11:22:12 -0400
+Subject: [PATCH] allocate from the request, which is thread-safe. Helps with
+ #3188
+
+The "check" item is taken from the "huntgroups" file. It's in
+a statically allocated list which doesn't change, and shouldn't
+change during run-time. Allocating memory in its context is
+not thread-safe, and can cause issues
+---
+ src/main/pair.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/main/pair.c b/src/main/pair.c
+index 2f736d74cf7..3725ba1e10b 100644
+--- a/src/main/pair.c
++++ b/src/main/pair.c
+@@ -84,13 +84,13 @@ int radius_compare_vps(UNUSED REQUEST *request, VALUE_PAIR *check, VALUE_PAIR *v
+ if (check->da->type == PW_TYPE_STRING) {
+ expr_p = check->vp_strvalue;
+ } else {
+- expr_p = expr = vp_aprints_value(check, check, '\0');
++ expr_p = expr = vp_aprints_value(request, check, '\0');
+ }
+
+ if (vp->da->type == PW_TYPE_STRING) {
+ value_p = vp->vp_strvalue;
+ } else {
+- value_p = value = vp_aprints_value(vp, vp, '\0');
++ value_p = value = vp_aprints_value(request, vp, '\0');
+ }
+
+ if (!expr_p || !value_p) {
diff -Nru freeradius-3.0.17+dfsg/debian/patches/series freeradius-3.0.17+dfsg/debian/patches/series
--- freeradius-3.0.17+dfsg/debian/patches/series 2019-04-23 00:23:36.000000000 +0300
+++ freeradius-3.0.17+dfsg/debian/patches/series 2022-08-27 22:29:25.000000000 +0300
@@ -10,3 +10,6 @@
 snakeoil-certs.diff
 CVE-2019-11234-1.patch
 CVE-2019-11234-2.patch
+0001-EAP-pwd-fix-DoS-due-to-multithreaded-BN_CTX-access.patch
+0001-EAP-pwd-fix-side-channel-leak-where-1-in-2018-handsh.patch
+allocate-from-the-request.diff
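Review bot: In allocate-from-the-request.diff, `radius_compare_vps` still declares its first parameter as `UNUSED REQUEST *request` (visible in the hunk header), yet both changed lines now pass `request` to `vp_aprints_value()`; the `UNUSED` marker should be dropped so the signature matches the use. With `request` as what is presumably the allocation context, the lifetime of `expr` and `value` follows the request unless they are freed explicitly, and a caller passing a NULL request would allocate without a parent; the frees and the callers are outside the hunk, so both should be confirmed. A comment at the first call, such as `/* allocate from the request: check may sit in a shared static list (huntgroups) whose context is not thread-safe */`, would record why `check` must not be used as the context again.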