Security liabilities (Re: radiusd-freeradius history and future)
On Wed, Nov 12, 2003 at 09:18:38AM +1100, Paul Hampson wrote:
> On Tue, Nov 11, 2003 at 04:30:50PM -0500, Matt Zimmerman wrote:
> > CAN-2001-1376 and CAN-2001-1377 made the rounds last Spring, with advisories
> > from Red Hat, FreeBSD, SuSE, Conectiva, CERT, etc. These affected multiple
> > RADIUS implementations, of which FreeRADIUS was one, and required large
> > quantities of problematic code to be patched.
> Last Spring? December 2001/March 2002? And I thought my sense of
> time/space was poor. :-)
Spring of last year is when the vendor advisories were coming out to fix
these bugs. I don't recall which were about freeradius, cistron, etc. They
were a lot of the same bugs in many implementations, including freeradius.
> The fixed FreeRADIUS was out December 2001, 6 days before the vendor
> notifications came out.
A new release is nice enough for those who are installing from source and
want the latest features, but this:
294 files changed, 13608 insertions(+), 2238 deletions(-)
is not acceptable for a security update.
> These both came from an audit of FreeRADIUS. To be frank, the general
> advice you'd get from the FreeRADIUS mailing list is "keep untrusted IP
> addresses" away from your RADIUS server. Both by FreeRADIUS configuration
> and firewall/TLS/VPN/RFC1918/whatever.
Properly filtering UDP traffic by source requires a level of features that
is generally lacking in low-end edge equipment like NAS boxes. If I recall
correctly, one of the two vulnerabilities mentioned above did not require
that the attacker know the shared secret, either, so I don't think that
security is something that a RADIUS implementation can punt on.
> Hmm, we have cistron as well, don't we? _And_ xtradius. I can see how
> you'd be glad we didn't have _three_ cistron-derived RADIUS servers to do
> security updates for...
We ship cistron, livingston/lucent, xtradius and yardradius in woody.
freeradius was in unstable until recently. I'm sure they all share at least
I can't even remember whether xtradius was properly reviewed or not. Of
course, we never heard from the maintainer, even in the year following the
disclosure of the bugs.
This is exactly the kind of situation I don't want going forward...there is
so much neglected software in Debian that bugs like these sometimes go
unnoticed, or even if they are noticed, the maintainer doesn't care enough
about stable to let anyone know about it. Maintainers are our first line of
defense against security problems, and usually the best informed about their
status, and yet maintainers who actively participate in the security update
process represent a minority (a valuable one).