Description
It was discovered freeradius up to and including version 3.0.19 does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user. NOTE: the upstream software maintainer has stated "there is simply no way for anyone to gain privileges through this alleged issue."
CVSS breakdown
CVSS 3.0
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
- freeradius / freeradiusaffects <= 3.0.19 – affects <= 3.0.19
References
- MAILING_LISThttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TKODLHHUOVAYENTBP4D3N25ST3Q6LJBP/
- MAILING_LISThttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A6VKBZAZKJP5QKXDXRKCM2ZPZND3TFAX/
- VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2019:3353
- MAILING_LISThttp://seclists.org/fulldisclosure/2019/Nov/14
- MISChttps://freeradius.org/security/
- EXPLOIThttp://packetstormsecurity.com/files/155361/FreeRadius-3.0.19-Logrotate-Privilege-Escalation.html
- MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10143
- PATCHhttps://github.com/FreeRADIUS/freeradius-server/pull/2666