[Secure-testing-team] Bug#700669: pyrad: CVE-2013-0294 and CVE-2013-0295
Salvatore Bonaccorso
carnil at debian.org
Fri Feb 15 22:29:12 UTC 2013
Package: pyrad
Version: 2.0-1
Severity: grave
Tags: security
Control: found -1 1.2-1
Hi,
the following vulnerabilities were published for pyrad.
CVE-2013-0294[0]:
potentially predictable password hashing
CVE-2013-0295[1]:
CreateID() creates serialized packet IDs for RADIUS
Note: it's currently under discussion if there should only be assigned
one CVE for this issue.
A patch is available at [2] using random.SystemRandom() for to use
cryptographic-safe random generator instead of random. I have choosen
severity grave because of this reasoning:
CVE-2013-0294: [...] In the case of the authenticator data, it was being
used to secure a password sent over the wire. Because Python's random
module is not really suited for this purpose (not random enough), it
could lead to password hashing that may be predictable.
CVE-2013-0295: [...] This is not suitable for RADIUS as the RFC
specifies that the ID must not be predictable. As a result, the ID of
the next packet sent can be spoofed.
(from Red Hat bugreports)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] http://security-tracker.debian.org/tracker/CVE-2013-0294
[1] http://security-tracker.debian.org/tracker/CVE-2013-0295
[2] https://github.com/wichert/pyrad/commit/38f74b36814ca5b1a27d9898141126af4953bee5
Regards,
Salvatore
More information about the Secure-testing-team
mailing list