File CVE-2019-11235.patch of Package freeradius-server.27524

commit 85497b5ff37ccb656895b826b88585898c209586
Author: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
Date:   Tue Apr 9 15:17:19 2019 -0400

    When processing an EAP-pwd Commit frame, the peer's scalar and elliptic curve
    point were not validated. This allowed an adversary to bypass authentication,
    and impersonate any user.
    
    Fix this vulnerability by ensuring the received scalar lies within the valid
    range, and by checking that the received element is not the point at infinity
    and lies on the elliptic curve being used.

commit ab4c767099f263a7cd4109bcdca80ee74210a769
Author: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Date:   Wed Apr 10 10:11:23 2019 +0100

    fix incorrectly named variable

Index: freeradius-server-3.0.3/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
===================================================================
--- freeradius-server-3.0.3.orig/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ freeradius-server-3.0.3/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -346,6 +346,15 @@ process_peer_commit (pwd_session_t *sess
     BN_bin2bn(ptr, BN_num_bytes(sess->prime), y);
     ptr += BN_num_bytes(sess->prime);
     BN_bin2bn(ptr, BN_num_bytes(sess->order), sess->peer_scalar);
+
+    /* validate received scalar */
+    if (BN_is_zero(sess->peer_scalar) ||
+        BN_is_one(sess->peer_scalar) ||
+        BN_cmp(sess->peer_scalar, sess->order) >= 0) {
+            ERROR("Peer's scalar is not within the allowed range");
+            goto fin;
+    }
+
     if (!EC_POINT_set_affine_coordinates_GFp(sess->group,
 					     sess->peer_element, x, y,
 					     bnctx)) {
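Review bot: The new range check on `sess->peer_scalar` is only as trustworthy as the bytes it was parsed from, and nothing visible in this hunk compares the Commit payload length with the bytes that the `BN_bin2bn` calls above it consume from `ptr`. If the caller does not already enforce that length, a short frame would be parsed from memory past its end before the range check runs. A guard before the first `BN_bin2bn` would close this, for example `if (payload_len < 2 * (size_t)BN_num_bytes(sess->prime) + (size_t)BN_num_bytes(sess->order)) goto fin;`, where `payload_len` is a placeholder for whatever length the caller has available. process_peer_commit starts and ends outside the hunk and its signature is truncated in the hunk header, so this may already be handled elsewhere.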
@@ -353,6 +362,13 @@ process_peer_commit (pwd_session_t *sess
 	goto fin;
     }
 
+    /* validate received element */
+    if (!EC_POINT_is_on_curve(sess->group, sess->peer_element, bnctx) ||
+        EC_POINT_is_at_infinity(sess->group, sess->peer_element)) {
+           ERROR("Peer's element is not a point on the elliptic curve");
+           goto fin;
+    }
+
     /* check to ensure peer's element is not in a small sub-group */
     if (BN_cmp(cofactor, BN_value_one())) {
 	if (!EC_POINT_mul(sess->group, point, NULL,
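Review bot: `!EC_POINT_is_on_curve(...)` in the added element check accepts the point when the call itself fails. OpenSSL documents a return of 1 for on-curve, 0 for off-curve and -1 on error, and `!(-1)` evaluates to 0, so an internal error is not rejected. Comparing against the success value fails closed: `if (EC_POINT_is_on_curve(sess->group, sess->peer_element, bnctx) != 1 ||`. The same pattern appears in the reflection check of the third hunk, where `EC_POINT_cmp(...) == 0` lets a -1 error through; `EC_POINT_cmp(sess->group, sess->peer_element, sess->my_element, bnctx) != 1` would reject both equality and failure.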
@@ -366,6 +382,13 @@ process_peer_commit (pwd_session_t *sess
 	}
     }
 
+    /* detect reflection attacks */
+    if (BN_cmp(sess->peer_scalar, sess->my_scalar) == 0 ||
+        EC_POINT_cmp(sess->group, sess->peer_element, sess->my_element, bnctx) == 0) {
+            ERROR("Reflection attack detected");
+            goto fin;
+    }
+
     /* compute the shared key, k */
     if ((!EC_POINT_mul(sess->group, K, NULL, sess->pwe,
 		       sess->peer_scalar, bnctx)) ||
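Review bot: The comment `/* detect reflection attacks */` does not say what is compared or why equality is fatal, which makes the check easy to weaken in a later refactor. A comment such as `/* reject a Commit that echoes our own scalar or element back to us */` states the invariant directly. The added lines in all three hunks also indent the `ERROR`/`goto fin` body with spaces, while the surrounding context lines use a tab for the nested statements. Matching the file's existing indentation would keep later diffs of this function clean.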