Vigil@nce - FreeRADIUS: incomplete validation of X.509 certificate for TLS
July 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use X.509 certificates issued by a revoked CA in
order to be accepted by FreeRADIUS.
Impacted products: FreeRADIUS
Severity: 1/4
Creation date: 22/06/2015
DESCRIPTION OF THE VULNERABILITY
The FreeRADIUS product may use CRLs to validate the X.509
certificates used in TLS connections.
However, the CRL lookup is performed only for the leaf certificate
(server or client), and not for the intermediate CA certificates in
the chain. So certificates which have been issued by a revoked CA
remain accepted. (A whole CA may be revoked after an incident which
casts doubt on the secrecy of its signing private key.)
An attacker can therefore use X.509 certificates issued by a revoked
CA in order to be accepted by FreeRADIUS.
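The following Python script is an added illustration, not code from the bulletin or from FreeRADIUS: it builds a constructed three-level PKI with the third-party `cryptography` package, has the root revoke its intermediate, and then runs the CRL lookup once the leaf-only way the bulletin describes and once over every certificate below the trust anchor. Names such as `crl_status` and `build_demo` are this example's own.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.now(timezone.utc)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, issuer, issuer_key, pubkey, is_ca):
    """Issue a minimal certificate for pubkey, signed by issuer_key."""
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def make_crl(issuer_cert, issuer_key, revoked_serials):
    """Build the CRL that issuer_cert publishes, listing revoked_serials."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
               .last_update(NOW - timedelta(days=1)).next_update(NOW + timedelta(days=30)))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(issuer_key, hashes.SHA256())

def crl_status(chain, crls, check_all):
    """chain is [leaf, intermediate, ..., root]; crls maps an issuer Name to its CRL.
    check_all=False checks only the leaf (the bulletin's case); True checks every cert below the root."""
    depth = len(chain) - 1 if check_all else 1
    for i in range(depth):
        cert, issuer = chain[i], chain[i + 1]
        crl = crls.get(cert.issuer)
        if crl is None or not crl.is_signature_valid(issuer.public_key()):
            return "no trusted CRL"   # fail closed rather than skip the check
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked"
    return "ok"

def build_demo():
    """Constructed PKI: a root, an intermediate the root has revoked, and a client
    certificate that intermediate issued. Chain signature checks are out of scope here."""
    root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Demo Root CA", _name("Demo Root CA"), root_key, root_key.public_key(), True)
    inter = make_cert("Demo Intermediate CA", root.subject, root_key, inter_key.public_key(), True)
    leaf = make_cert("radius-client", inter.subject, inter_key, leaf_key.public_key(), False)
    crls = {root.subject: make_crl(root, root_key, [inter.serial_number]),  # root revokes intermediate
            inter.subject: make_crl(inter, inter_key, [])}                  # intermediate's CRL is empty
    return [leaf, inter, root], crls
```

With the chain and CRLs from `build_demo()`, `crl_status(chain, crls, check_all=False)` returns "ok" while `crl_status(chain, crls, check_all=True)` returns "revoked"; a deployment that wants revocation of a CA to take effect needs the second behaviour.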
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN