Executive Summary
| Summary | |
|---|---|
| Title | radsecproxy security update |
| Informations | |||
|---|---|---|---|
| Name | DSA-2573 | First vendor Publication | 2012-11-10 |
| Vendor | Debian | Last vendor Modification | 2012-11-10 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 6.4 | Attack Range | Network |
| Cvss Impact Score | 4.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Ralf Paffrath reported that Radsecproxy, a RADIUS protocol proxy, mixed up pre- and post-handshake verification of clients. This vulnerability may wrongly accept clients without checking their certificate chain under certain configurations. Raphael Geissert spotted that the fix for CVE-2012-4523 was incomplete, giving origin to CVE-2012-4566. Both vulnerabilities are fixed with this update. Notice that this fix may make Radsecproxy reject some clients that are currently (erroneously) being accepted. For the stable distribution (squeeze), these problems have been fixed in version 1.4-1+squeeze1. For the testing distribution (wheezy), these problems have been fixed in version 1.6.2-1. For the unstable distribution (sid), these problems have been fixed in version 1.6.2-1. We recommend that you upgrade your radsecproxy packages. |
Original Source
| Url : http://www.debian.org/security/2012/dsa-2573 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:18256 | |||
| Oval ID: | oval:org.mitre.oval:def:18256 | ||
| Title: | DSA-2573-1 radsecproxy - SSL certificate verification weakness | ||
| Description: | Ralf Paffrath reported that Radsecproxy, a RADIUS protocol proxy, mixed up pre- and post-handshake verification of clients. This vulnerability may wrongly accept clients without checking their certificate chain under certain configurations. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2573-1 CVE-2012-4523 CVE-2012-4566 | Version: | 7 |
| Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | radsecproxy |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2012-11-16 | Name : Debian Security Advisory DSA 2573-1 (radsecproxy) File : nvt/deb_2573_1.nasl |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2012-11-12 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2573.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:31:27 |
|
| 2012-11-20 21:21:21 |
|
| 2012-11-20 13:23:34 |
|
| 2012-11-11 00:18:59 |
|
