====================================================================
CERT-Renater Information Note No. 2015/VULN117
_____________________________________________________________________
DATE                 : 23/06/2015
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running FreeRADIUS versions prior to 2.2.8 and 3.0.9.
======================================================================

http://freeradius.org/security.html
______________________________________________________________________

Vulnerability Notifications

2015.06.22  Revoked intermediate certificates are not properly validated. oCert, CVE-2015-4680.

All versions which implement EAP-TLS, prior to 2.2.8 and 3.0.9, do not check intermediate CAs for revocation. We have put patches into the version 2 and version 3 branches to fix these issues.

We expect that this issue has minimal effect on the majority of RADIUS systems. If you are using a self-signed CA for 802.1X, this issue does not affect you. If you are using certificates from a public CA, then your system will likely permit third parties to issue certificates which can be accepted by your RADIUS server. In that case, the intentional configuration of the system has security problems which overshadow this one.

The original reporter disagreed with our description of affected systems and the impact. We requested additional information, and were told "no". We can only conclude that the description above is correct, and that the reporter is incorrect.

=========================================================
CERT-Renater reference server: https://services.renater.fr/ssi/
==========================================================
CERT-RENATER          | tel  : 01-53-94-20-44
23 - 25 Rue Daviel    | fax  : 01-53-94-20-41
75013 Paris           | email: cert@support.renater.fr
==========================================================
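As an added illustration (not part of the CERT-Renater note or the FreeRADIUS text it quotes), the CRL-related directives of a FreeRADIUS 3.0.x EAP-TLS configuration: `check_crl` checks only the supplicant's own certificate, and `check_all_crl` is assumed here to be the option, available from the fixed 3.0.9 release, that extends the revocation check to the intermediate CAs in the chain. The `${certdir}` and `${cadir}` variables and file names are the defaults shipped with FreeRADIUS and are assumptions about the local layout.

```conf
# mods-available/eap, tls-config section (FreeRADIUS 3.0.x)
tls-config tls-common {
    private_key_file = ${certdir}/server.pem
    certificate_file = ${certdir}/server.pem
    ca_file          = ${cadir}/ca.pem

    # Directory holding the CA certificates and their CRLs.
    # OpenSSL looks CRLs up by hash, so re-run 'c_rehash ${cadir}'
    # after adding or updating any CRL in this directory.
    ca_path = ${cadir}

    # Check the client (supplicant) certificate against its issuer's CRL.
    # On its own this is the pre-2.2.8 / pre-3.0.9 behaviour: a revoked
    # intermediate CA would still be accepted.
    check_crl = yes

    # Also check every intermediate CA in the presented chain against
    # the CRL of its issuer (assumed option name, introduced with the fix).
    check_all_crl = yes
}
```

Because the CRLs are read from `ca_path`, a revoked intermediate is only rejected if the issuing root's current CRL is actually present and hashed in that directory; a stale or missing CRL silently re-opens the gap.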