What is the severity of CVE-2014-2015?

CVE-2014-2015 is classified as a medium severity vulnerability due to its potential impact on service availability.

How do I fix CVE-2014-2015?

To mitigate CVE-2014-2015, users should upgrade FreeRADIUS to a patched version above 2.0.5 or apply appropriate workarounds to limit password size.

Who is affected by CVE-2014-2015?

CVE-2014-2015 affects FreeRADIUS versions from 2.0 to 3.0.1 that use the rlm_pap module.

What kind of attack can exploit CVE-2014-2015?

CVE-2014-2015 can be exploited by an authenticated user who deliberately provides an oversized password to crash the FreeRADIUS server.

Is CVE-2014-2015 already exploited in the wild?

As of the last update, there have been no confirmed public exploits targeting CVE-2014-2015 in the wild.

Vulnerability/
CVE-2014-2015

high

7.5

CWE

119

19/2/2014

2/11/2014

6/8/2024

CVE-2014-2015: Buffer Overflow

First published: Wed Feb 19 2014(Updated: )

Pierre Carrier reported a stack-based buffer overflow flaw in the FreeRADIUS rlm_pap module. An authenticated user could trigger this issue by creating a large password, causing FreeRADIUS to crash. The stack protector and SSP variable re-ordering protections should help prevent this issue from being used to execute arbitrary code. Upstream fixes: 2.x: <a href="https://github.com/FreeRADIUS/freeradius-server/commit/0d606cfc29a">https://github.com/FreeRADIUS/freeradius-server/commit/0d606cfc29a</a> 3.x: <a href="https://github.com/FreeRADIUS/freeradius-server/commit/ff5147c9e5088c7">https://github.com/FreeRADIUS/freeradius-server/commit/ff5147c9e5088c7</a> master: <a href="https://github.com/FreeRADIUS/freeradius-server/commit/f610864d4c8f51d">https://github.com/FreeRADIUS/freeradius-server/commit/f610864d4c8f51d</a> References: <a href="http://lists.freebsd.org/pipermail/freebsd-bugbusters/2014-February/000610.html">http://lists.freebsd.org/pipermail/freebsd-bugbusters/2014-February/000610.html</a>

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
FreeRADIUS FreeRADIUS	=2.0
FreeRADIUS FreeRADIUS	=2.0.1
FreeRADIUS FreeRADIUS	=2.0.2
FreeRADIUS FreeRADIUS	=2.0.3
FreeRADIUS FreeRADIUS	=2.0.4
FreeRADIUS FreeRADIUS	=2.0.5
FreeRADIUS FreeRADIUS	=2.1.0
FreeRADIUS FreeRADIUS	=2.1.1
FreeRADIUS FreeRADIUS	=2.1.2
FreeRADIUS FreeRADIUS	=2.1.3
FreeRADIUS FreeRADIUS	=2.1.4
FreeRADIUS FreeRADIUS	=2.1.6
FreeRADIUS FreeRADIUS	=2.1.7
FreeRADIUS FreeRADIUS	=2.1.8
FreeRADIUS FreeRADIUS	=2.1.9
FreeRADIUS FreeRADIUS	=2.1.10
FreeRADIUS FreeRADIUS	=2.1.11
FreeRADIUS FreeRADIUS	=2.1.12
FreeRADIUS FreeRADIUS	=2.2.0
FreeRADIUS FreeRADIUS	=2.2.1
FreeRADIUS FreeRADIUS	=2.2.2
FreeRADIUS FreeRADIUS	=2.2.3
FreeRADIUS FreeRADIUS	=3.0.0
FreeRADIUS FreeRADIUS	=3.0.1

Remedy

http://www.openwall.com/lists/oss-security/2014/02/18/3

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2014-2015?
CVE-2014-2015 is classified as a medium severity vulnerability due to its potential impact on service availability.
How do I fix CVE-2014-2015?
To mitigate CVE-2014-2015, users should upgrade FreeRADIUS to a patched version above 2.0.5 or apply appropriate workarounds to limit password size.
Who is affected by CVE-2014-2015?
CVE-2014-2015 affects FreeRADIUS versions from 2.0 to 3.0.1 that use the rlm_pap module.
What kind of attack can exploit CVE-2014-2015?
CVE-2014-2015 can be exploited by an authenticated user who deliberately provides an oversized password to crash the FreeRADIUS server.
Is CVE-2014-2015 already exploited in the wild?
As of the last update, there have been no confirmed public exploits targeting CVE-2014-2015 in the wild.

agent/type
agent/first-publish-date
collector/mitre-cve
source/MITRE
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2014-2015
agent/severity
agent/references
agent/remedy
agent/last-modified-date
agent/author
agent/description
agent/event
agent/trending
agent/source
agent/weakness
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/freeradius
canonical/freeradius freeradius
version/freeradius freeradius/2.0
version/freeradius freeradius/2.0.1
version/freeradius freeradius/2.0.2
version/freeradius freeradius/2.0.3
version/freeradius freeradius/2.0.4
version/freeradius freeradius/2.0.5
version/freeradius freeradius/2.1.0
version/freeradius freeradius/2.1.1
version/freeradius freeradius/2.1.2
version/freeradius freeradius/2.1.3
version/freeradius freeradius/2.1.4
version/freeradius freeradius/2.1.6
version/freeradius freeradius/2.1.7
version/freeradius freeradius/2.1.8
version/freeradius freeradius/2.1.9
version/freeradius freeradius/2.1.10
version/freeradius freeradius/2.1.11
version/freeradius freeradius/2.1.12
version/freeradius freeradius/2.2.0
version/freeradius freeradius/2.2.1
version/freeradius freeradius/2.2.2
version/freeradius freeradius/2.2.3
version/freeradius freeradius/3.0.0
version/freeradius freeradius/3.0.1

CVE-2014-2015: Buffer Overflow

Remedy

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2014-2015?

How do I fix CVE-2014-2015?

Who is affected by CVE-2014-2015?

What kind of attack can exploit CVE-2014-2015?

Is CVE-2014-2015 already exploited in the wild?

Company

Resources

Contact

Frequently Asked Questions

What is the severity of CVE-2014-2015?

How do I fix CVE-2014-2015?

Who is affected by CVE-2014-2015?

What kind of attack can exploit CVE-2014-2015?

Is CVE-2014-2015 already exploited in the wild?