Crash on unknown option in EAP-SIM
When an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.
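The unchecked-lookup pattern described above, beside a checked form, as an added example in C that is not FreeRADIUS code. The dictionary, the function names and the sample packet are hypothetical, and rejecting the packet on an unknown option is an assumed way of handling the failure, not a description of the actual fix.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical dictionary entry and table; not FreeRADIUS structures. */
typedef struct { uint8_t type; const char *name; } dict_attr_t;
static const dict_attr_t dict[] = {
    { 1, "AT_RAND" }, { 7, "AT_NONCE_MT" }, { 11, "AT_MAC" },
};

/* Returns NULL when the attribute type is not in the dictionary. */
const dict_attr_t *dict_lookup(uint8_t type)
{
    for (size_t i = 0; i < sizeof(dict) / sizeof(dict[0]); i++)
        if (dict[i].type == type) return &dict[i];
    return NULL;
}

/* Unchecked pattern: the lookup result is used without testing it. */
const char *attr_name_unchecked(uint8_t type)
{
    const dict_attr_t *da = dict_lookup(type);
    return da->name;            /* NULL dereference if the lookup failed */
}

/* Checked pattern: walk the attributes (1-byte type, 1-byte length in
 * 4-byte units, then value) and reject the packet on any lookup failure.
 * Returns the number of attributes decoded, or -1 to reject. */
int decode_attrs(const uint8_t *p, size_t len)
{
    int count = 0;
    while (len > 0) {
        if (len < 2) return -1;                 /* truncated header */
        size_t alen = (size_t)p[1] * 4;
        if (alen == 0 || alen > len) return -1; /* bad length field */
        const dict_attr_t *da = dict_lookup(p[0]);
        if (da == NULL) return -1;              /* unknown option: reject */
        count++;
        p += alen;
        len -= alen;
    }
    return count;
}

int main(void)
{
    /* Constructed packet: AT_RAND followed by unknown type 200. */
    const uint8_t pkt[] = { 1, 1, 0, 0, 200, 1, 0, 0 };
    return decode_attrs(pkt, sizeof(pkt)) == -1 ? 0 : 1;
}
```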
All versions of FreeRADIUS from 0.9.3 to 3.0.25 which have the EAP-SIM module manually configured are affected.
The EAP-SIM module is not enabled in the default configuration. There is no sample configuration for the module, and no documentation on how to get it to work.
As a result, we expect that few sites are affected by this issue.
Any site which has configured EAP-SIM is vulnerable. Any malicious EAP-SIM peer can crash the server. No actions other than the crash are possible.
This issue was found by Shane Guan, and reported to the freeradius-users mailing list.
The issue was fixed in commit f1cdbb.