[arch-security] [ASA-201706-2] freeradius: authentication bypass

Remi Gacogne rgacogne at archlinux.org
Fri Jun 2 09:41:39 UTC 2017


Arch Linux Security Advisory ASA-201706-2
=========================================

Severity: High
Date    : 2017-06-02
CVE-ID  : CVE-2017-9148
Package : freeradius
Type    : authentication bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-281

Summary
=======

The package freeradius before version 3.0.14-3 is vulnerable to
authentication bypass.

Resolution
==========

Upgrade to 3.0.14-3.

# pacman -Syu "freeradius>=3.0.14-3"

The problem has been fixed upstream in version 3.0.14.

Workaround
==========

None.

Description
===========

A security issue has been found in FreeRADIUS < 3.0.14. The
implementation of TTLS and PEAP in FreeRADIUS skips inner
authentication when it handles a resumed TLS connection. This is a
feature but there is a critical catch: the server must never allow
resumption of a TLS session until its initial connection gets to the
point where inner authentication has been finished successfully.
Unfortunately, affected versions of FreeRADIUS fail to reliably prevent
resumption of unauthenticated sessions unless the TLS session cache is
disabled completely and allow an attacker (e.g. a malicious supplicant)
to elicit EAP Success without sending any valid credentials.

Impact
======

A remote user can bypass authentication by starting then resuming an
unauthenticated TLS session.

References
==========

http://freeradius.org/press/index.html#3.0.14
http://seclists.org/oss-sec/2017/q2/342
https://security.archlinux.org/CVE-2017-9148

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20170602/b6cda0af/attachment.asc>


More information about the arch-security mailing list