[arch-security] [ASA-201706-2] freeradius: authentication bypass
rgacogne at archlinux.org
Fri Jun 2 09:41:39 UTC 2017
Arch Linux Security Advisory ASA-201706-2
Date : 2017-06-02
CVE-ID : CVE-2017-9148
Package : freeradius
Type : authentication bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-281
The package freeradius before version 3.0.14-3 is vulnerable to
Upgrade to 3.0.14-3.
# pacman -Syu "freeradius>=3.0.14-3"
The problem has been fixed upstream in version 3.0.14.
A security issue has been found in FreeRADIUS < 3.0.14. The
implementation of TTLS and PEAP in FreeRADIUS skips inner
authentication when it handles a resumed TLS connection. This is
intended behaviour, but it is only safe under one condition: the server
must never allow resumption of a TLS session until its initial
connection has reached the point where inner authentication has
finished successfully.
Unfortunately, affected versions of FreeRADIUS fail to reliably prevent
resumption of unauthenticated sessions unless the TLS session cache is
disabled completely and allow an attacker (e.g. a malicious supplicant)
to elicit EAP Success without sending any valid credentials.
A remote user can bypass authentication by starting then resuming an
unauthenticated TLS session.
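The following toy model, added here as an illustration and not FreeRADIUS code, captures the single ordering decision the advisory is about: when a TTLS/PEAP server may add a TLS session to its resumption cache. The "vulnerable" server caches a session as soon as the outer TLS handshake completes; the "fixed" server caches it only after the inner (phase 2) method has succeeded. The session identifiers, the server class and the EAP result strings are all constructed for the example; the advisory's workaround of disabling the cache entirely corresponds to the cache never having any entry to resume.

```python
"""Toy model of the TLS session-cache policy behind CVE-2017-9148.

Not FreeRADIUS code. Models only when a resumable session is recorded,
which is the decision the fix in 3.0.14 changes. All names and values
here are constructed for the illustration.
"""
from dataclasses import dataclass, field


@dataclass
class TlsSession:
    session_id: bytes
    # Set once the inner (phase 2) authentication method succeeded.
    inner_auth_done: bool = False


@dataclass
class EapTlsServer:
    # True  : cache a session only after inner authentication succeeded (fixed).
    # False : cache it as soon as the outer TLS handshake completes (vulnerable).
    gate_cache_on_inner_auth: bool
    cache: dict = field(default_factory=dict)

    def full_handshake(self, session_id: bytes, inner_credentials_valid: bool) -> str:
        """A new (non-resumed) outer TLS handshake followed by inner authentication.

        inner_credentials_valid=False stands for both a failed inner method and a
        client that simply abandons the exchange after the outer handshake.
        """
        sess = TlsSession(session_id)
        if not self.gate_cache_on_inner_auth:
            # Vulnerable ordering: nothing has been proven about the user yet,
            # but the session is already resumable.
            self.cache[session_id] = sess
        if not inner_credentials_valid:
            return "EAP-Failure"
        sess.inner_auth_done = True
        if self.gate_cache_on_inner_auth:
            # Fixed ordering: the session becomes resumable only now.
            self.cache[session_id] = sess
        return "EAP-Success"

    def resume(self, session_id: bytes) -> str:
        """Handle a resumed TLS session; inner authentication is skipped by design.

        A real server would fall back to a full handshake on an unknown id; here
        an unknown id simply yields EAP-Failure to keep the outcome visible.
        """
        sess = self.cache.get(session_id)
        if sess is None:
            return "EAP-Failure"
        return "EAP-Success"


def compare_policies() -> dict:
    """Run the same client behaviour against both cache policies."""
    results = {}
    for label, gated in (("vulnerable", False), ("fixed", True)):
        server = EapTlsServer(gate_cache_on_inner_auth=gated)
        first = server.full_handshake(b"sess-A", inner_credentials_valid=False)
        resumed = server.resume(b"sess-A")
        results[label] = (first, resumed)
    return results


if __name__ == "__main__":
    for label, (first, resumed) in compare_policies().items():
        print(f"{label:10s} initial={first:11s} resumed={resumed}")
```

Running it shows that both servers answer the unauthenticated initial connection with EAP-Failure, but only the server that gates cache insertion on inner-authentication success keeps refusing the resumed session; the other one hands out EAP-Success on resumption without ever having seen valid credentials, which is exactly the condition the advisory describes.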