FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeRADIUS -- TLS resumption authentication bypass

Affected packages
freeradius < 3.0.14
freeradius2 < 3.0.14
freeradius3 < 3.0.14

Details

VuXML ID 673dce46-46d0-11e7-a539-0050569f7e80
Discovery 2017-02-03
Entry 2017-06-01

Stefan Winter reports:

The TLS session cache in FreeRADIUS before 3.0.14 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS.

[source]

References

CVE Name CVE-2017-9148
URL http://freeradius.org/security.html
URL http://seclists.org/oss-sec/2017/q2/342
URL http://www.securityfocus.com/bid/98734

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.