PT-2017-18730 · FreeRADIUS+4

Published: 2017-05-29 · Updated: 2024-06-15 · CVE-2017-9148

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

FreeRADIUS versions 2.1.1 through 2.1.7
FreeRADIUS versions 3.0.x before 3.0.14
FreeRADIUS versions 3.1.x before 2017-02-04
FreeRADIUS versions 4.0.x before 2017-02-04

Description

The issue concerns the TLS session cache, which fails to prevent the resumption of an unauthenticated session. This allows remote attackers, such as malicious 802.1X supplicants, to bypass authentication via PEAP or TTLS.

Recommendations

For FreeRADIUS versions 2.1.1 through 2.1.7, update to a version outside of this range to resolve the issue.
For FreeRADIUS versions 3.0.x before 3.0.14, update to version 3.0.14 or later.
For FreeRADIUS versions 3.1.x before 2017-02-04, update to a version released after 2017-02-04.
For FreeRADIUS versions 4.0.x before 2017-02-04, update to a version released after 2017-02-04.

Fix

Improper Authentication

Weakness Enumeration

Related identifiers

CESA-2017_1581
CVE-2017-9148
DLA-977-1
OPENSUSE-SU-2024:10767-1
RHSA-2017:1581
RHSA-2017_1581
SUSE-SU-2017:1705-1
SUSE-SU-2017:1777-1
SUSE-SU-2017_1705-1
USN-3316-1

Affected products

CentOS
FreeRADIUS
Red Hat
SUSE
Ubuntu