PT-2017-18730 · Freeradius+4

Published

2017-05-29

·

Updated

2024-06-15

·

CVE-2017-9148

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

FreeRADIUS versions 2.1.1 through 2.1.7
FreeRADIUS versions 3.0.x before 3.0.14
FreeRADIUS versions 3.1.x before 2017-02-04
FreeRADIUS versions 4.0.x before 2017-02-04

Description

The TLS session cache in FreeRADIUS fails to prevent the resumption of a TLS session that was never fully authenticated. A remote attacker, such as a malicious 802.1X supplicant, can resume such a session and thereby bypass authentication in PEAP or TTLS.

Recommendations

For FreeRADIUS versions 2.1.1 through 2.1.7, update to a version outside of this range to resolve the issue.
For FreeRADIUS versions 3.0.x before 3.0.14, update to version 3.0.14 or later.
For FreeRADIUS versions 3.1.x before 2017-02-04, update to a version released after 2017-02-04.
For FreeRADIUS versions 4.0.x before 2017-02-04, update to a version released after 2017-02-04.

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CESA-2017_1581
CVE-2017-9148
DLA-977-1
OPENSUSE-SU-2024:10767-1
RHSA-2017:1581
RHSA-2017_1581
SUSE-SU-2017:1705-1
SUSE-SU-2017:1777-1
SUSE-SU-2017_1705-1
USN-3316-1

Affected Products

Centos
Freeradius
Red Hat
Suse
Ubuntu