SecurityTracker.com
SecurityTracker Archives

Category:   Application (Security)  >   FreeRADIUS
Vendors:   FreeRADIUS Server Project
(CentOS Issues Fix) FreeRADIUS Resumed TLS Session Cache Flaw Lets Remote Users Bypass Authentication on the Target System
SecurityTracker Alert ID:  1038812
SecurityTracker URL:  http://securitytracker.com/id/1038812
CVE Reference:   CVE-2017-9148   (Links to External Site)
Date:  Jun 30 2017
Impact:   Host/resource access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 3.0.14
Description:   A vulnerability was reported in FreeRADIUS. A remote user can bypass authentication.

A remote user (an EAP supplicant) who holds no valid credentials can exploit a flaw in the handling of resumed TLS sessions in the TLS-based EAP methods (EAP-TTLS and PEAP, whose outer TLS tunnel carries an inner authentication). The server placed a TLS session in its resumption cache before the inner authentication had completed, so a supplicant could complete the outer TLS handshake, abandon the session before supplying any credentials, and then resume the cached session; the resumed session skipped the inner authentication and the server issued an Extensible Authentication Protocol (EAP) Success message, granting network access.

Stefan Winter of the RESTENA Foundation and Luboš Pavlíček of the University of Economics, Prague, separately reported this vulnerability.

Impact:   A remote user can bypass authentication and cause the target server to issue an EAP Success message.
Solution:   CentOS has issued a fix (CESA-2017:1581, mirroring RHSA-2017:1581). The fix is backported into freeradius-3.0.4-8.el7_3, so the package version string stays 3.0.4: confirm the release field (8.el7_3 or later) rather than comparing the version against the upstream fixed release 3.0.14. Until the update is applied, the upstream workaround is to disable TLS session resumption by setting enable = no in the cache subsection of the EAP module's TLS configuration (mods-available/eap in a FreeRADIUS 3 layout).

x86_64:
e895ea654c98537bf02e45b515a675a320cfaccaaf70acb2212e91a9460a9b56 freeradius-3.0.4-8.el7_3.x86_64.rpm
1228fe62648d13c7d759eae75048ebff83b19ab047464dd5e134d7e5a3febc00 freeradius-devel-3.0.4-8.el7_3.i686.rpm
32f42995ac7a3a533e866ed92412e6fe0024dec1c017bc0739346502f2a59ecb freeradius-devel-3.0.4-8.el7_3.x86_64.rpm
27d77c1285a4cfc5796840bb1c785c5731329f58f620008594a37f9e5e5d449b freeradius-doc-3.0.4-8.el7_3.x86_64.rpm
a786335ea27fa948d7633cefefb1764668e0ec894cc8b2a99db4aca2469198b6 freeradius-krb5-3.0.4-8.el7_3.x86_64.rpm
3db445ffdc95ef63f49ab783d30a79fa995df12d842182212dd8bc1c57ee1f8e freeradius-ldap-3.0.4-8.el7_3.x86_64.rpm
18db49e251705a17b1126e4f3bd290ecce35e85f5515219fb00a2533517f87e5 freeradius-mysql-3.0.4-8.el7_3.x86_64.rpm
d7cae7b0375d58347ce836c5cd6940bca9192e68012144c9c8e45911765ae09a freeradius-perl-3.0.4-8.el7_3.x86_64.rpm
a0bc59f12af00a751cfddd4d0cdb88dd9ef254107a0359206a0749d11ebb063b freeradius-postgresql-3.0.4-8.el7_3.x86_64.rpm
278f234880380da762db32c9dbba70bd9d008e5179b15817219c13727a7733d4 freeradius-python-3.0.4-8.el7_3.x86_64.rpm
94ff3a4278a3620f14b2650c58fe860a8269cb11ae4fd0310f0b3fb799b0ab3b freeradius-sqlite-3.0.4-8.el7_3.x86_64.rpm
3d66c88fa201d2779941d1c18c156875c45fa77c7350f1239fd615dd5f260f21 freeradius-unixODBC-3.0.4-8.el7_3.x86_64.rpm
69f41f6fb446c27593d9f4c2e6dd2b2f678dcbc67511e8e2675b762d961ea660 freeradius-utils-3.0.4-8.el7_3.x86_64.rpm

Source:
dd9e10305ebc787276e016981bc619d52a3522d47471a80c33cc4895876712f5 freeradius-3.0.4-8.el7_3.src.rpm
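As an added example (not code from the advisory, the CentOS project or FreeRADIUS), the following POSIX shell helpers perform the checks an administrator would make after reading this advisory and the workaround note above: verify downloaded RPMs against the sha256 manifest posted to centos-announce, compare an installed version-release string against 3.0.4-8.el7_3 segment by segment (a plain string comparison would rank 3.0.4-10 below 3.0.4-8), and detect whether the EAP module's TLS session cache, the resumption path this flaw abuses, is still enabled. The manifest format ("<sha256>  <filename>") is the one in the announcement; the eap stanza layout assumed is the stock FreeRADIUS 3 one with "cache {" and its closing brace on their own lines; inputs used to exercise the functions are constructed, not real packages or configs.

```shell
#!/bin/sh
# Added example, not code from the advisory, CentOS or FreeRADIUS.
# Three post-advisory checks for a CentOS 7 FreeRADIUS host:
#   verify_rpm_sums   - downloaded RPMs match the sha256 manifest
#   vr_at_least       - installed version-release reaches the fixed one
#   tls_cache_enabled - EAP TLS session cache (the resumption path) still on
set -u

FIXED_VR="3.0.4-8.el7_3"   # version-release named in CESA-2017:1581

# Portable sha256: coreutils sha256sum on Linux, shasum elsewhere.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_rpm_sums MANIFEST DIR
# MANIFEST lines are "<sha256>  <filename>", the format of the announcement.
# Returns 0 only if every listed file is present in DIR and matches.
verify_rpm_sums() {
    manifest=$1; dir=$2; rc=0
    while read -r expected fname; do
        [ -z "$expected" ] && continue            # blank line
        case $expected in \#*) continue ;; esac   # comment line
        if [ ! -f "$dir/$fname" ]; then
            echo "MISSING  $fname"; rc=1; continue
        fi
        actual=$(sha256_of "$dir/$fname")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $fname"
        else
            echo "MISMATCH $fname (got $actual)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# vr_at_least HAVE WANT: 0 if HAVE >= WANT. Segments split on '.' and '-'
# compare numerically when both are numbers, so 3.0.4-10.el7_3 > 3.0.4-8.el7_3.
vr_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[.-]/); nb = split(b, B, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) {
                if (x + 0 != y + 0) exit (x + 0 < y + 0)
            } else if (x != y) exit (x "" < y "")
        }
        exit 0
    }'
}

# tls_cache_enabled CONF: 0 if a "cache { ... enable = yes ... }" subsection
# is found. Assumes the stock layout with "cache {" and its "}" on their own
# lines (as in FreeRADIUS 3 mods-available/eap); commented-out lines are skipped.
tls_cache_enabled() {
    awk '
        /^[[:space:]]*cache[[:space:]]*\{/ { incache = 1; next }
        incache && /^[[:space:]]*}/        { incache = 0; next }
        incache && /^[[:space:]]*enable[[:space:]]*=[[:space:]]*yes/ { found = 1 }
        END { exit !found }
    ' "$1"
}
```

On a CentOS 7 host, rpm -q --qf '%{VERSION}-%{RELEASE}\n' freeradius yields the string to pass as the first argument of vr_at_least, with "$FIXED_VR" as the second; rpm -q --changelog freeradius, grepped for CVE-2017-9148, gives an independent confirmation of a backported fix when the packager's changelog names the CVE. The eap configuration normally lives at /etc/raddb/mods-available/eap; tls_cache_enabled returning 0 on a not-yet-updated host means the workaround has not been applied.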

Cause:   Authentication error
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
May 29 2017 FreeRADIUS Resumed TLS Session Cache Flaw Lets Remote Users Bypass Authentication on the Target System



 Source Message Contents

Subject:  [CentOS-announce] CESA-2017:1581 Important CentOS 7 freeradius Security Update


CentOS Errata and Security Advisory 2017:1581 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-1581.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

x86_64:
e895ea654c98537bf02e45b515a675a320cfaccaaf70acb2212e91a9460a9b56  freeradius-3.0.4-8.el7_3.x86_64.rpm
1228fe62648d13c7d759eae75048ebff83b19ab047464dd5e134d7e5a3febc00  freeradius-devel-3.0.4-8.el7_3.i686.rpm
32f42995ac7a3a533e866ed92412e6fe0024dec1c017bc0739346502f2a59ecb  freeradius-devel-3.0.4-8.el7_3.x86_64.rpm
27d77c1285a4cfc5796840bb1c785c5731329f58f620008594a37f9e5e5d449b  freeradius-doc-3.0.4-8.el7_3.x86_64.rpm
a786335ea27fa948d7633cefefb1764668e0ec894cc8b2a99db4aca2469198b6  freeradius-krb5-3.0.4-8.el7_3.x86_64.rpm
3db445ffdc95ef63f49ab783d30a79fa995df12d842182212dd8bc1c57ee1f8e  freeradius-ldap-3.0.4-8.el7_3.x86_64.rpm
18db49e251705a17b1126e4f3bd290ecce35e85f5515219fb00a2533517f87e5  freeradius-mysql-3.0.4-8.el7_3.x86_64.rpm
d7cae7b0375d58347ce836c5cd6940bca9192e68012144c9c8e45911765ae09a  freeradius-perl-3.0.4-8.el7_3.x86_64.rpm
a0bc59f12af00a751cfddd4d0cdb88dd9ef254107a0359206a0749d11ebb063b  freeradius-postgresql-3.0.4-8.el7_3.x86_64.rpm
278f234880380da762db32c9dbba70bd9d008e5179b15817219c13727a7733d4  freeradius-python-3.0.4-8.el7_3.x86_64.rpm
94ff3a4278a3620f14b2650c58fe860a8269cb11ae4fd0310f0b3fb799b0ab3b  freeradius-sqlite-3.0.4-8.el7_3.x86_64.rpm
3d66c88fa201d2779941d1c18c156875c45fa77c7350f1239fd615dd5f260f21  freeradius-unixODBC-3.0.4-8.el7_3.x86_64.rpm
69f41f6fb446c27593d9f4c2e6dd2b2f678dcbc67511e8e2675b762d961ea660  freeradius-utils-3.0.4-8.el7_3.x86_64.rpm

Source:
dd9e10305ebc787276e016981bc619d52a3522d47471a80c33cc4895876712f5  freeradius-3.0.4-8.el7_3.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
Copyright 2019, SecurityGlobal.net LLC