GLSA 201706-27: FreeRADIUS: Security bypass
| Severity: | normal |
| Title: | FreeRADIUS: Security bypass |
| Date: | 06/27/2017 |
| Bugs: | |
| ID: | 201706-27 |
Synopsis
A vulnerability in FreeRADIUS might allow remote attackers to bypass authentication.Background
FreeRADIUS is an open source RADIUS authentication server.
Affected packages
| Package | Vulnerable | Unaffected | Architecture(s) |
|---|---|---|---|
| net-dialup/freeradius | < 3.0.14 | >= 3.0.14 | All supported architectures |
Description
It was discovered that the implementation of TTLS and PEAP in FreeRADIUS skips inner authentication when it handles a resumed TLS connection. The affected versions of FreeRADIUS fails to reliably prevent the resumption of unauthenticated sessions unless the TLS session cache is disabled completely.
Impact
An unauthenticated remote user can bypass authentication by starting a session, and then resuming an unauthenticated TLS session before inner authentication has been completed successfully.
Workaround
Set “enabled = no” in the cache subsection of eap module settings to disable TLS session caching.
Resolution
All FreeRADIUS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dialup/freeradius-3.0.14"
References
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.