[Pkg-freeradius-maintainers] Bug#926958: VU#871675: Authentication bypass in EAP-PWD
Bernhard Schmidt
berni at debian.org
Fri Apr 12 18:55:29 BST 2019
Package: src:freeradius
Severity: important
Tags: security
3.0.19 has been released adressing some issues in EAP-PWD. The VU#
linked in the original advisory is not (yet?) accessible and I haven't
found a CVE for it.
Since FreeRADIUS is orphaned I'll look at doing an NMU when I find some
time, but likely not before early next week.
https://freeradius.org/security/
2019.04.10Authentication bypass in EAP-PWD
The EAP-PWD module is vulnerable to multiple issues, including
authentication bypass. This module is not enabled in the default
configuration. Administrators must manually enable it for their server
to be vulnerable. Version 3.0.0 through 3.0.18 are are affected.
The EAP-PWD module is vulnerable to side-channel and cache-based
attacks. The issue is discussed in more in Hostap 2019-2. The attack
requires the attacker to be able to run a program on the target device.
This is not commonly the case on an authentication server (EAP server),
so the most likely target for this would be a client device using
EAP-PWD. It is not clear at this time if the attack is possible between
multiple virtual machines on the same hardware.
Other issues with EAP-PWD were found earlier, and patched in Hostap. The
FreeRADIUS team was not notified of these attacks until recently. We
have now patched FreeRADIUS to address these issues.
Additional issues were found by Mathy Vanhoef as part of a deep
investigation into EAP-PWD. He also supplied patches to address the
issues. His report is included below. This issue is recorded in
VU#871675
We have released version 3.0.19 to address these issues.
More information about the Pkg-freeradius-maintainers
mailing list