[3.7] freeradius: Multiple vulnerabilities (CVE-2019-11234, CVE-2019-11235)
CVE-2019-11234: eap-pwd: fake authentication using reflection
A vulnerability was found in FreeRadius. An attacker can reflect the
received scalar and element from the server in it’s own commit message,
and subsequently reflect the confirm value as well. This causes
the adversary to successfully authenticate as the victim. Fortunately,
the adversary will not posses the negotiated session key, meaning the
adversary cannot actually perform any actions as this user.
Affected Versions:
freeradius 3.0.0 through 3.0.18
Fixed In Version:
freeradius 3.0.19
References:
https://freeradius.org/security/
https://freeradius.org/release\_notes/?br=3.0.x&re=3.0.19
Patches:
https://github.com/FreeRADIUS/freeradius-server/commit/85497b5ff37ccb656895b826b88585898c209586
https://github.com/FreeRADIUS/freeradius-server/commit/ab4c767099f263a7cd4109bcdca80ee74210a769
CVE-2019-11235: eap-pwd: authentication bypass via an invalid curve attack
A vulnerability was found in FreeRadius. An invalid curve attack allows
an attacker to authenticate as any user (without knowing the password).
The problem is
that on the reception of an EAP-PWD Commit frame, FreeRADIUS doesn’t
verify whether the received elliptic curve point is valid.
Fixed In Version:
freeradius 3.0.19
References:
https://freeradius.org/security/
https://security-tracker.debian.org/tracker/CVE-2019-11235
Patches:
https://github.com/FreeRADIUS/freeradius-server/commit/85497b5ff37ccb656895b826b88585898c209586
https://github.com/FreeRADIUS/freeradius-server/commit/ab4c767099f263a7cd4109bcdca80ee74210a769
(from redmine: issue id 10327, created on 2019-04-25, closed on 2019-04-29)
- Relations:
- parent #10324 (closed)
- Changesets:
- Revision 354ae2b1 on 2019-04-25T14:30:14Z:
main/freeradius: security fixes (CVE-2019-11234, CVE-2019-11235)
Fixes #10327