What is the severity of CVE-2017-9148?

CVE-2017-9148 has a medium severity level due to its ability to bypass authentication.

How do I fix CVE-2017-9148?

To mitigate CVE-2017-9148, upgrade FreeRADIUS to version 3.0.14 or later.

Which versions of FreeRADIUS are affected by CVE-2017-9148?

FreeRADIUS versions 2.1.1 through 2.1.7, all 3.0.x versions before 3.0.14, and 3.1.x versions before February 4, 2017, are affected.

Can CVE-2017-9148 be exploited remotely?

Yes, remote attackers can exploit CVE-2017-9148 to bypass authentication.

What type of attacks can CVE-2017-9148 facilitate?

CVE-2017-9148 can facilitate unauthorized access via unauthenticated session resumption.

Vulnerability/
CVE-2017-9148

critical

9.8

CWE

287

29/5/2017

17/2/2021

CVE-2017-9148

First published: Mon May 29 2017(Updated: )

The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before 3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
redhat/freeradius	<3.0.14	3.0.14
FreeRADIUS FreeRADIUS	=2.1.1
FreeRADIUS FreeRADIUS	=2.1.2
FreeRADIUS FreeRADIUS	=2.1.3
FreeRADIUS FreeRADIUS	=2.1.4
FreeRADIUS FreeRADIUS	=2.1.6
FreeRADIUS FreeRADIUS	=2.1.7
FreeRADIUS FreeRADIUS	=3.0.0
FreeRADIUS FreeRADIUS	=3.0.1
FreeRADIUS FreeRADIUS	=3.0.2
FreeRADIUS FreeRADIUS	=3.0.3
FreeRADIUS FreeRADIUS	=3.0.4
FreeRADIUS FreeRADIUS	=3.0.5
FreeRADIUS FreeRADIUS	=3.0.6
FreeRADIUS FreeRADIUS	=3.0.7
FreeRADIUS FreeRADIUS	=3.0.8
FreeRADIUS FreeRADIUS	=3.0.9
FreeRADIUS FreeRADIUS	=3.1.0
FreeRADIUS FreeRADIUS	=3.1.1
FreeRADIUS FreeRADIUS	=3.1.2
FreeRADIUS FreeRADIUS	=3.1.3
FreeRADIUS FreeRADIUS	=4.0.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2017-9148?
CVE-2017-9148 has a medium severity level due to its ability to bypass authentication.
How do I fix CVE-2017-9148?
To mitigate CVE-2017-9148, upgrade FreeRADIUS to version 3.0.14 or later.
Which versions of FreeRADIUS are affected by CVE-2017-9148?
FreeRADIUS versions 2.1.1 through 2.1.7, all 3.0.x versions before 3.0.14, and 3.1.x versions before February 4, 2017, are affected.
Can CVE-2017-9148 be exploited remotely?
Yes, remote attackers can exploit CVE-2017-9148 to bypass authentication.
What type of attacks can CVE-2017-9148 facilitate?
CVE-2017-9148 can facilitate unauthorized access via unauthenticated session resumption.

agent/type
agent/last-modified-date
agent/first-publish-date
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2017-9148
agent/software-canonical-lookup
agent/references
agent/severity
agent/author
agent/weakness
agent/description
agent/event
agent/trending
agent/source
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
package-manager/redhat
vendor/freeradius
canonical/freeradius freeradius
version/freeradius freeradius/2.1.1
version/freeradius freeradius/2.1.2
version/freeradius freeradius/2.1.3
version/freeradius freeradius/2.1.4
version/freeradius freeradius/2.1.6
version/freeradius freeradius/2.1.7
version/freeradius freeradius/3.0.0
version/freeradius freeradius/3.0.1
version/freeradius freeradius/3.0.2
version/freeradius freeradius/3.0.3
version/freeradius freeradius/3.0.4
version/freeradius freeradius/3.0.5
version/freeradius freeradius/3.0.6
version/freeradius freeradius/3.0.7
version/freeradius freeradius/3.0.8
version/freeradius freeradius/3.0.9
version/freeradius freeradius/3.1.0
version/freeradius freeradius/3.1.1
version/freeradius freeradius/3.1.2
version/freeradius freeradius/3.1.3
version/freeradius freeradius/4.0.0