CVE-2017-9148
First published: Mon May 29 2017(Updated: )
The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before 3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Freeradius Freeradius | =2.1.1 | |
| Freeradius Freeradius | =2.1.2 | |
| Freeradius Freeradius | =2.1.3 | |
| Freeradius Freeradius | =2.1.4 | |
| Freeradius Freeradius | =2.1.6 | |
| Freeradius Freeradius | =2.1.7 | |
| Freeradius Freeradius | =3.0.0 | |
| Freeradius Freeradius | =3.0.1 | |
| Freeradius Freeradius | =3.0.2 | |
| Freeradius Freeradius | =3.0.3 | |
| Freeradius Freeradius | =3.0.4 | |
| Freeradius Freeradius | =3.0.5 | |
| Freeradius Freeradius | =3.0.6 | |
| Freeradius Freeradius | =3.0.7 | |
| Freeradius Freeradius | =3.0.8 | |
| Freeradius Freeradius | =3.0.9 | |
| Freeradius Freeradius | =3.1.0 | |
| Freeradius Freeradius | =3.1.1 | |
| Freeradius Freeradius | =3.1.2 | |
| Freeradius Freeradius | =3.1.3 | |
| Freeradius Freeradius | =4.0.0 | |
| redhat/freeradius | <3.0.14 | 3.0.14 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://freeradius.org/security.html
- http://seclists.org/oss-sec/2017/q2/422
- http://www.securityfocus.com/bid/98734
- http://www.securitytracker.com/id/1038576
- https://access.redhat.com/errata/RHSA-2017:1581
- https://security.gentoo.org/glsa/201706-27
- http://seclists.org/oss-sec/2017/q2/342
- https://github.com/FreeRADIUS/freeradius-server/commit/af030bd4
- https://github.com/FreeRADIUS/freeradius-server/commit/8f53382c
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1456698
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1287974&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1287974&action=edit
- https://bugzilla.redhat.com/show_bug.cgi?id=1456697
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-9148
- agent/software-canonical-lookup
- vendor/freeradius
- canonical/freeradius freeradius
- version/freeradius freeradius/2.1.1
- version/freeradius freeradius/2.1.2
- version/freeradius freeradius/2.1.3
- version/freeradius freeradius/2.1.4
- version/freeradius freeradius/2.1.6
- version/freeradius freeradius/2.1.7
- version/freeradius freeradius/3.0.0
- version/freeradius freeradius/3.0.1
- version/freeradius freeradius/3.0.2
- version/freeradius freeradius/3.0.3
- version/freeradius freeradius/3.0.4
- version/freeradius freeradius/3.0.5
- version/freeradius freeradius/3.0.6
- version/freeradius freeradius/3.0.7
- version/freeradius freeradius/3.0.8
- version/freeradius freeradius/3.0.9
- version/freeradius freeradius/3.1.0
- version/freeradius freeradius/3.1.1
- version/freeradius freeradius/3.1.2
- version/freeradius freeradius/3.1.3
- version/freeradius freeradius/4.0.0
- package-manager/redhat