First published: Wed Apr 03 2019
A vulnerability was found in FreeRADIUS. An attacker can reflect the scalar and element received from the server in its own commit message, and subsequently reflect the confirm value as well. This causes the adversary to successfully authenticate as the victim. Fortunately, the adversary will not possess the negotiated session key, meaning the adversary cannot actually perform any actions as this user.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Freeradius Freeradius | <3.0.19 | |
Fedoraproject Fedora | | |
Redhat Enterprise Linux | =7.0 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
Canonical Ubuntu Linux | =19.04 | |
redhat/freeradius | <3.0.19 | 3.0.19 |
debian/freeradius | 3.0.21+dfsg-2.2+deb11u1 3.2.1+dfsg-4+deb12u1 3.2.5+dfsg-3 |
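
The reflection described above can be reproduced in a small model. This is an added example, not FreeRADIUS code: it assumes a simplified Dragonfly-style commit/confirm exchange (the advisory does not name the protocol) over a constructed toy group, and the names `Party`, `echo_accepted` and `honest_accepted` are hypothetical. It shows why an echoed commit and confirm verify without the password, and how comparing the peer's commit values against one's own rejects the echo while leaving an honest exchange intact.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (not real protocol parameters): P = 2*Q + 1, and PWE
# stands in for the password-derived element, a generator of the order-Q subgroup.
# Party models one side of the simplified commit/confirm exchange.
P, Q, PWE = 2039, 1019, 4


class Party:
    def __init__(self, reject_reflection, rand=None, mask=None):
        self.reject_reflection = reject_reflection
        self.rand = rand or secrets.randbelow(Q - 2) + 2
        mask = mask or secrets.randbelow(Q - 2) + 2
        self.scalar = (self.rand + mask) % Q
        self.element = pow(PWE, Q - mask, P)  # PWE^(-mask) in the order-Q subgroup
        self.expected = None

    @staticmethod
    def _confirm(k, *transcript):
        return hashlib.sha256(repr((k, *transcript)).encode()).hexdigest()

    def handle_commit(self, peer_scalar, peer_element):
        """Return our confirm value, or None if the commit is rejected."""
        if self.reject_reflection and (peer_scalar == self.scalar or peer_element == self.element):
            return None  # the peer echoed our own commit values
        k = pow(peer_element * pow(PWE, peer_scalar, P) % P, self.rand, P)  # shared secret
        self.expected = self._confirm(k, peer_element, peer_scalar, self.element, self.scalar)
        return self._confirm(k, self.element, self.scalar, peer_element, peer_scalar)

    def handle_confirm(self, peer_confirm):
        return self.expected is not None and hmac.compare_digest(peer_confirm, self.expected)


def echo_accepted(reject_reflection):
    """Model a peer that knows no password and only echoes the server's messages."""
    server = Party(reject_reflection)
    confirm = server.handle_commit(server.scalar, server.element)
    return confirm is not None and server.handle_confirm(confirm)


def honest_accepted(reject_reflection):
    """Two parties with distinct constructed secrets complete the exchange."""
    a = Party(reject_reflection, rand=5, mask=7)
    b = Party(reject_reflection, rand=11, mask=13)
    confirm_a = a.handle_commit(b.scalar, b.element)
    confirm_b = b.handle_commit(a.scalar, a.element)
    return a.handle_confirm(confirm_b) and b.handle_confirm(confirm_a)
```

When the commit is echoed, the transcript the server hashes for its own confirm is identical to the one it expects back, so the echoed confirm matches even though the echoing side never learns `k`.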