Bug 1695783 (CVE-2019-11234)

Summary: CVE-2019-11234 freeradius: eap-pwd: fake authentication using reflection
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ascheel, dpal, fdvorak, jdennis, lemenkov, nikolai.kondrashov, pkis, rharwood, rschiron, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: freeradius 3.0.19 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:53:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1699419, 1699420, 1699421, 1699422, 1705370, 1705375    
Bug Blocks: 1695784    

Description Laura Pardo 2019-04-03 18:06:32 UTC 
A vulnerability was found in FreeRadius. An attacker can reflect the received scalar and element from the server in it's own commit message, and subsequently reflect the confirm value as well. This causes the adversary to successfully authenticate as the victim. Fortunately, the adversary will not posses the negotiated session key, meaning the adversary cannot actually perform any actions as this user.
Comment 1 Tomas Hoger 2019-04-11 20:24:24 UTC 
Public now via upstream security page:

https://freeradius.org/security/

Fixed upstream in freeradius 3.0.19:

http://freeradius.org/release_notes/?br=3.0.x&re=3.0.19

Upstream commit:

https://github.com/FreeRADIUS/freeradius-server/commit/85497b5ff37ccb656895b826b88585898c209586
https://github.com/FreeRADIUS/freeradius-server/commit/ab4c767099f263a7cd4109bcdca80ee74210a769
Comment 3 Tomas Hoger 2019-04-11 20:33:58 UTC 
EAP-PWD support was first added in freeradius 3.0.0, so earlier versions as shipped in Red Hat Enterprise Linux 6 and earlier are not affected.
Comment 4 Riccardo Schirone 2019-04-12 16:00:21 UTC 
Decreasing the Impact of the flaw to Moderate and setting CIA:L because even though an attacker can use the reflection attack to authenticate as a victim user, he will not learn the negotiated session key and he cannot perform any actions as the victim.
Comment 5 Riccardo Schirone 2019-04-12 16:14:27 UTC 
Created freeradius tracking bugs for this issue:

Affects: fedora-all [bug 1699420]
Comment 13 errata-xmlrpc 2019-05-09 15:09:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1131 https://access.redhat.com/errata/RHSA-2019:1131
Comment 14 errata-xmlrpc 2019-05-13 05:01:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1142 https://access.redhat.com/errata/RHSA-2019:1142