Bug 1695748 (CVE-2019-11235) - CVE-2019-11235 freeradius: eap-pwd: authentication bypass via an invalid curve attack
Summary: CVE-2019-11235 freeradius: eap-pwd: authentication bypass via an invalid curv...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11235
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190410:1500...
Depends On: 1699417 1699413 1699414 1699415 1699416 1699418
Blocks: 1695784
TreeView+ depends on / blocked
 
Reported: 2019-04-03 17:38 UTC by Laura Pardo
Modified: 2019-06-10 10:53 UTC (History)
10 users (show)

Fixed In Version: freeradius 3.0.19
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:53:11 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1131 None None None 2019-05-09 15:09:23 UTC
Red Hat Product Errata RHSA-2019:1142 None None None 2019-05-13 05:01:45 UTC

Description Laura Pardo 2019-04-03 17:38:33 UTC
A vulnerability was found in FreeRadius. An invalid curve attack allows an attacker to authenticate as any user (without knowing the password). The problem is that on the reception of an EAP-PWD Commit frame, FreeRADIUS doesn't verify whether the received elliptic curve point is valid.

Comment 3 Tomas Hoger 2019-04-11 20:34:09 UTC
EAP-PWD support was first added in freeradius 3.0.0, so earlier versions as shipped in Red Hat Enterprise Linux 6 and earlier are not affected.

Comment 5 Riccardo Schirone 2019-04-12 16:09:53 UTC
Created freeradius tracking bugs for this issue:

Affects: fedora-all [bug 1699415]

Comment 7 Riccardo Schirone 2019-04-15 13:58:05 UTC
When a EAP-PWD Commit frame is received, a vulnerable implementation does not check that the received point is on the elliptic curve and that is not at infinity and/or it does not check that the received scalar is within the right range. Those conditions should be checked and the handshake should be aborted if the data is not valid.

Comment 14 errata-xmlrpc 2019-05-09 15:09:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1131 https://access.redhat.com/errata/RHSA-2019:1131

Comment 15 errata-xmlrpc 2019-05-13 05:01:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1142 https://access.redhat.com/errata/RHSA-2019:1142


Note You need to log in before you can comment on or make changes to this bug.