Bug 1695783 (CVE-2019-11234) - CVE-2019-11234 freeradius: eap-pwd: fake authentication using reflection
Summary: CVE-2019-11234 freeradius: eap-pwd: fake authentication using reflection
Alias: CVE-2019-11234
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1699419 1699420 1699421 1699422 1705370 1705375
Blocks: 1695784
TreeView+ depends on / blocked
Reported: 2019-04-03 18:06 UTC by Laura Pardo
Modified: 2019-09-29 15:10 UTC (History)
10 users (show)

Fixed In Version: freeradius 3.0.19
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-10 10:53:13 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1131 0 None None None 2019-05-09 15:09:24 UTC
Red Hat Product Errata RHSA-2019:1142 0 None None None 2019-05-13 05:01:46 UTC

Description Laura Pardo 2019-04-03 18:06:32 UTC
A vulnerability was found in FreeRadius. An attacker can reflect the received scalar and element from the server in it's own commit message, and subsequently reflect the confirm value as well. This causes the adversary to successfully authenticate as the victim. Fortunately, the adversary will not posses the negotiated session key, meaning the adversary cannot actually perform any actions as this user.

Comment 3 Tomas Hoger 2019-04-11 20:33:58 UTC
EAP-PWD support was first added in freeradius 3.0.0, so earlier versions as shipped in Red Hat Enterprise Linux 6 and earlier are not affected.

Comment 4 Riccardo Schirone 2019-04-12 16:00:21 UTC
Decreasing the Impact of the flaw to Moderate and setting CIA:L because even though an attacker can use the reflection attack to authenticate as a victim user, he will not learn the negotiated session key and he cannot perform any actions as the victim.

Comment 5 Riccardo Schirone 2019-04-12 16:14:27 UTC
Created freeradius tracking bugs for this issue:

Affects: fedora-all [bug 1699420]

Comment 13 errata-xmlrpc 2019-05-09 15:09:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1131 https://access.redhat.com/errata/RHSA-2019:1131

Comment 14 errata-xmlrpc 2019-05-13 05:01:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1142 https://access.redhat.com/errata/RHSA-2019:1142

Note You need to log in before you can comment on or make changes to this bug.