A vulnerability was found in FreeRadius. An attacker can reflect the received scalar and element from the server in it's own commit message, and subsequently reflect the confirm value as well. This causes the adversary to successfully authenticate as the victim. Fortunately, the adversary will not posses the negotiated session key, meaning the adversary cannot actually perform any actions as this user.
Public now via upstream security page: https://freeradius.org/security/ Fixed upstream in freeradius 3.0.19: http://freeradius.org/release_notes/?br=3.0.x&re=3.0.19 Upstream commit: https://github.com/FreeRADIUS/freeradius-server/commit/85497b5ff37ccb656895b826b88585898c209586 https://github.com/FreeRADIUS/freeradius-server/commit/ab4c767099f263a7cd4109bcdca80ee74210a769
EAP-PWD support was first added in freeradius 3.0.0, so earlier versions as shipped in Red Hat Enterprise Linux 6 and earlier are not affected.
Decreasing the Impact of the flaw to Moderate and setting CIA:L because even though an attacker can use the reflection attack to authenticate as a victim user, he will not learn the negotiated session key and he cannot perform any actions as the victim.
Created freeradius tracking bugs for this issue: Affects: fedora-all [bug 1699420]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1131 https://access.redhat.com/errata/RHSA-2019:1131
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1142 https://access.redhat.com/errata/RHSA-2019:1142