In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes. This means multiple threads used the same BN_CTX instance concurrently, resulting in crashes when concurrent EAP-pwd handshakes are initiated. This can be abused by an adversary as a Denial-of-Service (DoS) attack. Reference: https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_20
Created freeradius tracking bugs for this issue: Affects: fedora-all [bug 1816681]
Upstream fix: https://github.com/FreeRADIUS/freeradius-server/commit/6b522f8780813726799e6b8cf0f1f8e0ce2c8ebf
FreeRADIUS versions 2.x and older are not vulnerable, because they do not support the EAP-pwd module.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 via RHSA-2020:3984 https://access.redhat.com/errata/RHSA-2020:3984
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-17185
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 via RHSA-2020:4799 https://access.redhat.com/errata/RHSA-2020:4799