FreeRADIUS 3.0 through 3.0.19 Information Exposure Vulnerability

Summary

In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. 

Credit:

The information has been provided by Pedro Sampaio.

The original article can be found at: https://freeradius.org/security/


Details

These handshake failures leak information that an attacker can use to recover the password of any user. The leak is similar to the “Dragonblood” attack.

Vulnerable Systems:

FreeRADIUS 3.0 through 3.0.19

CVE Information:

CVE-2019-13456

Disclosure Timeline:

Published Date: 12/3/2019
