Vulnerability Details CVE-2017-9148
The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before 3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.012
EPSS Ranking 78.0%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://freeradius.org/security.html
- http://seclists.org/oss-sec/2017/q2/422
- http://www.securityfocus.com/bid/98734
- http://www.securitytracker.com/id/1038576
- https://access.redhat.com/errata/RHSA-2017:1581
- https://security.gentoo.org/glsa/201706-27
- http://freeradius.org/security.html
- http://seclists.org/oss-sec/2017/q2/422
- http://www.securityfocus.com/bid/98734
- http://www.securitytracker.com/id/1038576
- https://access.redhat.com/errata/RHSA-2017:1581
- https://security.gentoo.org/glsa/201706-27
Products affected by CVE-2017-9148
-
cpe:2.3:a:freeradius:freeradius:2.1.1
-
cpe:2.3:a:freeradius:freeradius:2.1.2
-
cpe:2.3:a:freeradius:freeradius:2.1.3
-
cpe:2.3:a:freeradius:freeradius:2.1.4
-
cpe:2.3:a:freeradius:freeradius:2.1.6
-
cpe:2.3:a:freeradius:freeradius:2.1.7
-
cpe:2.3:a:freeradius:freeradius:3.0.0
-
cpe:2.3:a:freeradius:freeradius:3.0.1
-
cpe:2.3:a:freeradius:freeradius:3.0.2
-
cpe:2.3:a:freeradius:freeradius:3.0.3
-
cpe:2.3:a:freeradius:freeradius:3.0.4
-
cpe:2.3:a:freeradius:freeradius:3.0.5
-
cpe:2.3:a:freeradius:freeradius:3.0.6
-
cpe:2.3:a:freeradius:freeradius:3.0.7
-
cpe:2.3:a:freeradius:freeradius:3.0.8
-
cpe:2.3:a:freeradius:freeradius:3.0.9
-
cpe:2.3:a:freeradius:freeradius:3.1.0
-
cpe:2.3:a:freeradius:freeradius:3.1.1
-
cpe:2.3:a:freeradius:freeradius:3.1.2
-
cpe:2.3:a:freeradius:freeradius:3.1.3
-
cpe:2.3:a:freeradius:freeradius:4.0.0