Freeradius: Security Vulnerabilities
The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before 3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS.
CVSS Score
9.8
EPSS Score
0.012
Published
2017-05-29
FreeRADIUS 2.2.x before 2.2.8 and 3.0.x before 3.0.9 does not properly check revocation of intermediate CA certificates.
CVSS Score
7.5
EPSS Score
0.004
Published
2017-04-05
The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a zero-length EAP-PWD packet.
CVSS Score
5.9
EPSS Score
0.005
Published
2017-03-27
The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attackers to have unspecified impact via a crafted (1) commit or (2) confirm message, which triggers an out-of-bounds read.
CVSS Score
8.1
EPSS Score
0.005
Published
2017-03-27
Off-by-one error in the EAP-PWD module in FreeRADIUS 3.0 through 3.0.8, which triggers a buffer overflow.
CVSS Score
8.1
EPSS Score
0.005
Published
2017-03-27
Stack-based buffer overflow in the normify function in the rlm_pap module (modules/rlm_pap/rlm_pap.c) in FreeRADIUS 2.x, possibly 2.2.3 and earlier, and 3.x, possibly 3.0.1 and earlier, might allow attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long password hash, as demonstrated by an SSHA hash.
CVSS Score
7.5
EPSS Score
0.009
Published
2014-11-02
modules/rlm_unix/rlm_unix.c in FreeRADIUS before 2.2.0, when unix mode is enabled for user authentication, does not properly check the password expiration in /etc/shadow, which allows remote authenticated users to authenticate using an expired password.
CVSS Score
6.0
EPSS Score
0.006
Published
2013-03-12
Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS 2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via a long "not after" timestamp in a client certificate.
CVSS Score
6.8
EPSS Score
0.176
Published
2012-09-18
The ocsp_check function in rlm_eap_tls.c in FreeRADIUS 2.1.11, when OCSP is enabled, does not properly parse replies from OCSP responders, which allows remote attackers to bypass authentication by using the EAP-TLS protocol with a revoked X.509 client certificate.
CVSS Score
5.8
EPSS Score
0.005
Published
2011-08-04
The fr_dhcp_decode function in lib/dhcp.c in FreeRADIUS 2.1.9, in certain non-default builds, does not properly handle the DHCP Relay Agent Information option, which allows remote attackers to cause a denial of service (infinite loop and daemon outage) via a packet that has more than one sub-option. NOTE: some of these details are obtained from third party information.
CVSS Score
4.3
EPSS Score
0.008
Published
2010-10-07