
FreeRADIUS: Authentication bypass in EAP-MSCHAPv2 module


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200604-03 / freeradius
Release Date: April 04, 2006
Latest Revision: April 04, 2006: 01
Impact: normal
Exploitable: remote

Package: net-dialup/freeradius
Vulnerable versions: < 1.1.1
Unaffected versions: >= 1.1.1, < 1.0.0
Architecture(s): All supported architectures

Related bugreports: #127229


The EAP-MSCHAPv2 module of FreeRADIUS is affected by a validation issue which causes some authentication checks to be bypassed.

2.  Impact Information


FreeRADIUS is an open source RADIUS authentication server implementation.


FreeRADIUS suffers from insufficient input validation in the EAP-MSCHAPv2 state machine.


An attacker could cause the server to bypass authentication checks by manipulating the EAP-MSCHAPv2 client state machine.

3.  Resolution Information


There is no known workaround at this time.


All FreeRADIUS users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dialup/freeradius-1.1.1"
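
To confirm whether a host still needs the upgrade, the following added example (not part of the original advisory) classifies a net-dialup/freeradius version string against the ranges listed under Version Information. The function names and the sample versions are constructed for illustration, and only dotted numeric versions with an optional Gentoo "-rN" revision are handled.

```shell
#!/bin/sh
# Added example: classify a net-dialup/freeradius version against the ranges
# in GLSA 200604-03 (vulnerable: < 1.1.1; unaffected: >= 1.1.1, or < 1.0.0).
# Assumption: versions are dotted numbers with an optional "-rN" revision;
# anything else (for example _pre or _rc suffixes) is reported as "unknown".

# ver_cmp A B: print -1, 0 or 1 when A is lower than, equal to or higher than B.
ver_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                    # leading component of each
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}                      # missing component counts as 0
        [ "$x" -lt "$y" ] && { echo -1; return 0; }
        [ "$x" -gt "$y" ] && { echo 1; return 0; }
    done
    echo 0
}

# glsa_status VERSION: print vulnerable, unaffected or unknown.
glsa_status() {
    v=${1%-r[0-9]*}                               # 1.1.0-r1 -> 1.1.0
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    if [ "$(ver_cmp "$v" 1.1.1)" -ge 0 ] || [ "$(ver_cmp "$v" 1.0.0)" -lt 0 ]; then
        echo unaffected
    else
        echo vulnerable
    fi
}

# Constructed sample versions, not taken from the advisory.
for sample in 0.9.3 1.0.5 1.1.0-r1 1.1.1 1.1.2; do
    printf '%-10s %s\n' "$sample" "$(glsa_status "$sample")"
done
```

A version reported as "unknown" should be compared by hand against the ranges above.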

4.  References


Page updated April 04, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address
