Gentoo Logo

FreeRADIUS: Authentication bypass in EAP-MSCHAPv2 module

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200604-03 / freeradius
Release Date April 04, 2006
Latest Revision April 04, 2006: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-dialup/freeradius < 1.1.1 >= 1.1.1, < 1.0.0 All supported architectures

Related bugreports: #127229

Synopsis

The EAP-MSCHAPv2 module of FreeRADIUS is affected by a validation issue which causes some authentication checks to be bypassed.

2.  Impact Information

Background

FreeRADIUS is an open source RADIUS authentication server implementation.

Description

FreeRADIUS suffers from insufficient input validation in the EAP-MSCHAPv2 state machine.

Impact

An attacker could cause the server to bypass authentication checks by manipulating the EAP-MSCHAPv2 client state machine.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All FreeRADIUS users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dialup/freeradius-1.1.1"

4.  References

Print

Page updated April 04, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? Contact us.