- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201706-27 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: FreeRADIUS: Security bypass Date: June 27, 2017 Bugs: #620186 ID: 201706-27 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability in FreeRADIUS might allow remote attackers to bypass authentication. Background ========== FreeRADIUS is an open source RADIUS authentication server. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-dialup/freeradius < 3.0.14 >= 3.0.14 Description =========== It was discovered that the implementation of TTLS and PEAP in FreeRADIUS skips inner authentication when it handles a resumed TLS connection. The affected versions of FreeRADIUS fails to reliably prevent the resumption of unauthenticated sessions unless the TLS session cache is disabled completely. Impact ====== An unauthenticated remote user can bypass authentication by starting a session, and then resuming an unauthenticated TLS session before inner authentication has been completed successfully. Workaround ========== Set "enabled = no" in the cache subsection of eap module settings to disable TLS session caching. Resolution ========== All FreeRADIUS users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-dialup/freeradius-3.0.14" References ========== [ 1 ] CVE-2017-9148 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9148 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201706-27 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 --v5beFq0t2bePFNfD8oJd4ak3INf1J0Xgx--