Netgate Discussion Forum
    Freeradius 2.2.x authentication bypass CVE-2017-9148

      whorfin

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9148

      The fix would seem to be never enabling "EAP-TLS Cache"; disable it now if you've set it previously.

      The FreeRADIUS maintainers seem to be adopting a "won't fix" posture, stating:

      "Patches for those versions will not be released, as the issue can be corrected with a minor configuration change."

      The pfSense package should probably reference the CVE now in the info section for this config section.

        gerby123

        FreeRADIUS 2.x is deprecated; either putting a warning in the pfSense package or updating to 3 would be most appreciated.

          jimp Rebel Alliance Developer Netgate

          According to these sites, FreeRADIUS 2.2.9 is not affected:

          http://freeradius.org/security.html
          http://www.securityfocus.com/bid/98734

          That said, 2.2.x is EOL and we're working on getting the package updated to FreeRADIUS 3.x.

            whorfin

            I saw that FreeRADIUS 3.0.15 support was added to Available Packages.
            Uninstalled freeradius2, installed freeradius3, and the configuration transferred over quite nicely.
            I imagine this was quite an undertaking, thanks much!

            Cheers
