Freeradius 2.2.x authentication bypass CVE-2017-9148
-
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9148
The fix would seem to be never enabling "EAP-TLS Cache"; disable it now if you've set it previously.
FreeRADIUS maintainers seem to be adopting a "won't fix" posture, stating:
"Patches for those versions will not be released, as the issue can be corrected with a minor configuration change."
The pfSense package should probably reference the CVE now in the info section for this config section.
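The mitigation in the post above is a configuration setting, so a quick way to audit a box is to read the FreeRADIUS configuration rather than trust the GUI checkbox. The script below is an added example, not code from this thread, from pfSense, or from the FreeRADIUS project. It assumes that the pfSense "EAP-TLS Cache" option maps onto the standard FreeRADIUS 2.x `cache { enable = ... }` block inside `tls { }` in eap.conf, and that the file lives somewhere like `/usr/local/etc/raddb/eap.conf` (both assumptions; the sample configs are constructed inline so the check runs offline).

```shell
#!/bin/sh
# Added example (not from the forum thread or the pfSense/FreeRADIUS projects).
# Scans a FreeRADIUS 2.x eap.conf for the TLS session cache that CVE-2017-9148
# relies on. Returns 0 when "cache { enable = yes }" is present (the setting the
# thread says to turn off), 1 when the cache is disabled or the block is absent.
eap_tls_cache_enabled() {
    awk '
        /^[[:space:]]*#/ { next }                         # skip comment lines
        /^[[:space:]]*cache[[:space:]]*\{/ { in_cache = 1; next }
        in_cache && /^[[:space:]]*\}/ { in_cache = 0; next }
        in_cache && /^[[:space:]]*enable[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")                # keep only the value
            sub(/[[:space:]]*#.*$/, "")                   # drop trailing comment
            if ($0 == "yes") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Prints a verdict for one file; exit status mirrors eap_tls_cache_enabled.
report() {
    if eap_tls_cache_enabled "$1"; then
        echo "$1: EAP-TLS session cache ENABLED - disable it (CVE-2017-9148)"
        return 0
    fi
    echo "$1: EAP-TLS session cache disabled or absent"
    return 1
}

WORK=$(mktemp -d)

# Constructed sample: the weak setting, session cache on (assumed pfSense output).
cat > "$WORK/eap-weak.conf" <<'EOF'
eap {
	default_eap_type = tls
	tls {
		certdir = ${confdir}/certs
		cache {
			enable = yes
			lifetime = 24
			max_entries = 255
		}
	}
}
EOF

# Constructed sample: the corrected setting, session cache off.
cat > "$WORK/eap-fixed.conf" <<'EOF'
eap {
	default_eap_type = tls
	tls {
		certdir = ${confdir}/certs
		cache {
			enable = no   # mitigation for CVE-2017-9148 on 2.2.x
			lifetime = 24
			max_entries = 255
		}
	}
}
EOF

report "$WORK/eap-weak.conf" || true
report "$WORK/eap-fixed.conf" || true
# On a real system: report /usr/local/etc/raddb/eap.conf   (assumed pfSense path)
```

The awk walk is deliberately narrow: it only reads `enable` lines while inside a `cache {` block, so an `enable` elsewhere in eap.conf (for example under `tls { }` itself) is not mistaken for the cache switch.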
-
FreeRADIUS 2.x is deprecated; either putting a warning in the pfSense package or updating to 3 would be most appreciated.
-
According to these sites, FreeRADIUS 2.2.9 is not affected:
http://freeradius.org/security.html
http://www.securityfocus.com/bid/98734
That said, 2.2.x is EOL and we're working on getting the package updated to FreeRADIUS 3.x.
-
I saw that FreeRADIUS 3.0.15 support was added to Available Packages.
Uninstalled freeradius2, installed freeradius3, and the configuration transferred over quite nicely.
I imagine this was quite an undertaking, thanks much!
Cheers