Freeradius
By the Year
In 2021 there have been 0 vulnerabilities in Freeradius . Last year Freeradius had 1 security vulnerability published. Right now, Freeradius is on track to have less security vulnerabilities in 2021 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2021 | 0 | 0.00 |
2020 | 1 | 7.50 |
2019 | 3 | 8.87 |
2018 | 0 | 0.00 |
It may take a day or so for new Freeradius vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.
Latest Freeradius Security Vulnerabilities
In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes
CVE-2019-17185
7.5 - High
- March 21, 2020
In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes. This mean multiple threads use the same BN_CTX instance concurrently, resulting in crashes when concurrent EAP-pwd handshakes are initiated. This can be abused by an adversary as a Denial-of-Service (DoS) attack.
CVE-2019-17185 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Improper Input Validation
** DISPUTED ** It was discovered freeradius up to and including version 3.0.19 does not correctly configure logrotate
CVE-2019-10143
7 - High
- May 24, 2019
** DISPUTED ** It was discovered freeradius up to and including version 3.0.19 does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user. NOTE: the upstream software maintainer has stated "there is simply no way for anyone to gain privileges through this alleged issue."
CVE-2019-10143 can be explotited with local system access, and requires small amount of user privledges. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 1.0 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.
Permissions, Privileges, and Access Controls
FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing
CVE-2019-11234
9.8 - Critical
- April 22, 2019
FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.
CVE-2019-11234 is exploitable with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulneraility has a high impact to the confidentiality, integrity and availability of this component.
authentification
FreeRADIUS before 3.0.19 mishandles the "each participant verifies
CVE-2019-11235
9.8 - Critical
- April 22, 2019
FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.
CVE-2019-11235 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulneraility has a high impact to the confidentiality, integrity and availability of this component.
Insufficient Verification of Data Authenticity