CVE-2019-11234 — Improper Authentication in Freeradius

CWE-287 — Improper Authentication11 documents9 sources

Severity

9.8CRITICALNVD

EPSS

13.4%

top 5.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freeradius Canonical Ubuntu Linux Redhat Enterprise Linux

Timeline

PublishedApr 22

Latest updateMay 24

Description

FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDfreeradius/freeradius< 3.0.19

▶Debianfreeradius/freeradius< 3.0.17+dfsg-1.1+3

▶Ubuntufreeradius/freeradius< 3.0.16+dfsg-1ubuntu3.1

Also affects: Ubuntu Linux 18.04, 18.10, 19.04, Enterprise Linux 7.0

🔴Vulnerability Details

GHSA

GHSA-vwq6-jpj7-xqvx: FreeRADIUS before 3↗2022-05-24

▶

OSV

freeradius vulnerabilities↗2019-04-24

▶

OSV

CVE-2019-11234: FreeRADIUS before 3↗2019-04-22

▶

CVEList

CVE-2019-11234: FreeRADIUS before 3↗2019-04-21

▶

📋Vendor Advisories

Ubuntu

FreeRADIUS vulnerabilities↗2019-04-24

▶

Red Hat

freeradius: eap-pwd: fake authentication using reflection↗2019-04-10

▶

Debian

CVE-2019-11234: freeradius - FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication s...↗2019

▶

💬Community

HackerOne

Dragonblood: Design and Implementation Flaws in WPA3 and EAP-pwd↗2020-05-05

▶

Bugzilla

CVE-2019-11234 freeradius: eap-pwd: fake authentication using reflection [fedora-all]↗2019-04-12

▶

Bugzilla

CVE-2019-11234 freeradius: eap-pwd: fake authentication using reflection↗2019-04-03

▶