Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2019-17185

Published: 21 March 2020

In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes. This mean multiple threads use the same BN_CTX instance concurrently, resulting in crashes when concurrent EAP-pwd handshakes are initiated. This can be abused by an adversary as a Denial-of-Service (DoS) attack.

Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
freeradius
Launchpad, Ubuntu, Debian
bionic
Released (3.0.16+dfsg-1ubuntu3.2)
eoan Ignored
(reached end-of-life)
focal Not vulnerable
(3.0.20+dfsg-3build1)
groovy Not vulnerable
(3.0.20+dfsg-3build1)
hirsute Not vulnerable
(3.0.20+dfsg-3build1)
impish Not vulnerable
(3.0.20+dfsg-3build1)
jammy Not vulnerable
(3.0.20+dfsg-3build1)
kinetic Not vulnerable
(3.0.20+dfsg-3build1)
precise Does not exist

trusty Does not exist

upstream
Released (3.0.20+dfsg-1)
xenial Not vulnerable
(code not present)