FreeRADIUS Insufficient Verification of Data Authenticity Vulnerability [CVE-2019-11235]

CVE Number – CVE-2019-11235

A vulnerability in FreeRADIUS could allow an unauthenticated, remote attacker to bypass authentication on a targeted system.

The vulnerability exists because the eap_pwd.c source code file of the affected software does not verify whether the received elliptic curve point is valid when an EAP-PWD commit frame is received. An attacker could exploit this vulnerability to conduct an invalid curve attack. A successful exploit could allow the attacker to bypass authentication, which could be used to conduct further attacks. 

FreeRADIUS has confirmed the vulnerability and released software updates.

Analysis

• To exploit this vulnerability, an attacker may need access to the same trusted, internal network in which the targeted system resides. This access requirement may reduce the likelihood of a successful exploit.

Safeguards

• Administrators are advised to apply the appropriate updates.
  
  Administrators are advised to allow only trusted users to have network access.
  
  Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
  
  Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
  
  Administrators can help protect affected systems from external attacks by using a solid firewall strategy.
  
  Administrators are advised to monitor affected systems.

Vendor Announcements

• FreeRADIUS has released a security advisory and git commits at the following links: 2019.04.10Authentication bypass in EAP-PWD, commit 85497b5ff37ccb656895b826b88585898c209586, and commit ab4c767099f263a7cd4109bcdca80ee74210a769

Fixed Software

• FreeRADIUS has released software updates at the following link: FreeRADIUS 3.0.19