CVE-2019-17185 : What You Need to Know

FreeRADIUS 3.0.x before version 3.0.20 is vulnerable to a Denial-of-Service (DoS) attack due to a flaw in the EAP-pwd module.

Understanding CVE-2019-17185

This CVE describes a vulnerability in FreeRADIUS 3.0.x that could allow an attacker to trigger a DoS attack by exploiting a concurrency issue in the EAP-pwd module.

What is CVE-2019-17185?

Before version 3.0.20 of FreeRADIUS 3.0.x, a problem existed in the EAP-pwd module where multiple threads could use the same OpenSSL BN_CTX instance concurrently, leading to crashes during concurrent EAP-pwd handshakes.

The Impact of CVE-2019-17185

This vulnerability could be exploited by an attacker to launch a DoS attack, potentially disrupting the availability of the FreeRADIUS service.

Technical Details of CVE-2019-17185

FreeRADIUS 3.0.x before version 3.0.20 is affected by this vulnerability.

Vulnerability Description

The EAP-pwd module in FreeRADIUS 3.0.x prior to 3.0.20 used a single OpenSSL BN_CTX instance for all handshakes, allowing multiple threads to use it simultaneously, resulting in crashes during concurrent EAP-pwd handshakes.

Affected Systems and Versions

Product: FreeRADIUS
Vendor: N/A
Versions affected: Before 3.0.20

Exploitation Mechanism

An attacker could exploit this vulnerability by initiating multiple EAP-pwd handshakes concurrently, causing crashes and potentially leading to a DoS condition.

Mitigation and Prevention

To address CVE-2019-17185, follow these mitigation strategies:

Immediate Steps to Take

Upgrade FreeRADIUS to version 3.0.20 or newer to mitigate the vulnerability.
Monitor network traffic for any signs of exploitation.

Long-Term Security Practices

Regularly update and patch FreeRADIUS to ensure the latest security fixes are in place.
Implement network segmentation and access controls to limit the impact of potential attacks.

Patching and Updates

Apply patches and updates provided by FreeRADIUS promptly to address known vulnerabilities.