Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 6 Jun 2017 23:56:42 +0200 (CEST)
From: Pavel Kankovsky <>
Subject: CVE-2017-9148 FreeRADIUS TLS resumption authentication bypass

Due to various unfortunate circumstances, mostly related to my own
sloppiness and stupidity, several "alternative facts" made their way
into the advisory published on May 29:

1. Reports of EOL versions being vulnerable were greatly exaggerated.
Only versions 2.1.1 through 2.1.7 are actually vulnerable. Other versions
allow TLS resumption and skip inner authentication but they change their
mind and refuse access at the last moment. (I accept full responsibility
for this fiasco and as an act of penance I have reexamined and retested
every single FreeRADIUS release since 2.0.0.)

2. The attribution of the discovery to Stefan Winter was wrong. Further
inquiry into this matter has revealed the vulnerability was reported
"back in February" but the true identity of a person who reported it
remains unknown. (Stefan reported a different problem with session
resumption in early March and those two issues might have become
conflated but that is purely my speculation.)

Enclosed below is the corrected advisory. The timeline has been extended
to cover the complete history of the vulnerability.


Vendor: The FreeRADIUS Project

Product: FreeRADIUS server

Affected Versions:

2.x (EOL): 2.1.1 through 2.1.7.

3.0.x (stable): All versions before 3.0.14.

3.1.x and 4.0.x (development): All versions before 2017-02-04.


The implementation of TTLS and PEAP in FreeRADIUS skips inner
authentication when it handles a resumed TLS connection. This is
a feature but there is a critical catch: the server must never allow
resumption of a TLS session until its initial connection gets to the point
where inner authentication has been finished successfully.

Unfortunately, affected versions of FreeRADIUS fail to reliably prevent
resumption of unauthenticated sessions unless the TLS session cache is
disabled completely and allow an attacker (e.g. a malicious supplicant) to
elicit EAP Success without sending any valid credentials.


(a) Disable TLS session caching. Set enabled = no in the cache subsection of
eap module settings (raddb/mods-enabled/eap in the standard v3.0.x-style

(b) Upgrade to version 3.0.14.


It is not known who was the first to discover this vulnerability.

Luboš Pavlíček of the University of Economics, Prague independently
rediscovered it in April 2017.


2008-09-05 Version 2.1.0 released. It was the first version supporting
TTLS session resumption/PEAP fast reauthentication.

2008-09-24 Vulnerability introduced (commit c6786c12).

2008-09-25 Version 2.1.1 released.

2009-09-14 Version 2.1.7 released.

2009-09-24 Vulnerability fixed (commit 776cf690).

2009-12-30 Version 2.1.8 released.

2011-05-11 Vulnerability reintroduced in v3.0.x branch (commit a3f08dcb).

2013-10-07 Version 3.0.0 released.

early February 2017: Vulnerability discovered (or rediscovered?) and
reported by an unknown person.

2017-02-03: The first (and mostly ineffective) attempt to fix the
vulnerability in v3.0.x branch (commits 5aabc3b1 and 6b909d0c).

2017-02-04 Vulnerability fixed in v3.1.x and v4.0.x branches (commits
813a93a7 and c703ad96, respectively).

2017-03-06 Version 3.0.13 released without any explicit indication that it
was supposed to fix a serious vulnerability (but it was probably better
that way because the vulnerability was not really fixed).

2017-04-24 Vulnerability rediscovered by Luboš Pavlíček.

2017-04-25 PoC exploit developed and used to confirm 3.0.13 is still
vulnerable. Vulnerability reported... again.

2017-05-08 The second (and hopefully final) attempt to fix the
vulnerability in v3.0.x (commits af030bd4 and 8f53382c).

2017-05-26 Version 3.0.14 released.


[1] <>
[2] <>

Pavel Kankovsky aka Peak                      "Que sçay-je?"

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.