← Retour aux CVEs

CVE-2019-13456

MEDIUM

6.5

Description

In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the "Dragonblood" attack and CVE-2019-9494.

Details CVE

Score CVSS v3.16.5

SeveriteMEDIUM

Vecteur CVSSCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vecteur d'attaqueADJACENT_NETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie12/3/2019

Derniere modification11/21/2024

Sourcenvd

Observations honeypot0

Produits affectes

freeradius:freeradiuslinux:linux_kernelopensuse:leapredhat:enterprise_linux

Faiblesses (CWE)

CWE-203

References

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00039.html(cve@mitre.org)

https://bugzilla.redhat.com/show_bug.cgi?id=1737663(cve@mitre.org)

https://freeradius.org/security/(cve@mitre.org)

https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa(cve@mitre.org)

https://wpa3.mathyvanhoef.com(cve@mitre.org)

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00039.html(af854a3a-2127-422b-91ae-364da2661108)

https://bugzilla.redhat.com/show_bug.cgi?id=1737663(af854a3a-2127-422b-91ae-364da2661108)

https://freeradius.org/security/(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa(af854a3a-2127-422b-91ae-364da2661108)

https://wpa3.mathyvanhoef.com(af854a3a-2127-422b-91ae-364da2661108)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.