EAP/MSCHAPv2 code question
    Julien.HOCHART at fr.thalesgroup.com 
    Wed Nov 15 15:15:50 CET 2006
    
    
  
Dear developers, 
I was looking at the MSCHAPv2 code patched since version 1.1.0 of FreeRADIUS due to the "FreeRADIUS EAP-MSCHAPv2 Authentication Bypass Vulnerability" issue (CVE 2006/1354) in modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c (~l 450).
The changes concern the case where the server receives a success.
I actually can't figure out how it can happen, because the RFCs always state that the server sends such messages to the clients.
Could someone let me know about it?
Thanks in advance, 
-- 
Julien
    
    