FreeRadius CVE 2012-3547

Alan DeKok aland at deployingradius.com
Wed Sep 12 15:57:07 CEST 2012


Bruce Bauman wrote:
> Can anyone explain how I can test my own FreeRadius server to make sure it's not vulnerable?

  You don't need to test.  The announcement describes which versions are
vulnerable.

  http://freeradius.org/security.html

> What do I need to exploit this vulnerability?

  Create a certificate with a very large ASN time field.

> I suspect that my FreeRadius server was the victim of an attack and I want to make sure I'm OK now.

  I don't understand.  You can look at the version number, *or* the
source code to see if you have the offending code.

  Why do tests when you can verify it directly?

  Alan DeKok.
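
The following is an added example, not part of the original post and not FreeRADIUS code. For anyone reviewing stored or captured certificates after the fact, it walks a DER blob and reports any UTCTime or GeneralizedTime element whose length differs from the fixed encodings RFC 5280 requires. The function names and the sample blobs are assumptions constructed for illustration.

```python
UTCTIME, GENERALIZEDTIME = 0x17, 0x18
# RFC 5280 certificate encodings: "YYMMDDHHMMSSZ" and "YYYYMMDDHHMMSSZ".
EXPECTED_LEN = {UTCTIME: 13, GENERALIZEDTIME: 15}

def read_tlv(buf, pos, end):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not supported")
    pos += 2
    if first < 0x80:                    # short-form length
        length = first
    else:                               # long-form length: next n bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("value runs past its container")
    return tag, pos, pos + length

def suspicious_time_fields(der):
    """Return sorted [(offset, tag, length)] for time fields of abnormal length."""
    findings, stack = [], [(0, len(der))]
    while stack:
        pos, end = stack.pop()
        while pos < end:
            tag, start, stop = read_tlv(der, pos, end)
            if tag in EXPECTED_LEN and stop - start != EXPECTED_LEN[tag]:
                findings.append((pos, tag, stop - start))
            elif tag & 0x20:            # constructed element: descend into it
                stack.append((start, stop))
            pos = stop
    return sorted(findings)

def tlv(tag, value):
    """Encode one element (used only to build the constructed samples below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

# Constructed samples: a Validity-like SEQUENCE holding two UTCTime values.
GOOD = tlv(0x30, tlv(UTCTIME, b"120912000000Z") + tlv(UTCTIME, b"130912000000Z"))
BAD = tlv(0x30, tlv(UTCTIME, b"120912000000Z") + tlv(UTCTIME, b"9" * 200))
```

A PEM certificate has to be base64-decoded to DER before it is passed to suspicious_time_fields(); a ValueError means the blob is not well-formed DER and deserves a closer look on its own.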



More information about the Freeradius-Devel mailing list