Statement on OpenSSL security bug

Jouni Malinen jkmalinen at gmail.com
Tue Apr 8 22:15:28 CEST 2014


On Tue, Apr 8, 2014 at 9:35 PM, Alan DeKok <aland at deployingradius.com> wrote:
>   Thanks to Jouni Malinen for providing test cases and more detailed
> information about the bug.

Unfortunately, it looks like this is not as clear as this statement
seems to indicate. It turned out that my initial setup did not show
the issue (and I still cannot reproduce it on that setup for some
unknown reason). However, a fresh installation of the exact same
FreeRADIUS version (and also a couple of other versions I tested) on a
virtual host with a different OS variant does seem to indicate a
limited form of this OpenSSL vulnerability being triggerable through
the FreeRADIUS EAP PEAP/TTLS implementation. This does not seem to open as
large a window for getting useful data as other use cases with
OpenSSL, but it is unknown whether some critical memory contents could
be revealed.

- Jouni


More information about the Freeradius-Users mailing list