On Apr 8, 2014, at 3:36 PM, Alan DeKok <aland@deployingradius.com> wrote:
Jouni Malinen wrote:
Unfortunately, it looks like this is not as clear as this statement seems to indicate. It turned out that my initial setup did not show the issue (and I still cannot reproduce it on that setup for some unknown reason). However, a fresh installation of the exact same FreeRADIUS version (and also couple of other versions I tested) on a virtual host with a different OS variant does seem to indicated limited form of this OpenSSL vulnerability being triggerable through FreeRADIUS EAP PEAP/TTLS implementation. This does not seem to open as large a window for getting useful data as other use cases with OpenSSL, but it is unknown whether some critical memory contents could be revealed.
I've updated the security notification to reflect this information:
http://freeradius.org/security.html
Alan DeKok.
Do you know if we will see this message: Invalid ACK received: 24 with freeradius using openssl 1.0.1g when a heartbleed attack is attempted? Thanks for your time, — DaveD