EAP/MSCHAPv2 code question

Julien.HOCHART at fr.thalesgroup.com
Wed Nov 15 15:15:50 CET 2006


Dear developers, 

I was looking at the MSCHAPv2 code patched since version 1.1.0 of FreeRADIUS due to the "FreeRADIUS EAP-MSCHAPv2 Authentication Bypass Vulnerability" issue (CVE-2006-1354) in modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c (around line 450).

The changes concern the case where the server receives a success.
I actually can't figure out how it can happen, because the RFCs always state that the server sends such messages to the clients.

Could someone let me know about it?

Thanks in advance, 

-- 
Julien




