FreeRadius CVE 2012-3547
Alan DeKok
aland at deployingradius.com
Wed Sep 12 15:57:07 CEST 2012
Bruce Bauman wrote:
> Can anyone explain how I can test my own FreeRadius server to make sure it's not vulnerable?

You don't need to test. The announcement describes which versions are
vulnerable.

http://freeradius.org/security.html

> What do I need to exploit this vulnerability?

Create a certificate with a very large ASN time field.

> I suspect that my FreeRadius server was the victim of an attack and I want to make sure I'm OK now.

I don't understand. You can look at the version number, *or* the
source code to see if you have the offending code.

Why do tests when you can verify it directly?

Alan DeKok.