ALT Linux Team

Package freeradius update in c10f2 on 2025-07-12

ALT-PU-2025-9144-3

Package freeradius updated to version 3.2.7-alt1 for branch c10f2 in task 389400.

Closed vulnerabilities

Published: 2024-07-09

BDU:2024-05180

Уязвимость реализации протокола аутентификации RADIUS связана с обходом процедуры аутентификации посредством захвата-воспроизведения (capture-replay) перехваченных сообщений. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, получить несанкционированный доступ путём подделки аутентификационного ответа

Severity: HIGH (7.5) Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: MEDIUM (6.8) Vector: AV:A/AC:H/Au:N/C:C/I:C/A:C
References:
Published: 2023-01-17
Modified: 2025-04-07

CVE-2022-41860

In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2023-01-17
Modified: 2025-04-07

CVE-2022-41861

A flaw was found in freeradius. A malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-07-09
Modified: 2025-09-04

CVE-2024-3596

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.

Severity: CRITICAL (9.0) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top