ByteOS Network

NVD Vulnerability Details :

CVE-2019-13456

Analyzed

Source-cve@mitre.org

Published At-03 Dec, 2019 | 20:15

Updated At-01 Jan, 2022 | 20:06

In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the "Dragonblood" attack and CVE-2019-9494.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	6.5	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary	2.0	2.9	LOW	AV:A/AC:M/Au:N/C:P/I:N/A:N

CPE Matches

FreeRADIUS

>>freeradius>>Versions from 3.0.0(inclusive) to 3.0.19(inclusive)

cpe:2.3:a:freeradius:freeradius:*:*:*:*:*:*:*:*

Linux Kernel Organization, Inc

>>linux_kernel>>-

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux>>7.0

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux>>8.0

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

openSUSE

>>leap>>15.1

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-203	Primary	nvd@nist.gov

References

Hyperlink	Source	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00039.html	cve@mitre.org	Mailing List Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1737663	cve@mitre.org	Exploit Issue Tracking Patch Third Party Advisory
https://freeradius.org/security/	cve@mitre.org	Vendor Advisory
https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa	cve@mitre.org	Patch Third Party Advisory
https://wpa3.mathyvanhoef.com	cve@mitre.org	Exploit Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History