freeradius denial of service in authentication flow
Florian Weimer
fw at deneb.enyo.de
Sun Feb 16 09:39:39 UTC 2014
* Alan DeKok:
> Florian Weimer wrote:
>> * Alan DeKok:
>>
>>> That's an issue, but a rare one IMHO. The user has to exist on the
>>> system. So this isn't a remote DoS.
>>
>> Could you elaborate on this assessment? Is this because typical data
>> sources for SSHA passwords limit the length of the salt and thus the
>> length of the SSHA hash?
>
> Partly. The typical use-case for a remote DoS is for an
> unauthenticated user to take down the system. Here, the user has to be
> known, *and* be able to create a long SSHA password.
>
> To me, this puts the issue into the category of "known users can do
> bad things", which is very different from "unknown users can do bad things".
Okay, fair enough.
As this is already public via
<http://lists.freebsd.org/pipermail/freebsd-bugbusters/2014-February/000610.html>,
I will request a CVE on oss-security.
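Added example, not code from FreeRADIUS or from either poster: the {SSHA} scheme
discussed above stores base64(SHA1(password || salt) || salt), so the length of the
stored value is fixed by the length of the salt alone, which is the point behind the
question about what limits the SSHA hash length. The verifier below bounds the
encoded length before decoding and checks the salt again afterwards. The salt bound
(MAX_SALT_LEN) is a policy value assumed for this example, not something the thread
or the SSHA format prescribes; make_ssha deliberately imposes no bound so it can
produce the oversized input the check is meant to reject.

```python
"""
Added example: a minimal {SSHA} parser/verifier that bounds the size of the
stored hash before doing any work on it.  This is illustrative code written
for this page, not the FreeRADIUS implementation.
"""
import base64
import binascii
import hashlib
import hmac
import os

SHA1_LEN = 20
# Assumption for this example: an upper bound on the salt we are willing to
# accept.  Typical deployments use salts of a few bytes to 16 bytes; the
# value is a local policy choice, not part of the {SSHA} format.
MAX_SALT_LEN = 64


def make_ssha(password: bytes, salt: bytes = b"") -> str:
    """Build an {SSHA} string: base64(SHA1(password || salt) || salt).

    No length check here on purpose, so the function can also generate the
    oversized stored values that parse_ssha must reject.
    """
    if not salt:
        salt = os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> tuple:
    """Decode an {SSHA} string into (digest, salt), rejecting oversized input."""
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        raise ValueError("not an {SSHA} hash")
    b64 = stored[len(prefix):]

    # Bound the work before decoding.  Base64 maps every 3 input bytes to
    # 4 characters, so the largest acceptable encoded length follows
    # directly from SHA1_LEN + MAX_SALT_LEN.
    max_b64 = ((SHA1_LEN + MAX_SALT_LEN) + 2) // 3 * 4
    if len(b64) > max_b64:
        raise ValueError("encoded SSHA hash too long")

    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 in SSHA hash") from exc

    if len(raw) < SHA1_LEN + 1:
        raise ValueError("SSHA hash too short: missing digest or salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    # Redundant with the encoded-length bound above; kept as a second,
    # explicit check on the decoded data.
    if len(salt) > MAX_SALT_LEN:
        raise ValueError("SSHA salt too long")
    return digest, salt


def ssha_accepted(stored: str) -> bool:
    """True if the stored value passes the format and length checks."""
    try:
        parse_ssha(stored)
        return True
    except ValueError:
        return False


def verify_ssha(password: bytes, stored: str) -> bool:
    """Constant-time comparison of the candidate password against stored."""
    digest, salt = parse_ssha(stored)
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed inputs for a quick run.
    good = make_ssha(b"correct horse", b"\x01\x02\x03\x04")
    huge = make_ssha(b"correct horse", b"A" * 4096)
    print("normal hash accepted:", ssha_accepted(good))
    print("password verifies:", verify_ssha(b"correct horse", good))
    print("4096-byte salt accepted:", ssha_accepted(huge))
```

Checking the encoded length first means a stored value with a multi-kilobyte salt
is refused before any decoding or hashing happens; a verifier that decodes into a
fixed-size buffer first has already done the dangerous part by the time it looks
at the salt length.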