freeradius denial of service in authentication flow

Florian Weimer fw at
Sun Feb 16 09:39:39 UTC 2014

* Alan DeKok:

> Florian Weimer wrote:
>> * Alan DeKok:
>>>   That's an issue, but a rare one IMHO.  The user has to exist on the
>>> system.  So this isn't a remote DoS.
>> Could you elaborate on this assessment?  Is this because typical data
>> sources for SSHA passwords limit the length of the salt and thus the
>> length of the SSHA hash?
>   Partly.  The typical use-case for a remote DoS is for an
> unauthenticated user to take down the system.  Here, the user has to be
> known, *and* be able to create a long SSHA password.
>   To me, this puts the issue into the category of "known users can do
> bad things", which is very different from "unknown users can do bad things".

Okay, fair enough.

As this is already public via


, I will request a CVE on oss-security.

More information about the freebsd-bugbusters mailing list
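The assessment above turns on how long a stored SSHA value can get: the salt is whatever the user store hands over, and the encoded hash grows with it. The following is an added example, not FreeRADIUS code or anything from this thread, showing the LDAP-style {SSHA} layout (base64 of SHA-1(password || salt) followed by the salt) and a decoder that bounds the salt before any comparison happens. MAX_SALT_LEN is an assumed policy bound, not a FreeRADIUS constant, and the sample password and salts are constructed here.

```python
"""Added illustrative example: bounded {SSHA} decoding and verification.
Not the project's code; MAX_SALT_LEN is an assumed limit chosen for this demo."""
import base64
import hashlib
import hmac
import math

PREFIX = "{SSHA}"
SHA1_LEN = 20
# Assumed bound: the largest salt we are willing to accept from a user store.
MAX_SALT_LEN = 64


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an LDAP-style {SSHA} string: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def max_encoded_len(max_salt_len: int) -> int:
    """Length of the base64 body (without the {SSHA} prefix) for a given salt bound.
    Useful for sizing a column or buffer so the store itself enforces the limit."""
    return 4 * math.ceil((SHA1_LEN + max_salt_len) / 3)


def decode_ssha(stored: str, max_salt_len: int = MAX_SALT_LEN):
    """Split a stored {SSHA} value into (digest, salt).

    Rejects malformed, truncated and overlong values up front, so a long
    salt never reaches the hashing/comparison step."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} hash")
    body = stored[len(PREFIX):]
    # Cheap length check on the encoded form before decoding at all.
    if len(body) > max_encoded_len(max_salt_len):
        raise ValueError("encoded hash longer than permitted by salt bound")
    # validate=True makes non-alphabet characters an error (binascii.Error,
    # a ValueError subclass) instead of being silently skipped.
    raw = base64.b64decode(body, validate=True)
    if len(raw) < SHA1_LEN:
        raise ValueError("decoded hash shorter than a SHA-1 digest")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(salt) > max_salt_len:
        raise ValueError(f"salt of {len(salt)} bytes exceeds bound {max_salt_len}")
    return digest, salt


def accepts(stored: str, max_salt_len: int = MAX_SALT_LEN) -> bool:
    """True if the stored value passes the structural and length checks."""
    try:
        decode_ssha(stored, max_salt_len)
        return True
    except ValueError:
        return False


def verify_ssha(password: bytes, stored: str, max_salt_len: int = MAX_SALT_LEN) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    digest, salt = decode_ssha(stored, max_salt_len)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


if __name__ == "__main__":
    # Constructed sample: an 8-byte salt, the size many user stores produce.
    good = make_ssha(b"hunter2", bytes(range(1, 9)))
    print(good, verify_ssha(b"hunter2", good), verify_ssha(b"wrong", good))
    # Constructed sample: a 4096-byte salt, the kind of value the bound rejects.
    oversized = make_ssha(b"hunter2", b"A" * 4096)
    print(len(oversized), accepts(oversized))
```

The encoded-length check runs before base64 decoding, so the decision to refuse an oversized value costs nothing proportional to its size; the salt-length check after decoding is the same rule applied to the decoded form, in case the two ever disagree.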