freeradius denial of service in authentication flow
fw at deneb.enyo.de
Sun Feb 16 09:39:39 UTC 2014
* Alan DeKok:
> Florian Weimer wrote:
>> * Alan DeKok:
>>> That's an issue, but a rare one IMHO. The user has to exist on the
>>> system. So this isn't a remote DoS.
>> Could you elaborate on this assessment? Is this because typical data
>> sources for SSHA passwords limit the length of the salt and thus the
>> length of the SSHA hash?
> Partly. The typical use-case for a remote DoS is for an
> unauthenticated user to take down the system. Here, the user has to be
> known, *and* be able to create a long SSHA password.
> To me, this puts the issue into the category of "known users can do
> bad things", which is very different from "unknown users can do bad things".
Okay, fair enough.
As this is already public via
, I will request a CVE on oss-security.
More information about the freebsd-bugbusters
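The exchange above turns on SSHA hashes whose salt (and therefore whose overall encoded length) is unusually long. As an added example, not code from the thread or from FreeRADIUS, here is a small parser for `{SSHA}` values that checks the decoded length and enforces a maximum salt length before any verification work is done; `MAX_SALT_LEN` is an assumed policy bound, not a value taken from the discussion.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20          # SSHA = SHA-1(password || salt) || salt
MAX_SALT_LEN = 64      # assumed policy bound; the thread gives no number


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an RFC-2307 style {SSHA} string for constructed test input."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str, max_salt_len: int = MAX_SALT_LEN):
    """Split a {SSHA} value into (digest, salt), rejecting malformed or
    oversized input before it reaches the password check."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an SSHA hash")
    raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(raw) < SHA1_LEN:
        raise ValueError("decoded value shorter than a SHA-1 digest")
    salt = raw[SHA1_LEN:]
    if len(salt) > max_salt_len:
        # A salt this long is outside what ordinary directory data produces;
        # refuse it instead of feeding it further down the auth path.
        raise ValueError("salt exceeds policy bound")
    return raw[:SHA1_LEN], salt


def verify_ssha(password: bytes, stored: str,
                max_salt_len: int = MAX_SALT_LEN) -> bool:
    """Return True only for a well-formed, in-bounds hash that matches."""
    try:
        digest, salt = parse_ssha(stored, max_salt_len)
    except ValueError:
        return False
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)
```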