Extreme Control CVE-2019-11234 / CVE-2019-11235 "Dragonblood" Vulnerability Analysis

Question
Is Extreme Control (NAC) vulnerable to the following two security vulnerabilities - CVE-2019-11234, CVE-2019-11235 - aka "Dragonblood"?
Environment
  • Extreme Control (NAC)
  • CVE-2019-11234
  • CVE-2019-11235
  • FreeRADIUS
  • EAP-PWD
Answer
Both CVE-2019-11234 and CVE-2019-11235 identify vulnerabilities in the EAP-PWD implementation of FreeRADIUS, a type of EAP service that Extreme Control does not support.

Nevertheless, the recommended code changes to remedy these vulnerabilities are included in Extreme Control 8.4.2 (and above).
Additional notes
CVE-2019-11234 @ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11234 / https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11234.html
Description
FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.


CVE-2019-11235 @ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11235 / https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11235.html
Description
FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.
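
The checks named in the two descriptions above (scalar range, point on curve, rejection of a reflected message), shown as an added example that is not FreeRADIUS or Extreme Control code. The curve is a constructed toy curve, the names `Curve`, `on_curve` and `check_commit` and all sample values are hypothetical, and treating a received pair identical to one's own as reflected is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Curve:
    p: int  # field prime
    a: int  # curve equation: y^2 = x^3 + a*x + b (mod p)
    b: int
    r: int  # order of the group generated by the base point

# Constructed toy curve for illustration only (far too small for real use).
TOY = Curve(p=17, a=2, b=2, r=19)

def on_curve(c, pt):
    """True if pt is an affine point that satisfies the curve equation."""
    if pt is None:  # point at infinity is never an acceptable element
        return False
    x, y = pt
    if not (0 <= x < c.p and 0 <= y < c.p):
        return False
    return (y * y - (x * x * x + c.a * x + c.b)) % c.p == 0

def check_commit(c, own, peer):
    """Validate a received (scalar, element) pair.

    Returns None when the pair is acceptable, otherwise the rejection reason.
    """
    scalar, element = peer
    if not (1 < scalar < c.r):
        return "scalar out of range"
    if not on_curve(c, element):
        return "element not on curve"
    if peer == own:  # assumption: our own values echoed back count as reflection
        return "reflected commit"
    return None

# Constructed sample values; OWN stands for the pair this side sent.
OWN = (7, (5, 1))
SAMPLES = {
    "valid": (11, (6, 3)),
    "scalar too small": (1, (6, 3)),
    "scalar equals order": (19, (6, 3)),
    "off-curve point": (11, (5, 2)),
    "point at infinity": (11, None),
    "reflected": OWN,
}

if __name__ == "__main__":
    for name, peer in SAMPLES.items():
        print(f"{name}: {check_commit(TOY, OWN, peer) or 'accepted'}")
```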
