openSSL heartbleed vulnerability - test with eapol_test?

Alan DeKok aland
Tue Apr 8 08:03:58 PDT 2014


Jouni Malinen wrote:
> A quick update on this.. I do have such a tool now, but I'm not planning
> on making it public today or for couple of days to give some more time
> for server side updates should any EAP server be vulnerable (it is way
> too easy to convert that tool to an attack tool over wireless..).

  Fixes have been pushed to the FreeRADIUS git repositories.  These
prevent the server from starting when using vulnerable OpenSSL
libraries, unless you set a configuration flag saying "I'm OK with this".

  From what I can tell, there's no other work-around.

  Some vendors distribute versions of FreeRADIUS which are 3-4 years out
of date.  I don't expect that they will patch or upgrade FreeRADIUS.
Instead, I expect them to patch OpenSSL.

> Anyway, it looks like misuse of OpenSSL APIs prevents most attack
> options for this case, so this may be somewhat less critical for EAP
> servers compared to other uses of TLS. I tested with couple RADIUS
> authentication servers and could not trigger the issue due to reasons
> that I confirmed to be because of incorrect OpenSSL API use..

  I'd like to know more.  Can you email me off-line?

>  (For
> completeness, I did fix one such case to verify that the test tool works
> and to confirm that this was indeed "safer" due to incorrect API use.).

  Nice.

  Alan DeKok.
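One way to implement the startup gate Alan describes, as an added example that is not FreeRADIUS or hostap code: parse the OpenSSL version banner, decide whether the library falls in the Heartbleed-affected range (1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release; 1.0.1g and later are fixed), and refuse to start unless the operator has explicitly opted in. The flag name `allow_vulnerable_openssl`, the sample version banners and the message wording are constructed for illustration.

```python
import re
import ssl

# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g) and the
# 1.0.2-beta1 pre-release.  The 0.9.8 and 1.0.0 lines never shipped the
# heartbeat extension and are not affected.
VERSION_RE = re.compile(
    r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)


def parse_version(banner):
    """Split an OpenSSL banner such as 'OpenSSL 1.0.1e 11 Feb 2013' into
    (major, minor, patch, letter_suffix, beta_number_or_None)."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {banner!r}")
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter.lower(),
            int(beta) if beta else None)


def is_heartbleed_vulnerable(banner):
    major, minor, patch, letter, beta = parse_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # Plain "1.0.1" (empty suffix) through "1.0.1f" are affected;
        # "1.0.1g" and later carry the fix.  Single-letter suffixes compare
        # correctly as strings, and "" sorts before "g".
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        # Only the 1.0.2-beta1 pre-release shipped the bug.
        return beta == 1
    return False


def startup_check(banner, allow_vulnerable_openssl=False):
    """Mirror the behaviour described in the thread: refuse to start on a
    vulnerable library unless the operator sets an explicit override flag.
    Returns (may_start, message)."""
    version = banner.strip()
    if not is_heartbleed_vulnerable(version):
        return (True, f"OK: {version} is not affected by Heartbleed")
    if allow_vulnerable_openssl:
        return (True, f"WARNING: starting with vulnerable {version} because "
                      f"allow_vulnerable_openssl is set")
    return (False, f"REFUSING TO START: {version} is vulnerable to Heartbleed; "
                   f"upgrade OpenSSL to 1.0.1g or later, or set "
                   f"allow_vulnerable_openssl = yes to override")


def check_running_library(allow_vulnerable_openssl=False):
    """Apply the same gate to the OpenSSL that this interpreter is linked
    against.  Fails closed if the banner cannot be parsed (e.g. LibreSSL)."""
    try:
        return startup_check(ssl.OPENSSL_VERSION, allow_vulnerable_openssl)
    except ValueError as err:
        return (False, f"REFUSING TO START: {err}")


if __name__ == "__main__":
    # Constructed sample banners covering the affected and unaffected ranges.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013"):
        print(startup_check(sample)[1])
    print(check_running_library()[1])
```

The check deliberately fails closed: an unparseable banner is treated like a vulnerable one, so a misconfigured or unexpected library build still requires an explicit decision from the operator rather than silently starting.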
