CVE-2022-41859: 
NixOS vulnerability analysis and mitigation

CVE-2022-41859 affects the FreeRADIUS server, specifically the EAP-PWD function computepasswordelement(). The vulnerability was discovered by Mohamed Sabt and his team at the University of Rennes and was disclosed in April 2022. The issue allows an attacker to obtain information about passwords, which can be used to significantly reduce the complexity of offline dictionary attacks (FreeRADIUS Security).

The vulnerability exists in the computepasswordelement() function within the EAP-PWD module, which leaks information about the password through side-channel information. This information leakage allows attackers to substantially reduce the size of an offline dictionary attack. Similar vulnerabilities were also identified and fixed in other implementations like hostapd and iwd. The issue was addressed in commit 9e5e8f2f of the FreeRADIUS server repository (GitHub Commit).

The vulnerability enables attackers to perform more efficient offline dictionary attacks against passwords by leveraging the leaked information from the EAP-PWD function. This significantly reduces the computational resources needed to crack passwords, making password compromise more feasible (NVD).

The vulnerability was fixed in the FreeRADIUS server through commit 9e5e8f2f. Organizations should update to a patched version of FreeRADIUS. For Debian systems, fixed versions are available in bookworm (3.2.1+dfsg-4+deb12u1) and later releases (Debian Security).