[RADIATOR] OSC Security advisory OSC-SEC-2014-01: Vulnerability in OSC Radiator EAP authentication could allow unauthenticated access

2014-12-04 Thread Heikki Vatiainen
For HTML version, please see:
https://www.open.com.au/OSC-SEC-2014-01.html

Open System Consultants (OSC)
Security Advisory OSC-SEC-2014-01
Vulnerability in OSC Radiator EAP authentication could allow unauthenticated access

Published: December 3, 2014 10:00 am UTC | Updated December 4, 2014 8:00 am UTC

Summary
A bug exists in Radiator Extended Authentication Protocol (EAP)
implementation where a malicious client could bypass EAP method
restrictions. A vulnerability caused by this bug was discovered in
recent Radiator releases and requires urgent attention.

This EAP bug together with an EAP method released in Radiator 4.10
create a vulnerability which could allow a malicious EAP client to
gain unauthorised access from Radiator. A successful exploitation
requires specially crafted EAP client software.

The bug and the vulnerability were discovered by OSC's development
team. OSC is not aware of public use of this vulnerability.


Affected Radiator versions
1. The vulnerability affects Radiator versions 4.9 + patches, 4.10 and up to 4.13.
2. The EAP bug affects all Radiator versions up to 4.13.


Affected Radiator configurations
The EAP bug affects Radiator configurations which authenticate EAP
messages. If your Radiator does not receive EAP messages, it is not
affected.

Radiator installations proxying EAP messages are not affected if they
do not also authenticate EAP messages.


Recommended action
OSC recommends upgrading to Radiator 4.14. If you cannot upgrade at
this time, install the backport to fix the EAP bug.


* Download and upgrade to Radiator 4.14, or
* Download Radiator 4.14, unpack the distribution package and install the backport from the goodies/Radiator-4.14-EAP-backport/ directory. OSC has created backports with release notes for previous Radiator releases.
* Restart Radiator after the upgrade or backport installation.


Mitigation of the vulnerability
If your Radiator version is vulnerable and you cannot upgrade or apply
backports at this time, OSC recommends removing the EAP method
released with Radiator 4.10 to remove the known vulnerability.

* If you run Radiator release 4.9 with patches, 4.10 or later up to 4.13, locate any instances of a file named EAP_16776957_4244372217.pm and remove them.
* This file can be safely removed, since it is not needed in a production environment.
* Restart Radiator when you have removed the files.


Questions and Answers
What might an attacker use this vulnerability to do?
An attacker could gain access to an authenticated resource without
valid credentials. The authentication method must be based on the EAP
protocol. Common examples are Wi-Fi networks with WPA-Enterprise and
WPA2-Enterprise authentication.


What is required to exploit this vulnerability?
The attacker needs to develop a custom EAP supplicant (client
software) to send specially crafted EAP messages.


What is the difference between the vulnerability and the EAP bug?
The EAP method restriction bypass is a bug which may cause further
vulnerabilities if left unfixed. OSC strongly recommends upgrading to
Radiator 4.14 or installing a backport included in the Radiator 4.14
distribution package to fix the bug.

The EAP bug together with the test EAP method introduced in Radiator
4.9 + patches create the vulnerability which could be used to gain
unauthorised access. OSC considers this as a vulnerability which
requires urgent attention.


-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
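As an added example, not part of the advisory and not OSC's own tooling: a Perl script that carries out the mitigation's "locate and remove" step for the file named above. It assumes Radiator's modules live somewhere on Perl's library path (@INC), which is an assumption about the installation layout; further directories (for example an unpacked distribution tree) can be passed as arguments. By default it only reports what it finds and exits non-zero, so it doubles as a check; it deletes only when run with --remove.

```perl
#!/usr/bin/perl
# Added example, not OSC code: locate (and with --remove, delete) the test EAP
# method module named in OSC-SEC-2014-01. Default search roots are the Perl
# library path (@INC), where Radiator's Radius/ modules are installed (an
# assumption about the installation layout); extra roots, such as an unpacked
# distribution tree, can be given as arguments.
use strict;
use warnings;
use File::Find;
use File::Basename qw(basename);
use Getopt::Long;

my $MODULE = 'EAP_16776957_4244372217.pm';   # file name from the advisory

my $remove = 0;
GetOptions('remove' => \$remove)
    or die "Usage: $0 [--remove] [directory ...]\n";

# Search roots: arguments first, then @INC; keep only existing directories
# and drop duplicates so nothing is reported twice.
my %seen_root;
my @roots = grep { -d $_ && !$seen_root{$_}++ } (@ARGV, @INC);
die "No search directories found\n" unless @roots;

# Collect every regular file carrying the vulnerable module's name. Nested
# roots (e.g. a site_perl directory under a perl5 directory) would otherwise
# yield the same path twice, hence the %seen filter.
my (%seen, @found);
find({
    no_chdir => 1,
    wanted   => sub {
        return unless -f $_ && basename($_) eq $MODULE;
        push @found, $_ unless $seen{$_}++;
    },
}, @roots);

if (!@found) {
    print "No $MODULE found under: @roots\n";
    exit 0;
}

for my $path (@found) {
    if ($remove) {
        unlink $path or die "Cannot remove $path: $!\n";
        print "Removed $path\n";
    } else {
        print "Found $path (run again with --remove to delete it)\n";
    }
}

# The advisory's last step: a running server keeps already-loaded modules
# until it is restarted.
print "Restart Radiator now so the removal takes effect.\n" if $remove;

# Non-zero exit while vulnerable files remain, so the script works as a check.
exit($remove ? 0 : 1);
```

Run it as the user that owns the Radiator installation; a plain run lists any copies found, and a second run with --remove deletes them, after which Radiator must be restarted as the advisory says.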


[RADIATOR] Radiator Version 4.14 released - includes a fix for EAP authentication vulnerability

2014-12-04 Thread Heikki Vatiainen
We are pleased to announce the release of Radiator version 4.14

This version contains a fix for an EAP authentication vulnerability. 
Upgrade is strongly recommended. Please review OSC security advisory 
OSC-SEC-2014-01 for more information:
https://www.open.com.au/OSC-SEC-2014-01.html

As usual, the new version is available to current licensees from:
https://www.open.com.au/radiator/downloads/

and to current evaluators from:
https://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

-

Revision 4.14 (2014-12-03)

 Selected fixes, compatibility notes and enhancements

Fixes a vulnerability and very significant bug in EAP authentication.
OSC recommends all users to review OSC security advisory
OSC-SEC-2014-01 to see if they are affected.
https://www.open.com.au/OSC-SEC-2014-01.html

Client findAddress() was changed to look up CIDR clients before DEFAULT
client. Affects ServerTACACSPLUS and in some cases SessionDatabase
modules.

Added support for non-blocking sockets on Windows

SessionDatabase SQL queries now support bind variables



 Detailed changes

Added VENDOR Allot 2603 and VSA Allot-User-Role to dictionary.

Added Diameter AVP flag hints in the Diameter Credit-Control
Application dictionary.

Prevented crash during startup when configured to support a Diameter
application for which no dictionary module was present. Reported
by Arthur. Improved logging of loading of Diameter application
dictionary modules.

Improvements to AuthBy SIP2 to add support for SIP2Hook. SIP2Hook can
be used for patron authorisation and/or authentication. Added an
example hook goodies/sip2hook.pl. Added a new optional parameter
UsePatronInformationRequest for configurations in which Patron Status
Request is not sufficient.

Fixed a problem with SNMPAgent which could cause a crash if the
configuration had no Clients.

Stream and StreamServer sockets are now set to nonblocking mode on
Windows too. This allows for example, RadSec to use nonblocking
sockets on Windows.

radpwtst now honours -message_authenticator option for all request
types specified with the -code parameter.

Client.pm findAddress() was changed to look up CIDR clients before
DEFAULT client. This is the same order Client lookup for incoming
RADIUS requests uses. This affects mostly
ServerTACACSPLUS. SessionDatabase DBM, INTERNAL and SQL also use
findAddress() and are affected when Clients have NasType configured
for Simultaneous-Use online checking. Client lookup was simplified in
ServerTACACSPLUS.

Added VENDOR Cambium 17713 and four Cambium-Canopy VSAs to
dictionary. "RADIUS Attributes for IEEE 802 Networks" is now RFC
7268. Updated some of its attribute types.

AuthBy MULTICAST now checks first, not after, if the next hop host is
working before creating the request to forward. This will save cycles
when the next hop is not working.

Added VENDOR Apcon 10830 and VSA Apcon-User-Level to
dictionary. Contributed by Jason Griffith.

Added support for custom password hashes and other user defined
password check methods. When the new configuration parameter
CheckPasswordHook is defined for an AuthBy and the password retrieved
from the user database starts with leading '{OSC-pw-hook}', the
request, the submitted password and the retrieved password are passed
to the CheckPasswordHook. The hook must return true if the submitted
password is deemed correct. TranslatePasswordHook runs before
CheckPasswordHook and can be used to add '{OSC-pw-hook}' to the
retrieved passwords.

AuthLog SYSLOG and Log SYSLOG now check LogOpt during the
configuration check phase. Any problems are now logged with the
logger's Identifier.

The defaults for SessionDatabase SQL AddQuery and CountQuery now use
%0 where username is needed. Updated the documentation to clarify the
value of %0 for AddQuery, CountQuery, ReplaceQuery, UpdateQuery and
DeleteQuery: %0 is the quoted original username. However, if
SessionDatabaseUseRewrittenName is set for the Handler and the check
is done by Handler (MaxSessions) or AuthBy (DefaultSimultaneousUse),
then %0 is the rewritten username. For per-user session database
queries %0 is always the original username. Updated the documentation
for CountQuery to include %0 and %1. For CountQuery %1 is the value of
the simultaneous use limit.

Enhanced resolution of vendor names to Vendor-Id values for
SupportedVendorIds, VendorAuthApplicationIds and
VendorAcctApplicationIds. Keyword DictVendors for SupportedVendorIds
now includes vendors from all dictionaries that are loaded. Vendor
name in Vendor*ApplicationIds can be in any of the loaded dictionaries
in addition to being listed in DiaMsg module.

Added VENDOR InMon 4300 and VSA InMon-Access-Level to
dictionary. Contributed by Garry Shtern.

Added ReplyTimeoutHook to AuthBy RADIUS, called if no reply is hear
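As an added example of the CheckPasswordHook feature described in the 4.14 notes above (this is not Radiator's own code and not taken from the release notes): a hook that verifies salted SHA-256 password hashes stored in the user database. The argument order (request, submitted password, retrieved password) and the '{OSC-pw-hook}' prefix follow the release notes; the storage layout `{OSC-pw-hook}sha256$<salt>$<hexdigest>` is constructed for this example, and the $p request object in the stand-alone run is a placeholder. Wiring the hook into an AuthBy clause with Radiator's usual `CheckPasswordHook file:"..."` hook syntax is assumed here, not stated on the page.

```perl
#!/usr/bin/perl
# Added example, not Radiator's own code: a CheckPasswordHook that verifies
# salted SHA-256 passwords. Radiator calls the hook with the request, the
# password the user submitted and the password retrieved from the user
# database (that order per the 4.14 release notes) when the retrieved value
# starts with '{OSC-pw-hook}'; the hook returns true if the password matches.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Prefix that makes Radiator hand the check to this hook.
my $PREFIX = '{OSC-pw-hook}';

# Constructed storage layout for this example (an assumption, not an OSC format):
#   {OSC-pw-hook}sha256$<salt>$<hex of sha256(salt . password)>

# Constant-time comparison so a mismatch is not revealed by how long it takes.
sub eq_ct {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Build the value to store for a cleartext password when provisioning a user.
sub make_stored {
    my ($password, $salt) = @_;
    return $PREFIX . join('$', 'sha256', $salt, sha256_hex($salt . $password));
}

# The hook. In a Radiator configuration this sub body would be the contents of
# the file named by CheckPasswordHook file:"..." (assumed wiring). $p is the
# request object, unused here but available for per-request decisions.
my $check_password_hook = sub {
    my ($p, $submitted, $retrieved) = @_;
    return 0 unless defined $submitted && defined $retrieved;
    return 0 unless rindex($retrieved, $PREFIX, 0) == 0;      # prefix must be present
    my ($scheme, $salt, $digest) =
        split /\$/, substr($retrieved, length $PREFIX), 3;
    return 0 unless defined $digest && $scheme eq 'sha256';   # malformed record
    return eq_ct(sha256_hex($salt . $submitted), $digest) ? 1 : 0;
};

# Stand-alone run with constructed values; no Radiator needed.
unless (caller) {
    my $stored = make_stored('correct horse', 'a1b2c3');   # constructed sample
    my $p = {};                                            # placeholder request
    print "stored value: $stored\n";
    for my $case (['correct horse', $stored],
                  ['wrong password', $stored],
                  ['correct horse', substr($stored, length $PREFIX)]) {
        my ($pw, $db) = @$case;
        printf "%-30s -> %s\n", "'$pw' vs '" . substr($db, 0, 24) . "...'",
            $check_password_hook->($p, $pw, $db) ? 'accepted' : 'rejected';
    }
}
```

The third case shows why the prefix matters: without '{OSC-pw-hook}' Radiator would not route the record to the hook at all, and the hook itself also refuses it, so a database entry that lost its prefix fails closed rather than being compared as cleartext. TranslatePasswordHook, which the notes say runs first, is the place to add the prefix to existing records.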