The following bug has been logged online:

Bug reference:      5687
Logged by:          Alan DeKok
Email address:      al...@freeradius.org
PostgreSQL version: 9.0.0
Operating system:   All
Description:        RADIUS Authentication issues
Details:

CheckRADIUSAuth() in src/backend/libpq/auth.c is subject to spoofing attacks
which can force all RADIUS authentications to fail.

The current code does (at a high level)

    read packet
    close socket
    if (!verify packet)
        return STATUS_ERROR
    if (success)
        return STATUS_OK
    return STATUS_ERROR

The source IP/port/RADIUS ID && authentication vector fields are checked
*after* the socket is closed. This allows an attacker to "race" the RADIUS
server, and spoof the response, forcing PostgreSQL to treat the
authentication as failed.

The code should instead do something like:

    do {
        read packet
    } while (! verify_packet);
    close socket
    if (success)
        return STATUS_OK
    return STATUS_ERROR

The "verify packet" code could be moved to a separate function for this
purpose. For similar code, see the rad_verify() function in:

http://github.com/alandekok/freeradius-server/blob/v2.1.x/src/lib/radius.c
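
The two control flows from the report, as an added example that is not part of the original report and is not PostgreSQL or FreeRADIUS code. It is a Python model rather than C: the datagram list stands in for reads from the socket, the Response Authenticator check follows RFC 2865 (MD5 over code, ID, length, Request Authenticator, attributes and shared secret), and all function names, addresses and the secret are constructed for illustration.

```python
import hashlib, hmac, struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

def build_response(code, ident, req_auth, secret, attrs=b""):
    """Reply as a RADIUS server holding the shared secret would build it."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def verify_packet(src, data, server, ident, req_auth, secret):
    """True only for a reply from `server` that matches our outstanding request."""
    if src != server or len(data) < 20:
        return False                       # wrong source IP/port or short packet
    _code, rid, length = struct.unpack("!BBH", data[:4])
    if rid != ident or length < 20 or length > len(data):
        return False                       # wrong RADIUS ID or bad length field
    data = data[:length]                   # bytes past the length field are padding
    want = hashlib.md5(data[:4] + req_auth + data[20:] + secret).digest()
    return hmac.compare_digest(want, data[4:20])

def check_first_packet(datagrams, **req):
    """Flow described in the report: a single read, verified after the fact."""
    src, data = datagrams[0]
    if not verify_packet(src, data, **req):
        return "STATUS_ERROR"              # any bogus datagram fails the login
    return "STATUS_OK" if data[0] == ACCESS_ACCEPT else "STATUS_ERROR"

def check_until_verified(datagrams, **req):
    """Suggested flow: drop datagrams that fail verification and keep reading."""
    for src, data in datagrams:            # stands in for recvfrom() until a deadline
        if verify_packet(src, data, **req):
            return "STATUS_OK" if data[0] == ACCESS_ACCEPT else "STATUS_ERROR"
    return "STATUS_ERROR"                  # deadline passed with no valid reply

# Constructed sample input: a forged reject arrives before the genuine accept.
REQ = dict(server=("192.0.2.10", 1812), ident=7,
           req_auth=bytes(range(16)), secret=b"constructed-secret")
GENUINE = build_response(ACCESS_ACCEPT, 7, REQ["req_auth"], REQ["secret"])
FORGED = struct.pack("!BBH", ACCESS_REJECT, 7, 20) + b"\x00" * 16  # no secret
QUEUE = [(REQ["server"], FORGED), (REQ["server"], GENUINE)]

if __name__ == "__main__":
    print("single read:    ", check_first_packet(QUEUE, **REQ))
    print("read until valid:", check_until_verified(QUEUE, **REQ))
```

In a socket-based version the loop needs an overall deadline that is not reset by each discarded datagram, otherwise a steady stream of invalid packets keeps the wait alive indefinitely.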