(RADIATOR) radius vulnerabilities and radiator specific response
Mike McCauley
mikem at open.com.au
Tue May 31 17:20:44 CDT 2005
Hello Stephane,
On Wednesday 01 June 2005 01:34, DELORT Stephane wrote:
> Hello,
>
> I was glad to see that Radiator does not have any flaws logged by the CERT
> : http://www.cert.org/advisories/CA-2002-06.html
No, Radiator does not have any code derived from the old freeware Radius
servers, and in any case, Perl does not suffer from these types of C-based
buffer overflow problems.
>
> Anyway, I saw on [1] that the RADIUS protocol still has vulnerabilities
> such as :
>
> 1 Response Authenticator Based Shared Secret Attack
> 2 User-Password Attribute Cipher Design Comments
> 3 User-Password Attribute Based Shared Secret Attack
> 4 User-Password Based Password Attack
> 5 Request Authenticator Based Attacks
>   - Passive User-Password Compromise Through Repeated Request Authenticators
>   - Active User-Password Compromise through Repeated Request Authenticators
>   - Replay of Server Responses through Repeated Request Authenticators
>   - DOS Arising from the Prediction of the Request Authenticator
> 6 Shared Secret Hygiene
>
> I also noticed that using PEAP and MSCHAPv2 secures the
> request/[access|reject] exchanges and makes some attacks more difficult or
> impossible (since a quantum processor is not yet released). I am well aware
> that the website from which I picked up this information had been last
> updated in 2001. Moreover some 'tricks' might require time and expertise
> before leading an attack to success. But anyway, can anyone tell me if
> these vulnerabilities are still open and more accurately with Radiator?
These vulnerabilities are inherent in the Radius protocol, which was poorly
designed from a security point of view. To the list should be added 'password
dictionary attacks using Cisco LEAP'.
Radiator offers an easy way to mitigate or eliminate most of these
vulnerabilities when proxying between radius servers, by using the RadSec
protocol to carry Radius across encrypted and mutually authenticated TCP or
SCTP transports, see http://www.open.com.au/radiator/radsec-whitepaper.pdf
>
>
> Kind regards,
> Stéphane
>
>
> [1] http://www.untruth.org/~josh/security/radius/radius-auth.html
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
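
A defender-side check for item 5 of the quoted list (repeated Request Authenticators), added here as an example; it is not part of the original message and not Radiator code. It parses the fixed RFC 2865 header of captured Access-Request datagrams and reports clients that send one Request Authenticator under more than one Identifier. The function names and sample traffic are constructed for illustration.

```python
import struct
from collections import defaultdict

ACCESS_REQUEST = 1                 # RADIUS Code for Access-Request (RFC 2865)
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def parse_header(datagram: bytes):
    """Return (code, identifier, authenticator) or None if malformed."""
    if len(datagram) < HEADER.size:
        return None
    code, ident, length, auth = HEADER.unpack_from(datagram)
    # RFC 2865: Length is 20..4096 octets; a datagram shorter than its
    # Length field is discarded, trailing octets beyond it are padding.
    if not 20 <= length <= 4096 or length > len(datagram):
        return None
    return code, ident, auth


def find_reused_authenticators(packets):
    """packets: iterable of (client_ip, datagram) pairs.

    Returns {(client_ip, authenticator_hex): [identifiers]} for each Request
    Authenticator a client sent under more than one Identifier. A repeat with
    the same Identifier is treated as a retransmission and not reported.
    """
    ids = defaultdict(set)
    for client_ip, datagram in packets:
        parsed = parse_header(datagram)
        if parsed is None or parsed[0] != ACCESS_REQUEST:
            continue
        _, ident, auth = parsed
        ids[(client_ip, auth.hex())].add(ident)
    return {key: sorted(v) for key, v in ids.items() if len(v) > 1}


def build_request(ident: int, auth: bytes) -> bytes:
    """Constructed sample: header-only Access-Request with no attributes."""
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size, auth)


# Constructed sample traffic (documentation addresses, made-up authenticators).
SAMPLE = [
    ("192.0.2.10", build_request(1, bytes(range(16)))),
    ("192.0.2.10", build_request(2, bytes(range(16)))),      # reuse, new Identifier
    ("192.0.2.20", build_request(7, bytes(range(16, 32)))),
    ("192.0.2.20", build_request(7, bytes(range(16, 32)))),  # retransmission
    ("192.0.2.20", b"\x01\x02\x00"),                         # truncated, ignored
]

if __name__ == "__main__":
    for (ip, auth), idents in find_reused_authenticators(SAMPLE).items():
        print(f"{ip} reused Request Authenticator {auth} with Identifiers {idents}")
```
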