(RADIATOR) radius vulnerabilities and radiator specific response

Mike McCauley mikem at open.com.au
Tue May 31 17:20:44 CDT 2005


Hello Stephane,


On Wednesday 01 June 2005 01:34, DELORT Stephane wrote:
> Hello,
>
> I was glad to see that Radiator does not have any flaws logged by the CERT
> : http://www.cert.org/advisories/CA-2002-06.html
No, Radiator does not have any code derived from the old freeware Radius 
servers, and in any case, Perl does not suffer from these types of C-based 
buffer overflow problems.


>
> Anyway, I saw on  [1] that the RADIUS protocol still has vulnerabilities
> such as :
>
> 1 Response Authenticator Based Shared Secret Attack
> 2 User-Password Attribute Cipher Design Comments
> 3 User-Password Attribute Based Shared Secret Attack
> 4 User-Password Based Password Attack
> 5 Request Authenticator Based Attacks
>   - Passive User-Password Compromise Through Repeated Request Authenticators
>   - Active User-Password Compromise through Repeated Request Authenticators
>   - Replay of Server Responses through Repeated Request Authenticators
>   - DOS Arising from the Prediction of the Request Authenticator
> 6 Shared Secret Hygiene
>
> I also noticed that using PEAP and MSCHAPv2 secures the
> request/[access|reject] exchanges and makes some attacks more difficult or
> impossible (since a quantum processor is not yet released). I am well aware
> that the website from which I picked up this information had been last
> updated in 2001. Moreover some 'tricks' might require time and expertise
> before leading an attack to success. But anyway, can anyone tell me if
> these vulnerabilities are still open, and more accurately with Radiator?

These vulnerabilities are inherent in the Radius protocol, which was poorly 
designed from a security point of view. To the list should be added 'password 
dictionary attacks using Cisco LEAP'.

Radiator offers an easy way to mitigate or eliminate most of these 
vulnerabilities when proxying between radius servers, by using the RadSec 
protocol to carry Radius across encrypted and mutually authenticated TCP or 
SCTP transports, see http://www.open.com.au/radiator/radsec-whitepaper.pdf


>
>
> Kind regards,
> Stéphane
>
>
> [1] http://www.untruth.org/~josh/security/radius/radius-auth.html

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
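
Item 5 of the quoted list concerns repeated Request Authenticators. The following is an added example, not part of the original thread and not Radiator code: it implements the User-Password hiding from RFC 2865 section 5.2, where the keystream depends only on the shared secret and the Request Authenticator, and a check that flags clients whose Access-Requests reuse an authenticator. The shared secret, client addresses and packets are constructed sample values.

```python
import hashlib
import os
import struct
from collections import Counter

ACCESS_REQUEST = 1  # RADIUS packet code, RFC 2865 section 3

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding as specified in RFC 2865 section 5.2."""
    if len(request_auth) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        # Keystream block = MD5(secret + previous ciphertext block, or the authenticator first).
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden

def build_access_request(ident: int, request_auth: bytes, hidden_pw: bytes) -> bytes:
    """Minimal Access-Request carrying only a User-Password attribute (type 2)."""
    attr = struct.pack("!BB", 2, 2 + len(hidden_pw)) + hidden_pw
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(attr), request_auth) + attr

def repeated_request_authenticators(packets):
    """Map (client, authenticator) -> count for authenticators seen in more than one Access-Request."""
    seen = Counter()
    for client, raw in packets:
        if len(raw) < 20:
            continue  # shorter than a RADIUS header
        code, _ident, length, auth = struct.unpack("!BBH16s", raw[:20])
        if code == ACCESS_REQUEST and 20 <= length <= len(raw):
            seen[(client, auth)] += 1
    return {key: n for key, n in seen.items() if n > 1}

# Constructed sample traffic: one client with a fixed authenticator, one using os.urandom.
SECRET = b"constructed-shared-secret"
FIXED_RA = bytes(16)
SAMPLE = [("192.0.2.10", build_access_request(i, FIXED_RA, hide_user_password(pw, SECRET, FIXED_RA)))
          for i, pw in enumerate([b"alpha-pass", b"bravo-pass"])]
SAMPLE += [("192.0.2.20", build_access_request(i, ra, hide_user_password(b"alpha-pass", SECRET, ra)))
           for i, ra in enumerate([os.urandom(16), os.urandom(16)])]

if __name__ == "__main__":
    for (client, auth), n in repeated_request_authenticators(SAMPLE).items():
        print(f"{client}: Request Authenticator {auth.hex()} seen {n} times")
```

A client flagged by this check is sending hidden passwords under the same keystream, which is the condition the "Repeated Request Authenticators" items describe.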
