[RADIATOR] OSC Security advisory OSC-SEC-2014-01: Vulnerability in OSC Radiator EAP authentication could allow unauthenticated access

[Heikki Vatiainen]

For HTML version, please see:
https://www.open.com.au/OSC-SEC-2014-01.html

Open System Consultants (OSC)
Security Advisory OSC-SEC-2014-01
Vulnerability in OSC Radiator EAP authentication could allow 
unauthenticated access

Published: December 3, 2014 10:00 am UTC | Updated December 4, 2014 8:00 
am UTC

Summary
++++++
A bug exists in Radiator Extended Authentication Protocol (EAP)
implementation where a malicious client could bypass EAP method
restrictions. A vulnerability caused by this bug was discovered in
recent Radiator releases and requires urgent attention.

This EAP bug together with an EAP method released in Radiator 4.10
create a vulnerability which could allow a malicious EAP client to
gain unauthorised access from Radiator. A successful exploitation
requires specially crafted EAP client software.

The bug and the vulnerability were discovered by OSC's development
team. OSC is not aware of public use of this vulnerability.


Affected Radiator versions
+++++++++++++++++
1. The vulnerability affects Radiator versions 4.9 + patches, 4.10 and 
up to 4.13.
2. The EAP bug affects all Radiator versions up to 4.13.


Affected Radiator configurations
+++++++++++++++++++++
The EAP bug affects Radiator configurations which authenticate EAP
messages. If your Radiator does not receive EAP messages, it is not
affected.

Radiator installations proxying EAP messages are not affected if they
do not also authenticate EAP messages.


Recommended action
++++++++++++++
OSC recommends upgrading to Radiator 4.14. If you cannot upgrade at
this time, install backport to fix the EAP bug.


* Download and upgrade to Radiator 4.14, or
* Download Radiator 4.14, unpack the distribution package and install 
backport from goodies/Radiator-4.14-EAP-backport/ directory. OSC has 
created backports with release notes for previous Radiator releases
* Restart Radiator after the upgrade or backport installation


Mitigation of the vulnerability
+++++++++++++++++++
If your Radiator version is vulnerable and you cannot upgrade or apply
backports at this time, OSC recommends removing the EAP method
released with Radiator 4.10 to remove the known vulnerability

* If you run Radiator release 4.9 with patches, 4.10 or later up to 
4.13, locate any instances of a file named EAP_16776957_4244372217.pm 
and remove them.
* This file can be safely removed, since it is not needed in production 
environment
* Restart Radiator when you have removed the files.


Questions and Answers
+++++++++++++++
What might an attacker use this vulnerability to do?
An attacker could gain access to an authenticated resource without
valid credentials. The authentication method must be based on the EAP
protocol. Common examples are Wi-Fi networks with WPA-Enterprise and
WPA2-Enterprise authentication.


What is required to exploit this vulnerability?
The attacker needs to develop a custom EAP supplicant (client
software) to send specially crafted EAP messages.


What is the difference between the vulnerability and the EAP bug?
The EAP method restriction bypass is a bug which may cause further
vulnerabilities if left unfixed. OSC strongly recommends upgrading to
Radiator 4.14 or installing a backport included in the Radiator 4.14
distribution package to fix the bug.

The EAP bug together with the test EAP method introduced in Radiator
4.9 + patches create the vulnerability which could be used to gain
unauthorised access. OSC considers this as a vulnerability which
requires urgent attention.


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.