FreeRADIUS Bypass Flaw Patched

Tuesday, May 30, 2017 @ 06:05 PM gHale

A FreeRADIUS update released Friday patches an authentication bypass vulnerability.

Developers have known about the flaw for months, but their previous fix turned out to be incomplete.


FreeRADIUS is an open source implementation of RADIUS (Remote Authentication Dial-In User Service), a networking protocol for user authentication, authorization and accounting.

FreeRADIUS is used by multiple Fortune 500 companies and ISPs.

The security hole, tracked as CVE-2017-9148, was independently discovered by Stefan Winter of the RESTENA Foundation and Lubos Pavlicek of the University of Economics in Prague. Pavel Kankovsky noticed the initial patch was incomplete.

The researchers found the FreeRADIUS server could be convinced to allow a TLS session to resume before inner authentication had completed.

“The implementation of TTLS and PEAP in FreeRADIUS skips inner authentication when it handles a resumed TLS connection. This is a feature but there is a critical catch: The server must never allow resumption of a TLS session until its initial connection gets to the point where inner authentication has been finished successfully,” Kankovsky said in an advisory.

“Unfortunately, affected versions of FreeRADIUS fail to reliably prevent resumption of unauthenticated sessions unless the TLS session cache is disabled completely and allow an attacker (e.g. a malicious supplicant) to elicit EAP Success without sending any valid credentials,” he said.

Johannes Ullrich, dean of research at the SANS Technology Institute, said an attacker can exploit the vulnerability to authenticate to a FreeRADIUS server without valid credentials by connecting to the server, suspending the session, and then resuming it.
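The flow Kankovsky and Ullrich describe, modelled as an added example (this is illustration code written for this article, not FreeRADIUS source): a toy EAP-TTLS/PEAP server with an in-memory TLS session cache under three policies. Caching the session as soon as the outer handshake finishes reproduces the flaw; caching only after inner authentication succeeds is the corrected rule; disabling the cache is the published workaround. The user database, session ids and "EAP-Success"/"EAP-Failure" strings are constructed for the example.

```python
"""Toy model of TLS session resumption in an EAP-TTLS/PEAP server.

Added illustration, not FreeRADIUS code.  Three cache policies:
  CACHE_ON_HANDSHAKE     - session is resumable as soon as the outer TLS
                           handshake completes (the flawed behaviour)
  CACHE_AFTER_INNER_AUTH - session is resumable only after inner
                           authentication succeeded (the corrected rule)
  CACHE_DISABLED         - no resumption at all (the published workaround)
"""
import secrets
from enum import Enum

# Constructed sample user database for the inner (tunneled) authentication
VALID_CREDS = {"alice": "correct horse battery staple"}


class CachePolicy(Enum):
    CACHE_ON_HANDSHAKE = 1
    CACHE_AFTER_INNER_AUTH = 2
    CACHE_DISABLED = 3


class EapTlsServer:
    def __init__(self, policy):
        self.policy = policy
        # session_id -> True once the session may be resumed
        self.cache = {}

    def outer_handshake(self):
        """Complete the outer TLS handshake (TTLS/PEAP need no client
        certificate, so anyone can get this far) and return a session id."""
        sid = secrets.token_hex(16)
        if self.policy is CachePolicy.CACHE_ON_HANDSHAKE:
            # Flaw: the session is resumable before anyone proved who they are
            self.cache[sid] = True
        return sid

    def inner_auth(self, sid, user, password):
        """Inner authentication over the tunnel.  Returns the EAP result."""
        if VALID_CREDS.get(user) != password:
            # A failed inner auth must not leave a resumable entry behind
            self.cache.pop(sid, None)
            return "EAP-Failure"
        if self.policy is CachePolicy.CACHE_AFTER_INNER_AUTH:
            # Corrected rule: only a fully authenticated session is cached
            self.cache[sid] = True
        return "EAP-Success"

    def resume(self, sid):
        """Resumed TLS session.  Inner auth is skipped by design, so the
        cache lookup is the only thing between the client and EAP-Success."""
        if self.cache.get(sid):
            return "EAP-Success"
        return "EAP-Failure"  # full handshake and inner auth required


def attacker_flow(server):
    """Malicious supplicant: handshake, abandon the conversation before
    sending any credentials, then resume the session id."""
    sid = server.outer_handshake()
    return server.resume(sid)


def legit_flow(server, user, password):
    """Honest supplicant: handshake, inner auth, later resumption.
    Returns (initial result, resumption result)."""
    sid = server.outer_handshake()
    first = server.inner_auth(sid, user, password)
    return first, server.resume(sid)


if __name__ == "__main__":
    for policy in CachePolicy:
        print(policy.name, "attacker:", attacker_flow(EapTlsServer(policy)),
              "legit:", legit_flow(EapTlsServer(policy), "alice",
                                   "correct horse battery staple"))
```

Under CACHE_ON_HANDSHAKE the attacker's resumption yields EAP-Success with no credentials ever sent; under the other two policies it fails. The workaround costs honest clients their fast reconnect, which is why the upgrade to 3.0.14 is preferred over disabling the cache.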

The issue was first reported to FreeRADIUS developers by Winter; the date of that report is not known. The vulnerability was fixed in the 3.1.x and 4.0.x development branches in early February. It was also addressed in the 3.0.x branch around the same date, but the 3.0.x patch turned out to be incomplete.

Pavlicek independently discovered the flaw on April 24 and reported it to FreeRADIUS developers. A complete fix was developed on May 8 and rolled out to users last week with the release of version 3.0.14.

Users who cannot update to version 3.0.14 have been advised to disable TLS session caching by setting "enabled=no" in the cache section of the EAP module. Patches will not be released for unsupported versions.
