Vulnerability opens FreeRADIUS servers to unauthenticated attackers
A vulnerability in the free, open source FreeRADIUS server could be exploited by remote attackers to bypass authentication via PEAP or TTLS.
There is currently no indication that the flaw is being exploited in the wild, but as the existence of the flaw has been made public, the likelihood of attacks rises.
The good news is the FreeRADIUS Development Team has plugged the hole in version 3.0.14 of the FreeRADIUS suite (pushed out on Friday), and administrators are advised to upgrade their installation as soon as possible.
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service.
FreeRADIUS the most widely deployed RADIUS server in the world, as it serves as a basis for many commercial RADIUS products and services. It is used widely by big companies, telecoms, ISP, and in the academic community, to manage access to the Internet and a variety of networks.
About the FreeRADIUS authentication bypass vulnerability
“The implementation of TTLS and PEAP in FreeRADIUS skips inner authentication when it handles a resumed TLS connection. This is a feature but there is a critical catch: the server must never allow resumption of a TLS session until its initial connection gets to the point where inner authentication has been finished successfully,” it is explained in the advisory.
“Unfortunately, affected versions of FreeRADIUS fail to reliably prevent resumption of unauthenticated sessions unless the TLS session cache is disabled completely and allow an attacker (e.g. a malicious supplicant) to elicit EAP Success without sending any valid credentials.”
The vulnerability, designated CVE-2017-9148, was first flagged at the beginning of the year by Stefan Winter of the RESTENA Foundation. A fix that was pushed out in February turned out to be incomplete, and the flaw was rediscovered by Luboš Pavlíček of the University of Economics, Prague, in late April. It is now finally fixed.
The problem exists in the TLS session cache, so if upgrading is impossible, admins can disable TLS session caching to temporarily mitigate the risk.
“We believe that this issue affects all versions of FreeRADIUS which use EAP methods based on EAP-TLS,” the Development Team noted.
“We remind users that versions 1.0.x, 1.1.x, 2.0.x, 2.1.x, and 2.2.x are old and unsupported. Patches for those versions will not be released, as the issue can be corrected with a minor configuration change. We also note that prior to version 3, the session cache was disabled by default, and required administrator intervention to enable it.”