FreeRADIUS Authentication Bug Allows for Remote Server Control

Liviu ARSENE

May 31, 2017

A vulnerability in FreeRADIUS, a widely deployed open source implementation of the RADIUS authentication protocol, could allow an attacker to be authenticated by the server without ever presenting valid credentials.

The vulnerability has been patched and documented as CVE-2017-9148, but FreeRADIUS remains one of the most popular RADIUS servers, used even by major ISPs and large companies, so exploitation in the wild could have had serious consequences. The flaw allows an attacker to resume a TLS session even though authentication of the original session was never completed.

“The RADIUS protocol was originally introduced to authenticate dial-up users (“Remote Authentication Dial-In User Service”). While dial-up modems are gone, RADIUS has stuck around as an all-around authentication protocol for various network devices,” wrote Johannes Ullrich, SANS Technology Institute dean of research. “RADIUS itself assumes a secure connection, which was fine during dial-up days, but in modern networks, RADIUS usually relies on TLS.”

Although the vulnerability was known and believed to have been patched earlier, Stefan Winter of the RESTENA Foundation and Lubos Pavlicek of the University of Economics in Prague developed a proof-of-concept (not publicly available) showing that the vulnerability is still present.

“The implementation of TTLS and PEAP in FreeRADIUS skips inner authentication when it handles a resumed TLS connection,” reads the advisory. “This is a feature but there is a critical catch: the server must never allow resumption of a TLS session until its initial connection gets to the point where inner authentication has been finished successfully. Unfortunately, affected versions of FreeRADIUS fail to reliably prevent resumption of unauthenticated sessions unless the TLS session cache is disabled completely and allow an attacker (e.g. a malicious supplicant) to elicit EAP Success without sending any valid credentials.”

The fix has been available since May 8 and is included in the 3.0.14 release of FreeRADIUS. Everyone running an affected version is encouraged to upgrade; where that is not immediately possible, the vulnerability can be mitigated by disabling the TLS session cache in the EAP module configuration. According to FreeRADIUS, no known attacks leverage this vulnerability.
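As an added illustration (example code written for this article, not code from the FreeRADIUS project or from the advisory), the following Python script audits a FreeRADIUS eap module configuration for the TLS session cache the advisory describes, applies the work-around of disabling that cache, and classifies the result against the 3.0.14 fix version. The simplified config grammar it parses, the sample configuration, and all function names are assumptions of this example.

```python
"""
Audit a FreeRADIUS 'eap' module configuration for the TLS session cache
that CVE-2017-9148 abuses, and apply the advisory's work-around.

Example code written for this article, not FreeRADIUS project code.
The parser is deliberately simple (one directive per line, '#' comments,
'name {' or 'name instance {' section headers) and the sample
configuration at the bottom is constructed for the demonstration.
"""
import re

# First release that fixes the bug, per the FreeRADIUS advisory.
FIXED_VERSION = (3, 0, 14)


def parse_config(text):
    """Parse brace-nested FreeRADIUS config text into nested dicts.

    Sections become dicts keyed by their header ('tls-config tls-common');
    'key = value' directives become strings with surrounding quotes removed.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}' in config")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value.strip('"')
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def find_cache_sections(node, path):
    """Yield (path, section) for every subsection named 'cache' below node."""
    for name, child in node.items():
        if isinstance(child, dict):
            child_path = path + (name,)
            if name == "cache":
                yield child_path, child
            yield from find_cache_sections(child, child_path)


def enabled_cache_paths(config):
    """Paths of cache subsections in the eap module that have enable = yes."""
    eap = config.get("eap", {})
    return ["/".join(path) for path, section in find_cache_sections(eap, ("eap",))
            if section.get("enable", "no").lower() in ("yes", "on", "true", "1")]


def parse_version(version):
    """'3.0.13' -> (3, 0, 13) so versions compare as tuples."""
    return tuple(int(part) for part in version.split("."))


def assess(config_text, version):
    """Classify a server against CVE-2017-9148.

    Returns (status, enabled_cache_paths): 'fixed' for 3.0.14 or later;
    otherwise 'vulnerable' if any TLS session cache is enabled and
    'mitigated' if the cache is disabled everywhere.
    """
    enabled = enabled_cache_paths(parse_config(config_text))
    if parse_version(version) >= FIXED_VERSION:
        return "fixed", enabled
    return ("vulnerable" if enabled else "mitigated"), enabled


def disable_session_cache(config_text):
    """Return config_text with 'enable = no' in every cache subsection.

    This is the work-around for unpatched servers: comments and layout are
    preserved and only the enable directive inside cache { } is rewritten.
    """
    out, stack = [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif stack and stack[-1] == "cache" and re.match(r"\s*enable\s*=", raw):
            raw = re.sub(r"(enable\s*=\s*)\S+", r"\1no", raw, count=1)
        out.append(raw)
    return "\n".join(out)


# Constructed sample: a pre-3.0.14 style eap module with session caching on.
SAMPLE_EAP_CONFIG = """\
eap {
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        cipher_list = "DEFAULT"
        cache {
            enable = yes        # TLS session resumption allowed
            lifetime = 24       # hours
            max_entries = 255
        }
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
    }
}
"""

if __name__ == "__main__":
    for version in ("3.0.13", "3.0.14"):
        print(version, assess(SAMPLE_EAP_CONFIG, version))
    hardened = disable_session_cache(SAMPLE_EAP_CONFIG)
    print("3.0.13 after work-around", assess(hardened, "3.0.13"))
```

Run it against the contents of your own `mods-available/eap` and the output of `radiusd -v`; a result of `vulnerable` means either upgrade to 3.0.14 or apply the rewritten configuration and restart the server. Note that disabling the cache removes TLS session resumption for all EAP-TLS, TTLS and PEAP clients, so every reconnect pays for a full handshake and inner authentication.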
