Developers behind FreeRADIUS, an open source implementation of the 26-year-old RADIUS networking protocol, are encouraging users to update to address an authentication bypass found in the server.
While FreeRADIUS is usually run on Linux systems, it can be configured to run on Windows machines. The open source implementation helps facilitate RADIUS a/k/a Remote Authentication Dial-In User Service. The protocol allows remote access servers to communicate with a central server to connect and authenticate dial-in users. Over the last couple of years, the protocol has been largely dependent on TLS, paired with EAP, the Extensible Authentication Protocol, for security.
May 30, 2017 , 11:47 am
May 26, 2017 , 12:00 pm
May 26, 2017 , 11:00 am
The vulnerability stems from the way FreeRADIUS’ TLS session cache behaves. In older versions of the server – versions prior to 3.0.14 – it failed to reliably prevent resumption of an unauthenticated session.
That meant an attacker could effectively authenticate to a FreeRADIUS server without credentials by connecting, suspending, and resuming the session. Technically, the vulnerability afforded an attacker the ability to bypass authentication via the PEAP or TTLS protocols, according to MITRE, which published information on the flaw, CVE-2017-9148, on Monday.
The fact that both TTLS and PEAP are configured to skip inner authentication isn’t the vulnerability here because it’s actually a feature that helps enhance performance for TLS. Because the server caches session keys, a client can connect back with a known TLS session ID, which can retrieve keys from its cache.
According to Johannes Ullrich, dean of research at the SANS Institute, the problem is that the server shouldn’t allow these TLS sessions to resume. Ullrich published a brief post on the SANS Handler’s Diary discussing the vulnerability Tuesday.
“The problem with FreeRADIUS is that it assumes that for resumed sessions, the ‘inner authentication,’ which is the actual RADIUS authentication, already succeeded,” Ullrich wrote, “This is not always true. A session may be interrupted, and then resumed, before the authentication succeeded.”
Without patching the only other way to mitigate the vulnerability would be to disable TLS session caching completely. According to a vulnerability notification published by FreeRADIUS, users can do that by setting enabled to “no” in the cache subsection of EAP module settings (raddb/mods-enabled/eap in the standard v3.0.x-style layout).
According to a notification published by FreeRADIUS all versions of FreeRADIUS that use EAP methods based on EAP-TLS are vulnerable. In particular all stable versions (3.0.x) before 3.0.14, all end-of-life versions of 2.2.x, and all development versions (3.1.x and 4.0.x) released before February 4, 2017 are considered affected.
Versions 1.0.x, 1.1.x, 2.0.x, 2.1.x, and 2.2.x of the protocol will not receive updates since they’re old and unsupoorted, FreeRADIUS added.
Stefan Winter of the RESTENA Foundation – an organization that manages the .lu ccTLD for Luxembourg, discovered the vulnerability and reported it several months ago but an attempt to fix it wasn’t made in earnest until February.
The flaw was thought to be fixed in the v3.1.x and v4.0.x branches released in February but it resurfaced. Pavel Kankovsky rediscovered the same vulnerability in version 3.0.13 of FreeRADIUS, and a proof of concept exploit was developed in late April.
The FreeRADIUS team committed fixes for Kankovsky’s findings earlier this month, and finally released 3.0.14, believed to resolve the vulnerability, on Friday.