Last Updated: 2017-05-30 11:43:26 UTC
by Johannes Ullrich (Version: 1)
The RADIUS protocol was originally introduced to authenticate dial-up users.( "Remote Authentication Dial-In User Service). While dial-up modems are gone, RADIUS has stuck around as an all-around authentication protocol for various network devices. RADIUS itself assumes a secure connection, which was fine during dial-up days, but in modern networks, RADIUS usually relies on TLS.
Today, Stefan Winter released details about a vulnerability in FreeRADIUS, an open source implementation of the RADIUS protocol, which can be used to authenticate successfully without ever sending valid credentials .
TLS can "resume connections." The server caches the session keys to make this possible, and if a client connects back with a known TLS session ID, the keys are retrieved from its cache and used. In itself, the features is not a big problem, and the feature is necessary to achieve optimal performance for TLS. Without being able to resume connections, the TLS handshake has to be established again.
However, the problem with FreeRADIUS is that it assumes that for resumed sessions, the "inner authentication," which is the actual RADIUS authentication, already succeeded. This is not always true. A session may be interrupted, and then resumed, before the authentication succeeded.
The result is that an attacker can authenticate to a FreeRADIUS server by first connecting, then suspending and resuming the session. No credentials are necessary.
FreeRADIUS released an update. Version 3.0.14 is no longer vulnerable. If you can't patch right now, then you can also turn off TLS session caching by setting "enabled=no" in the cache section of the EAP module settings. The vulnerability has been assigned CVE-2017-9148.
A PoC exploit has been developed, but I have not seen it made public so far.
For details, see the original post by Stefan Winter