SecurityWeek

Identity & Access

Authentication Bypass Flaw Patched in FreeRADIUS

A FreeRADIUS update released on Friday patches a potentially serious vulnerability that can be exploited to bypass authentication to the server. Developers have known about the flaw for months, but their previous fix turned out to be incomplete.

FreeRADIUS is an open source implementation of RADIUS (Remote Authentication Dial-In User Service), a networking protocol for user authentication, authorization and accounting. FreeRADIUS, said to be the world’s most popular RADIUS server, is leveraged by many Fortune 500 companies and ISPs.

The security hole, tracked as CVE-2017-9148, was independently discovered by Stefan Winter of the RESTENA Foundation and Lubos Pavlicek of the University of Economics in Prague. Pavel Kankovsky noticed that the initial patch was incomplete.

The researchers found that the FreeRADIUS server could be convinced to resume a TLS session whose original connection had never completed inner (PEAP/TTLS) authentication.

“The implementation of TTLS and PEAP in FreeRADIUS skips inner authentication when it handles a resumed TLS connection. This is a feature but there is a critical catch: the server must never allow resumption of a TLS session until its initial connection gets to the point where inner authentication has been finished successfully,” Kankovsky said in an advisory.

“Unfortunately, affected versions of FreeRADIUS fail to reliably prevent resumption of unauthenticated sessions unless the TLS session cache is disabled completely and allow an attacker (e.g. a malicious supplicant) to elicit EAP Success without sending any valid credentials,” he added.

Johannes Ullrich, dean of research at the SANS Technology Institute, explained that an attacker can exploit the vulnerability to authenticate to a FreeRADIUS server without valid credentials: the attacker completes the outer TLS handshake, drops the connection before inner authentication takes place, and then reconnects using TLS session resumption, at which point the server skips inner authentication and returns EAP Success.
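The following is an added illustration, not FreeRADIUS code, of the invariant Kankovsky's advisory describes. It reduces a PEAP/TTLS server to the single decision that matters here: when a TLS session becomes eligible for resumption. The vulnerable variant caches the session as soon as the outer handshake completes; the corrected variant caches it only after inner authentication succeeds. All class and function names, and the sample user database, are constructed for this example.

```python
"""Toy model of CVE-2017-9148: TLS session cache vs. EAP inner authentication.

Added example, not FreeRADIUS code. Real TLS resumption uses session IDs or
tickets negotiated inside the handshake; here a session ID is just a random
token, and "resumed" means the server found it in its cache.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class ServerSession:
    session_id: bytes
    inner_auth_ok: bool = False


class EapTlsServer:
    """Minimal PEAP/TTLS-like server: outer TLS handshake, then inner auth."""

    def __init__(self, cache_after_inner_auth: bool, users: dict[str, str]):
        # False reproduces the vulnerable behaviour, True the corrected one.
        self.cache_after_inner_auth = cache_after_inner_auth
        self.users = users  # constructed sample credential store
        self.cache: dict[bytes, ServerSession] = {}

    def client_hello(self, resume_id: bytes | None) -> tuple[str, ServerSession]:
        """Outer TLS handshake. Returns ("resumed", s) or ("full", s)."""
        if resume_id is not None and resume_id in self.cache:
            # Resumed session: inner authentication is skipped by design.
            return "resumed", self.cache[resume_id]
        s = ServerSession(session_id=secrets.token_bytes(32))
        if not self.cache_after_inner_auth:
            # Vulnerable: cached as soon as the outer handshake completes,
            # before anyone has proven who they are.
            self.cache[s.session_id] = s
        return "full", s

    def inner_auth(self, s: ServerSession, username: str, password: str) -> bool:
        """Inner authentication carried inside the TLS tunnel."""
        ok = self.users.get(username) == password
        s.inner_auth_ok = ok
        if ok and self.cache_after_inner_auth:
            # Corrected: only a session that finished inner auth may resume.
            self.cache[s.session_id] = s
        return ok

    def eap_result(self, kind: str, s: ServerSession) -> str:
        if kind == "resumed":
            return "EAP-Success"
        return "EAP-Success" if s.inner_auth_ok else "EAP-Failure"


def malicious_supplicant(server: EapTlsServer) -> str:
    """Handshake, abandon before inner auth, reconnect with resumption."""
    kind, s = server.client_hello(None)
    assert kind == "full"
    # No credentials are ever sent; the attacker simply drops the connection
    # and comes back presenting the session ID it was handed.
    kind2, s2 = server.client_hello(s.session_id)
    return server.eap_result(kind2, s2)


def legitimate_supplicant(server: EapTlsServer, user: str, pw: str) -> tuple[str, str]:
    """Full handshake with inner auth, then a resumed reconnect."""
    kind, s = server.client_hello(None)
    server.inner_auth(s, user, pw)
    first = server.eap_result(kind, s)
    kind2, s2 = server.client_hello(s.session_id)
    second = server.eap_result(kind2, s2)
    return first, second


USERS = {"alice": "correct horse battery staple"}  # constructed sample data

if __name__ == "__main__":
    vulnerable = EapTlsServer(cache_after_inner_auth=False, users=USERS)
    fixed = EapTlsServer(cache_after_inner_auth=True, users=USERS)
    print("vulnerable, no credentials:", malicious_supplicant(vulnerable))
    print("fixed, no credentials:     ", malicious_supplicant(fixed))
    print("fixed, valid credentials:  ", legitimate_supplicant(fixed, "alice", USERS["alice"]))
```

Against the vulnerable server the supplicant obtains EAP-Success without ever sending a password; against the corrected server the same reconnect is not found in the cache, falls back to a full handshake, and ends in EAP-Failure because inner authentication never ran. Disabling the cache entirely, as the workaround does, has the same effect as never populating it.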

The issue was first reported to FreeRADIUS developers at an unknown date, likely in early 2017, by Winter. The vulnerability was fixed in the 3.1.x and 4.0.x development branches in early February. It was also addressed in the 3.0.x branch at around the same time, but it turned out that the 3.0.x patch was incomplete.

Pavlicek independently discovered the flaw on April 24 and reported it to FreeRADIUS developers. A complete fix was developed on May 8 and rolled out to users last week with the release of version 3.0.14.

Users who cannot update to version 3.0.14 have been advised to disable TLS session caching by setting “enabled=no” in the cache section of the EAP module. Patches will not be released for unsupported versions.
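The workaround in context, as an added configuration fragment rather than text from the advisory or the project. It assumes the 3.0.x layout of raddb/mods-available/eap, where the cache settings live in a `cache` subsection under the `tls-config tls-common` block of the `eap` module; in the shipped file the boolean is spelled `enable`, which is what the article's "enabled=no" refers to, so check the key name against your own copy before relying on it. Other settings in those sections are omitted here.

```conf
# raddb/mods-available/eap (3.0.x layout); other settings omitted
eap {
	tls-config tls-common {
		cache {
			# Weak on 3.0.x before 3.0.14: resumed sessions skip inner
			# authentication, and a session that never finished inner
			# authentication could still land in this cache.
			# enable = yes

			# Workaround from the advisory for servers that cannot be
			# upgraded: no cache at all, so every connection must complete
			# a full TLS handshake and inner authentication.
			enable = no
		}
	}
}
```

After editing, run `radiusd -C` to check the configuration parses, restart the daemon, and confirm with `radiusd -v` whether you are already on 3.0.14 or later, in which case the cache can stay enabled. The cost of the workaround is a full TLS handshake on every reconnect, which is why upgrading remains the recommended fix.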

A proof-of-concept (PoC) exploit has been developed, but it has not been made public. FreeRADIUS is not aware of any in-the-wild attacks exploiting this vulnerability.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
