A FreeRADIUS update released on Friday patches a potentially serious vulnerability that can be exploited to bypass authentication to the server. Developers have known about the flaw for months, but their previous fix turned out to be incomplete.
FreeRADIUS is an open source implementation of RADIUS (Remote Authentication Dial-In User Service), a networking protocol for user authentication, authorization and accounting. FreeRADIUS, said to be the world’s most popular RADIUS server, is leveraged by many Fortune 500 companies and ISPs.
The security hole, tracked as CVE-2017-9148, was independently discovered by Stefan Winter of the RESTENA Foundation and Lubos Pavlicek of the University of Economics in Prague. Pavel Kankovsky noticed that the initial patch was incomplete.
The researchers discovered that the FreeRADIUS server could be convinced to allow a TLS session to resume before authentication was completed.
“The implementation of TTLS and PEAP in FreeRADIUS skips inner authentication when it handles a resumed TLS connection. This is a feature but there is a critical catch: the server must never allow resumption of a TLS session until its initial connection gets to the point where inner authentication has been finished successfully,” Kankovsky said in an advisory.
“Unfortunately, affected versions of FreeRADIUS fail to reliably prevent resumption of unauthenticated sessions unless the TLS session cache is disabled completely and allow an attacker (e.g. a malicious supplicant) to elicit EAP Success without sending any valid credentials,” he added.
Johannes Ullrich, dean of research at the SANS Technology Institute, explained that an attacker can exploit the vulnerability to authenticate to a FreeRADIUS server without valid credentials by connecting to the server, suspending the session, and then resuming it.
The issue was first reported to FreeRADIUS developers at an unknown date – likely in early 2017 – by Winter. The vulnerability was fixed in the 3.1.x and 4.0.x development branches in early February. It was also addressed in the 3.0.x branch at around the same date, but it turned out that the 3.0.x patch was incomplete.
Pavlicek independently discovered the flaw on April 24 and reported it to FreeRADIUS developers. A complete fix was developed on May 8 and rolled out to users last week with the release of version 3.0.14.
Users who cannot update to version 3.0.14 have been advised to disable TLS session caching by setting “enabled=no” in the cache section of the EAP module. Patches will not be released for unsupported versions.
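As an added example (not the article's or the FreeRADIUS project's own code), a small Python audit that parses a brace-delimited eap module config and reports every cache section that still has session caching switched on, so the workaround can be verified across many servers; the sample config is constructed, and the key name `enabled` follows the article's wording.

```python
# Constructed sample of a FreeRADIUS-style "eap" module config (not the project's
# own file): nested brace sections holding "key = value" lines and "#" comments.
VULNERABLE_EAP_CONF = """
eap {
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        cache {
            # TLS session caching (resumption) left on: the vulnerable setting
            enabled = yes
        }
    }
}
"""
MITIGATED_EAP_CONF = VULNERABLE_EAP_CONF.replace("enabled = yes", "enabled = no")  # advisory workaround


def parse_sections(text):
    """Parse brace-delimited config into nested dicts; leaf values stay strings."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):  # open a subsection
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":  # close the current subsection
            stack.pop()
        elif "=" in line:  # key = value
            key, value = (p.strip() for p in line.split("=", 1))
            stack[-1][key] = value
    return root


def cache_sections(node, path=()):
    """Yield (path, section) for every subsection named 'cache', at any depth."""
    for name, child in node.items():
        if isinstance(child, dict):
            if name == "cache":
                yield path + (name,), child
            yield from cache_sections(child, path + (name,))


def enabled_caches(text):
    """Paths of cache {} blocks in the eap module with caching on (no 'enabled' line = off, assumed)."""
    eap = parse_sections(text).get("eap", {})
    return [path for path, cache in cache_sections(eap)
            if cache.get("enabled", "no").lower() == "yes"]
```

Any non-empty result means the server is still accepting TLS session resumption and the workaround has not taken effect.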
A proof-of-concept (PoC) exploit has been developed, but it has not been made public. FreeRADIUS is not aware of any in-the-wild attacks exploiting this vulnerability.