Vulnerability in OSC Radiator EAP authentication could allow unauthenticated access

Open System Consultants (OSC)
Security Advisory OSC-SEC-2014-01

Published: December 3, 2014 10:00 am UTC | Updated: December 4, 2014 8:00 am UTC

Summary

A bug exists in the Radiator Extensible Authentication Protocol (EAP) implementation that allows a malicious client to bypass EAP method restrictions. A vulnerability caused by this bug was discovered in recent Radiator releases and requires urgent attention.

This EAP bug, together with an EAP method released in Radiator 4.10, creates a vulnerability which could allow a malicious EAP client to gain unauthorised access through Radiator. Successful exploitation requires specially crafted EAP client software.

The bug and the vulnerability were discovered by OSC’s development team. OSC is not aware of public use of this vulnerability.

Affected Radiator versions

  1. The vulnerability affects Radiator versions 4.9 + patches, 4.10 and up to 4.13.
  2. The EAP bug affects all Radiator versions up to 4.13.

Affected Radiator configurations

The EAP bug affects Radiator configurations which authenticate EAP messages. If your Radiator does not receive EAP messages, it is not affected.

Radiator installations proxying EAP messages are not affected if they do not also authenticate EAP messages.

Recommended action

OSC recommends upgrading to Radiator 4.14. If you cannot upgrade at this time, install the backport to fix the EAP bug.

Mitigation of the vulnerability

If your Radiator version is vulnerable and you cannot upgrade or apply backports at this time, OSC recommends removing the EAP method released with Radiator 4.10 to remove the known vulnerability.

Questions and Answers

What might an attacker use this vulnerability to do?

An attacker could gain access to an authenticated resource without valid credentials. The authentication method must be based on the EAP protocol. Common examples are Wi-Fi networks with WPA-Enterprise and WPA2-Enterprise authentication.

What is required to exploit this vulnerability?

The attacker needs to develop a custom EAP supplicant (client software) to send specially crafted EAP messages.

What is the difference between the vulnerability and the EAP bug?

The EAP method restriction bypass is a bug which may cause further vulnerabilities if left unfixed. OSC strongly recommends upgrading to Radiator 4.14 or installing a backport included in the Radiator 4.14 distribution package to fix the bug.

The EAP bug, together with the test EAP method introduced in Radiator 4.9 + patches, creates the vulnerability which could be used to gain unauthorised access. OSC considers this a vulnerability which requires urgent attention.
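
Added example (not part of the OSC advisory and not Radiator code): a sketch of what enforcing EAP method restrictions on the server side involves under RFC 3748, where the method to run is chosen from the outstanding request and the configured list, never from the type byte of the client's response alone. The advisory gives no details of the actual flaw, so this does not reproduce it; the function names and the allowed list are hypothetical, the allowed list is assumed to be non-empty, and the sample packets are constructed.

```python
import struct

EAP_RESPONSE = 2
T_IDENTITY, T_NAK, T_MD5, T_TLS, T_PEAP = 1, 3, 4, 13, 25  # RFC 3748 / IANA type numbers

class EapPolicyError(Exception):
    """The response is malformed or asks for a method the policy forbids."""

def parse_response(packet):
    """Validate the EAP header and return (identifier, type, type_data)."""
    if len(packet) < 5:
        raise EapPolicyError("truncated EAP packet")
    code, ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE:
        raise EapPolicyError("not an EAP-Response")
    if length < 5 or length > len(packet):
        raise EapPolicyError("length field disagrees with packet size")
    return ident, eap_type, packet[5:length]

def next_method(packet, pending_id, pending_type, allowed):
    """Return the method type the server may run next.

    pending_id / pending_type describe the outstanding request; allowed is
    the ordered list of method types enabled in configuration (hypothetical).
    """
    ident, eap_type, data = parse_response(packet)
    if ident != pending_id:
        raise EapPolicyError("identifier does not match outstanding request")
    if eap_type == T_NAK:
        if pending_type < 4:
            raise EapPolicyError("Nak is only valid for method requests")
        # Intersect the peer's wishes with policy; never widen the policy.
        for method in allowed:
            if method in data and method != pending_type:
                return method
        raise EapPolicyError("peer proposed no permitted method")
    if eap_type != pending_type:
        raise EapPolicyError("response type differs from requested type")
    if eap_type == T_IDENTITY:
        return allowed[0]  # start with the server's preferred method
    if eap_type not in allowed:
        raise EapPolicyError("method not enabled in configuration")
    return eap_type

def make_response(ident, eap_type, data=b""):
    """Build a constructed sample EAP-Response for exercising the checks."""
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), eap_type) + data
```
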