Open System Consultants (OSC)
Security Advisory OSC-SEC-2015-01
Published: July 15, 2015 12:30 pm UTC
A vulnerability exists in Radiator's Extensible Authentication Protocol (EAP) implementations of EAP-MSCHAP-V2 and EAP-pwd: a malicious EAP client could hide the real user identity after successful authentication.
This vulnerability could allow a malicious EAP client to gain unauthorised access through Radiator. Successful exploitation requires valid authentication credentials and specially crafted EAP client software.
The vulnerability was discovered by OSC’s development team. OSC is not aware of public use of this vulnerability.
The vulnerability affects Radiator versions up to 4.14.
The vulnerability affects Radiator configurations which support EAP-MSCHAP-V2 or EAP-pwd authentication. If your Radiator is not configured to support these EAP methods, it is not affected. Note: EAP-MSCHAP-V2 is commonly used together with PEAP.
Radiator installations proxying EAP messages are not affected if they do not also authenticate EAP messages.
OSC recommends upgrading to Radiator 4.15.
If you cannot upgrade at this time and are running Radiator 4.11 or later, you can upgrade EAP-MSCHAP-V2 individually as described below.
The other changes, which are in EAP-pwd, require upgrading additional Perl modules as described in the change history, and no simple mitigation is possible for EAP-pwd.
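The version and configuration conditions above can be checked mechanically against a deployment. The following is an added example, not OSC's code: it assumes EAP methods are enabled through Radiator's `EAPType` configuration parameter with the tokens `MSCHAP-V2` and `PWD`, and the function names and sample configuration are constructed for illustration.

```python
import re

# Assumption: EAP methods are enabled with Radiator's EAPType parameter and the
# affected methods appear there as MSCHAP-V2 and PWD (token spellings assumed).
AFFECTED = {"MSCHAP-V2": "EAP-MSCHAP-V2", "PWD": "EAP-pwd"}

def parse_version(text):
    """'4.9' -> (4, 9), so that 4.9 sorts before 4.11 (a float compare would not)."""
    return tuple(int(p) for p in text.strip().split("."))

def enabled_affected_methods(config_text):
    """Return the affected EAP methods named on any uncommented EAPType line."""
    found = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"EAPType\s+(.+)$", line, re.IGNORECASE)
        if m:
            for token in re.split(r"[,\s]+", m.group(1)):
                if token.upper() in AFFECTED:
                    found.add(AFFECTED[token.upper()])
    return sorted(found)

def triage(version, config_text):
    """Apply the advisory's version and configuration conditions."""
    methods = enabled_affected_methods(config_text)
    ver = parse_version(version)
    if ver > (4, 14) or not methods:
        return {"affected": False, "methods": methods, "action": "none"}
    # Only EAP-MSCHAP-V2 can be upgraded individually, and only on 4.11 or later.
    if methods == ["EAP-MSCHAP-V2"] and ver >= (4, 11):
        action = "upgrade to 4.15, or upgrade EAP-MSCHAP-V2 individually"
    else:
        action = "upgrade to 4.15"
    return {"affected": True, "methods": methods, "action": action}

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """
<Handler TunnelledByPEAP=1>
    <AuthBy FILE>
        Filename %D/users
        EAPType MSCHAP-V2   # inner method inside PEAP
        # EAPType PWD
    </AuthBy>
</Handler>
"""

if __name__ == "__main__":
    for v in ("4.9", "4.11", "4.14", "4.15"):
        print(v, triage(v, SAMPLE))
```

A configuration that only proxies EAP has no `EAPType` lines and is reported as not affected, matching the proxying exception above.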
The effects depend on the configuration. If the vulnerable EAP methods are used only for authentication, an attacker may be able to conceal the real identity in some of the system authentication logs. When additional authorization is done, the attacker may gain unauthorized access to the resources. Common examples of these resources are wired and Wi-Fi networks with WPA-Enterprise and WPA2-Enterprise authentication. In these networks authorization may be used, for example, for VLAN assignment. EAP-MSCHAP-V2 is commonly used together with PEAP.
The attacker needs to develop a custom EAP supplicant (client software) to send specially crafted EAP messages. The attacker must have valid credentials to authenticate to the system.