Two vulnerabilities in OSC Radiator: TLS based EAP session resumption and string formatting

Open System Consultants (OSC)
Security Advisory OSC-SEC-2015-02

Published: October 27, 2015 09:55 am UTC

Summary

A vulnerability was discovered in Radiator Extended Authentication Protocol (EAP) EAP-TLS and PEAP implementations affecting TLS session resumption. A second unrelated vulnerability in string formatting can cause a denial of service (DOS) crash or other unexpected behaviour.

The TLS session resumption vulnerability could allow a malicious EAP client to gain unauthorised access from Radiator with EAP-TLS after successful authentication. With PEAP the attacker may also gain unauthenticated access. For unauthorised access with EAP-TLS or PEAP, a successful exploitation requires valid authentication credentials and specially crafted EAP client software. Unauthenticated PEAP access also requires specially crafted EAP client sofware.

The TLS session resumption vulnerability was discovered by OSC’s development team. OSC is not aware of public use of this vulnerability. The string formatting vulnerability was discovered by Øyvind Aabling.

Affected Radiator versions

The vulnerability affects Radiator versions up to 4.15.

Affected Radiator configurations

The TLS session resumption vulnerability affects Radiator configurations which authenticate EAP-TLS and PEAP and do not have 'EAPTLS_SessionResumption' configuration parameter explicitly disabled. EAP-TTLS and EAP-FAST are not vulnerable.

The string formatting vulnerability is likely to affect most of the Radiator configurations.

Recommended action

OSC recommends upgrading to Radiator 4.16.

Mitigation

If you cannot upgrade at this time, you can disable session resumption for the TLS based EAP methods. See the reference manual 'EAPTLS_SessionResumption' configuration parameter for the details. Note: this increases resource requirements for the server.

Mitigation for the denial of string formatting vulnerability is possible with a caveat if your Radiator is 4.13 or later.

Questions and Answers

What might an attacker use these vulnerabilities for?

For the session resumption vulnerability, the effects depend on the configuration. In addition to gaining unauthenticated access with PEAP, when the vulnerable EAP methods are used only for authentication, an attacker may be able to conceal the real identity in some of the system authentication logs. When additional authorization is done, the attacker may gain unauthorized access to the resources. Common examples of these resources are wired and Wi-Fi networks with WPA-Enterprise and WPA2-Enterprise authentication. In these networks authorization may be used, for example, for VLAN assignment.

The string formatting vulnerability can cause a crash, infinite loop, memory consumption followed by crash or other unexpected behaviour.

What is required to exploit these vulnerabilities?

For TLS session resumption, the attacker needs to develop a custom EAP supplicant (client software) and actively monitor network activity locally.

Successful exploit of string format vulnerability depends on the Radiator configuration. We strongly recommend all Radiator users to upgrade to the latest Radiator version.