Vulnerabilities in OSC Radiator 4.17

Open System Consultants (OSC)
Security Advisory OSC-SEC-2017-01

Published: May 10, 2017 09:35 am UTC

Summary

Vulnerabilities were discovered in SIP digest authentication, Quote special formatter, Digipass MSCHAP authentication, and AuthBy HEIMDALDIGEST.

Affected Radiator versions

These vulnerabilities affect Radiator versions up to 4.17. Quote special formatter was added in Radiator 4.3. AuthBy HEIMDALDIGEST was added in Radiator 4.11.

Affected Radiator configurations

The SIP digest authentication vulnerability affects configurations where Radiator is used to authenticate users and can receive RADIUS requests that have SIP digest authentication attributes. The other vulnerabilities affect configurations that have enabled the specified features.

Proxy configurations are affected if information about proxied requests is saved to SQL with a configuration that explicitly uses the %{Quote:value} formatter. Proxy configurations that use AuthBy SQLRADIUS with the Radiator 4.17 default configuration are also affected.

Case 1. Specially crafted SIP digest authentication requests could cause Radiator to allow access without valid credentials. Note: SIP digest authentication is disabled by default in Radiator 4.18. All previous Radiator versions will process SIP digest authentication RADIUS attributes.

Case 2. %{Quote:value} did not always fully quote its value. This could lead to unexpected SQL queries. This formatter is used by default only in the Radiator 4.17 AuthBy SQLRADIUS configuration. Check your configuration file to see if it is affected.

Case 3. A specially crafted MSCHAP authentication request could cause AuthBy SQLDIGIPASS or AuthBy LDAPDIGIPASS to allow access without valid credentials. MSCHAPv2 is not affected.

Case 4. Heimdal authentication was communicating with kdigest with an insecure method. This could lead to multiple types of unexpected behaviour. We strongly recommend all AuthBy HEIMDALDIGEST users to upgrade to Radiator 4.18.

Recommended action

OSC recommends upgrading to Radiator 4.18.

Mitigation

If you cannot upgrade at this time, consider the following options to mitigate the different cases. There is no good mitigation method for case 4.

Case 1

Mitigate case 1 by disabling SIP digest authentication with a change in the Radiator dictionary configuration. Comment out the Digest-Response attribute in the Radiator default dictionary, or create a custom dictionary file that renames Digest-Response. Digest-Response is the name of the request attribute that Radiator looks for to decide whether to attempt SIP digest authentication. If the attribute is not present, or has a different name in the dictionary, SIP digest authentication is not attempted. Here is an example of how to create a custom dictionary and rename Digest-Response:
  1. Create file called dictionary.local in Radiator's DbDir directory. See Radiator configuration file and reference manual for more about DbDir configuration parameter.
    # dictionary.local for amending and overriding the default dictionary
    ATTRIBUTE   Digest-Response-Disabled   103   string
  2. Update DictionaryFile configuration parameter in Radiator configuration file to load the custom dictionary after the default dictionary. For example:
    DictionaryFile %D/dictionary,%D/dictionary.local
  3. Restart Radiator after the configuration change. See below for how to test the changes.

Test the dictionary changes by running radpwtst with '-trace 4 -noacct -sip' command line parameters. Check that Digest-Response is not present in the request dumps in the Radiator log. Request dumps are enabled when the Radiator configuration has the 'Trace 4' (debug) log level enabled.

Case 2

If your configuration uses the %{Quote:value} formatter, you may be able to mitigate by changing your configuration to use SQL bind variables as described in the Radiator reference manual. If you cannot use bind variables, check whether the value you are quoting with %{Quote:value} is already available as a numbered special variable, such as %0. The numbered special variables are documented with the SQL queries in the Radiator reference manual.

Most of the Radiator SQL queries support bind variables. Bind variables are recommended for configuring SQL queries.

Case 3

Mitigate case 3 with a dictionary change similar to case 1 above. The attribute you need to override is named MS-CHAP-Response. This disables all MSCHAP authentication. See step 4 below for how to use radpwtst to test MSCHAP requests. Here is an example of dictionary.local:
    # dictionary.local for amending and overriding the default dictionary
    ATTRIBUTE       Digest-Response-Disabled   103   string
    VENDORATTR  311 MS-CHAP-Response-Disabled    1   binary

If your configuration uses Handlers, an alternative is a configuration change that uses a Handler to select which MSCHAP authentications need to be rejected. The example below shows how to configure Radiator with a Handler that rejects all MSCHAP authentication requests.

  1. Create a Handler for MSCHAP authentication requests:
    <Handler MS-CHAP-Response=/.+/>
        <AuthBy INTERNAL>
            DefaultResult REJECT
        </AuthBy>
    </Handler>
  2. Place the Handler before any other Handlers.
  3. Restart Radiator after the configuration change.
  4. Run radpwtst with '-trace 4 -noacct -mschap' command line parameters. Verify from radpwtst output and Radiator log that MSCHAP requests are rejected by the new Handler.

Run Radiator with Trace 4 log level to see that the correct Handler is chosen for MSCHAP requests.
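As an added illustration, not part of this advisory or of Radiator itself, the following Python script checks a configuration and its dictionary files against the four cases above: it merges dictionaries in DictionaryFile load order (a later definition of the same attribute number replaces the earlier name, which is what the dictionary.local examples rely on) and reports which cases still apply. The configuration text, the dictionary contents and the audit() helper are constructed for this example.

```python
import re

# Constructed sample inputs for the example (not from the advisory): a
# Radiator 4.17 style configuration, a minimal default dictionary and the
# dictionary.local override shown in the Case 1 mitigation.
DEFAULT_DICT = """\
ATTRIBUTE   User-Name            1   string
ATTRIBUTE   Digest-Response    103   string
VENDORATTR  311 MS-CHAP-Response  1   binary
"""
LOCAL_DICT = """\
# dictionary.local for amending and overriding the default dictionary
ATTRIBUTE   Digest-Response-Disabled   103   string
"""
CONFIG = """\
<AuthBy SQLDIGIPASS>
    AuthSelect select TOKENDATA from DIGIPASS where USERNAME=%{Quote:%0}
</AuthBy>
"""

def merged_attribute_names(*dictionaries):
    """Apply dictionary files in DictionaryFile load order. A later definition
    of the same attribute number (per vendor) replaces the earlier name, which
    is what renaming Digest-Response in dictionary.local relies on."""
    names = {}
    for text in dictionaries:
        for line in text.splitlines():
            fields = line.split()
            if not fields or fields[0].startswith("#"):
                continue
            if fields[0] == "ATTRIBUTE" and len(fields) >= 3:
                names[(None, fields[2])] = fields[1]
            elif fields[0] == "VENDORATTR" and len(fields) >= 4:
                names[(fields[1], fields[3])] = fields[2]
    return set(names.values())

def audit(config, *dictionaries):
    """Return the set of advisory cases (1-4) that still apply."""
    attrs = merged_attribute_names(*dictionaries)
    cases = set()
    if "Digest-Response" in attrs:          # Case 1: SIP digest still attempted
        cases.add(1)
    if "%{Quote:" in config or re.search(r"<AuthBy\s+SQLRADIUS>", config, re.I):
        cases.add(2)                        # Case 2: Quote formatter or 4.17 SQLRADIUS default
    if "MS-CHAP-Response" in attrs and re.search(r"<AuthBy\s+(SQL|LDAP)DIGIPASS>", config, re.I):
        cases.add(3)                        # Case 3: MSCHAP still reachable by DIGIPASS
    if re.search(r"<AuthBy\s+HEIMDALDIGEST>", config, re.I):
        cases.add(4)                        # Case 4: no mitigation, upgrade to 4.18
    return cases
```

With the sample inputs, the dictionary.local override removes case 1, while the %{Quote:%0} query and the DIGIPASS clause still flag cases 2 and 3.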

Questions and Answers

How can an attacker use these vulnerabilities?

The attacker may gain authenticated access, affect SQL queries that use Quote formatter, or cause unexpected behaviour on a server that has AuthBy HEIMDALDIGEST configured.

What is required to exploit these vulnerabilities?

The attacker must send specially crafted requests which depend on the above cases and server configuration.

How were these vulnerabilities discovered?

These vulnerabilities were discovered by OSC’s development team.

OSC is not aware of use of these vulnerabilities.