Open System Consultants (OSC)
Security Advisory OSC-SEC-2019-01. EAP-pwd related CVE IDs: CVE-2019-9497 and CVE-2019-9498.
EAP-pwd related information: https://wpa3.mathyvanhoef.com
Published: Apr 10, 2019 15:50 UTC
EAP-pwd did not properly validate received values. This allows an attacker to authenticate as any user without knowing the password. A separate vulnerability causes a crash in TLS-based modules, such as RadSec and EAP-TLS, that use policy OID checks.
All Radiator versions up to 4.23 that support EAP-pwd are affected. Radiator 4.22 is the only version affected by the policy OID related crash.
Allowed EAP methods are configured with the EAPType configuration parameter. Because multiple EAP methods can be supported simultaneously, this parameter may have multiple values and be present multiple times. If your configuration has EAPType with the value PWD, EAP-pwd is enabled and your configuration is vulnerable.
Stream-based modules that use TLS, such as RadSec and Diameter, may be configured with the TLS_PolicyOID parameter. This parameter is typically used with RadSec. The corresponding parameter for EAP-TLS is EAPTLS_PolicyOID. These configuration parameters may be present multiple times in a Radiator configuration. The crash is caused by a logging change in Radiator 4.22 and requires a certificate signed by a trusted CA.
OSC recommends upgrading to Radiator 4.23. The vulnerability fixes do not need configuration changes.
If you cannot upgrade at this time, consider the following mitigation options.
Review your Radiator configuration and change all instances of EAPType parameter to not include PWD. This requires that your users have alternative EAP authentication methods configured.
Some configurations may use the policy OID check as an additional measure that can be temporarily disabled. In this case you may consider commenting out or removing the EAPTLS_PolicyOID and TLS_PolicyOID configuration parameters. EAPTLS_PolicyOID affects EAP-TLS; TLS_PolicyOID affects TLS-based stream modules such as RadSec.
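The configuration review described above can be scripted. The following audit is an added example, not OSC's or Radiator's own code; it assumes Radiator's "Parameter value" line syntax with comma-separated EAPType lists, treats "#" lines as comments, reads a version string like "4.22" as a dotted tuple, and runs against a constructed sample configuration.

```python
import re
from typing import List, Tuple

# Constructed sample Radiator configuration for the audit (not from a real deployment).
SAMPLE_CONFIG = """\
<Handler Realm=example.org>
    AuthBy FILE
    EAPType PEAP, MSCHAP-V2
</Handler>
<Handler Realm=pwd.example.org>
    EAPType TTLS, PWD
    EAPType TLS
</Handler>
<ServerRADSEC>
    TLS_PolicyOID 1.3.6.1.4.1.99999.1
</ServerRADSEC>
# EAPTLS_PolicyOID 1.2.3.4 is commented out and must not be reported
"""

EAPTYPE_RE = re.compile(r'^\s*EAPType\s+(.+?)\s*$', re.IGNORECASE)
POLICY_OID_RE = re.compile(r'^\s*(TLS_PolicyOID|EAPTLS_PolicyOID)\b', re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Radiator version such as '4.22' into a comparable tuple."""
    return tuple(int(part) for part in version.split('.'))


def audit_config(text: str, version: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) findings for the two issues in OSC-SEC-2019-01.

    EAP-pwd (CVE-2019-9497/CVE-2019-9498) is reported on versions before 4.23 when
    any EAPType line lists PWD; the policy OID crash is reported only on 4.22 when a
    TLS_PolicyOID or EAPTLS_PolicyOID parameter is active.
    """
    ver = parse_version(version)
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue  # blank or comment line: parameter is not active
        m = EAPTYPE_RE.match(line)
        if m and ver < (4, 23):
            methods = {v.strip().upper() for v in m.group(1).split(',')}
            if 'PWD' in methods:
                findings.append((lineno, 'EAPType enables PWD: remove PWD or upgrade to 4.23'))
        if ver == (4, 22) and POLICY_OID_RE.match(line):
            findings.append((lineno, 'policy OID check on 4.22: crash risk until upgrade'))
    return findings
```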
The EAP-pwd vulnerability may be used to gain unauthorised access. The policy OID vulnerability may be used for a Denial of Service (DoS) attack that crashes the Radiator server.
The EAP-pwd vulnerability requires specially crafted software. The policy OID vulnerability requires a certificate from a trusted CA with a policy OID that is not expected by the target Radiator server. OSC is not aware of use of these vulnerabilities at the time of this security advisory release.
EAP-pwd implementations in general were found to be vulnerable to timing and cache-based attacks. These are not addressed by changes in Radiator 4.23. Timing attacks may be addressed in a future release. Cache-based attacks can be mitigated by not running Radiator on machines that run untrusted code. For more information about EAP-pwd vulnerabilities in general, see https://wpa3.mathyvanhoef.com
The EAP-pwd vulnerability was reported by Mathy Vanhoef (New York University Abu Dhabi). The policy OID vulnerability was reported by Stefan WINTER (Réseau Téléinformatique de l'Education Nationale et de la Recherche). Thanks to Mathy and Stefan for their reports and help with these issues.