Two vulnerabilities in Radiator: EAP-pwd authentication bypass and DoS with certain TLS configurations

Open System Consultants (OSC)
Security Advisory OSC-SEC-2019-01. EAP-pwd related CVE IDs: CVE-2019-9497 and CVE-2019-9498.
EAP-pwd related information: https://wpa3.mathyvanhoef.com

Published: Apr 10, 2019 15:50 UTC

Summary

EAP-pwd did not properly validate received values. This allows an attacker to authenticate as any user without knowing the password. A separate vulnerability causes a crash in TLS-based modules, such as RadSec and EAP-TLS, that use policy OID checks.

Affected Radiator versions

All Radiator versions up to 4.23 that support EAP-pwd are affected. Radiator 4.22 is the only version affected by the policy OID related crash.

Affected Radiator configurations

Allowed EAP methods are configured with the EAPType configuration parameter. Because multiple EAP methods can be supported simultaneously, this parameter may have multiple values and may be present multiple times. If your configuration has EAPType with the value PWD, EAP-pwd is enabled and your configuration is vulnerable.

Stream-based modules that use TLS, such as RadSec and Diameter, may be configured with the TLS_PolicyOID parameter. This parameter is typically used with RadSec. The corresponding parameter for EAP-TLS is EAPTLS_PolicyOID. Both configuration parameters may be present multiple times in a Radiator configuration. The crash is caused by a logging change in Radiator 4.22 and requires a certificate signed by a trusted CA.

Recommended action

OSC recommends upgrading to Radiator 4.23. The vulnerability fixes do not need configuration changes.

Mitigation

If you cannot upgrade at this time, consider the following mitigation options.

EAP-pwd: Remove EAP-pwd from configuration

Review your Radiator configuration and change every instance of the EAPType parameter so that it no longer includes PWD. This requires that your users have alternative EAP authentication methods configured.

TLS policy OID: Remove policy OID from configuration

Some configurations use the policy OID check only as an additional measure that can be temporarily disabled. In this case you may consider commenting out or removing the EAPTLS_PolicyOID and TLS_PolicyOID configuration parameters. EAPTLS_PolicyOID affects EAP-TLS; TLS_PolicyOID affects TLS-based stream modules, such as RadSec.
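The two mitigation steps above, and the "Affected Radiator configurations" section before them, both come down to the same review: find every EAPType value that includes PWD and every TLS_PolicyOID or EAPTLS_PolicyOID parameter, then apply the version statements from this advisory. The following script is an added example, not OSC's code or part of Radiator. It assumes a simple one-parameter-per-line layout with '#' comments and comma- or whitespace-separated EAPType values; the sample configuration, the placeholder OIDs and the clause names in it are constructed for this example, and the line layout is an assumption rather than a description of Radiator's own parser.

```python
"""Audit a Radiator configuration for the settings named in OSC-SEC-2019-01.

Reports
  * EAPType entries whose value includes PWD (EAP-pwd enabled)
  * TLS_PolicyOID / EAPTLS_PolicyOID entries (policy OID check enabled)
and combines them with the advisory's affected-version statements.

Assumption (example only, not a statement about Radiator's parser): one
'Parameter value' per line, '#' starts a comment, EAPType values are
separated by commas and/or whitespace, and <Clause> lines carry no parameters.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample configuration; clause names and OIDs are placeholders.
SAMPLE_CONFIG = """\
# constructed example radius.cfg
<Handler>
    <AuthBy FILE>
        Filename /path/to/users
        EAPType PEAP, MSCHAP-V2
        EAPType PWD
        # EAPType TLS
        EAPTLS_PolicyOID 1.2.3.4.5.6.7   # placeholder OID, not a real policy
    </AuthBy>
</Handler>

<ServerRADSEC>
    TLS_PolicyOID 1.2.3.4.5.6.8   # placeholder OID, not a real policy
</ServerRADSEC>
"""

POLICY_OID_PARAMS = ("TLS_PolicyOID", "EAPTLS_PolicyOID")
# Parameter name at line start, then its value (trailing whitespace dropped).
_PARAM_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")


def parse_params(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, name, value) for each parameter line, skipping comments and <tags>."""
    found: List[Tuple[int, str, str]] = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()       # strip trailing comment
        if not line.strip() or line.lstrip().startswith("<"):
            continue                                # blank line or clause tag
        m = _PARAM_RE.match(line)
        if m:
            found.append((line_no, m.group(1), m.group(2)))
    return found


def audit(config_text: str) -> Dict[str, List[int]]:
    """Line numbers that enable EAP-pwd and line numbers that configure a policy OID check."""
    findings: Dict[str, List[int]] = {"eap_pwd_lines": [], "policy_oid_lines": []}
    for line_no, name, value in parse_params(config_text):
        if name == "EAPType":
            # EAPType may list several methods; compare case-insensitively.
            methods = {v.strip().upper() for v in re.split(r"[,\s]+", value) if v.strip()}
            if "PWD" in methods:
                findings["eap_pwd_lines"].append(line_no)
        elif name in POLICY_OID_PARAMS:
            findings["policy_oid_lines"].append(line_no)
    return findings


def _version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def needs_action(findings: Dict[str, List[int]], radiator_version: str) -> Dict[str, bool]:
    """Apply the advisory's version statements to the audit findings."""
    ver = _version_tuple(radiator_version)
    return {
        # Advisory: versions before the fixed release 4.23 with EAP-pwd enabled.
        "eap_pwd": bool(findings["eap_pwd_lines"]) and ver < (4, 23),
        # Advisory: only Radiator 4.22 has the policy OID related crash.
        "policy_oid_crash": bool(findings["policy_oid_lines"]) and ver == (4, 22),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("EAP-pwd enabled on lines:", result["eap_pwd_lines"])
    print("Policy OID checks on lines:", result["policy_oid_lines"])
    print("Action needed (4.22):", needs_action(result, "4.22"))
```

Run it against your own radius.cfg by replacing SAMPLE_CONFIG with the file's contents; lines listed under eap_pwd_lines are the EAPType entries to change, and lines under policy_oid_lines are the parameters to comment out if you cannot upgrade. The version helper only encodes what this advisory states, so an upgraded 4.23 installation reports no action for either issue.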

Questions and answers

How can an attacker use this vulnerability?

The EAP-pwd vulnerability may be used to gain unauthorised access. The policy OID vulnerability may be used for a Denial of Service (DoS) attack that crashes the Radiator server.

What is required to exploit this vulnerability?

The EAP-pwd vulnerability requires specially crafted software. The policy OID vulnerability requires a certificate from a trusted CA with a policy OID that is not expected by the target Radiator server. OSC is not aware of any use of these vulnerabilities at the time of this security advisory release.

What about EAP-pwd timing and cache-based attacks?

EAP-pwd implementations in general were found to be vulnerable to timing and cache-based attacks. These are not addressed by the changes in Radiator 4.23. Timing attacks may be addressed in a future release. Cache-based attacks can be mitigated by not running Radiator on machines that run untrusted code. For more information about EAP-pwd vulnerabilities in general, see https://wpa3.mathyvanhoef.com

How was this vulnerability discovered?

The EAP-pwd vulnerability was reported by Mathy Vanhoef (New York University Abu Dhabi). The policy OID vulnerability was reported by Stefan Winter (Réseau Téléinformatique de l'Education Nationale et de la Recherche). Thanks to Mathy and Stefan for their reports and their help with these issues.

For more information about EAP-pwd vulnerabilities in general, see https://wpa3.mathyvanhoef.com and CVE-2019-9497 and CVE-2019-9498 and their related CVEs.