The RADIUS protocol was originally introduced to authenticate dial-up users.( Remote Authentication Dial-In User Service). While dial-upmodems are gone, RADIUS has stuck around as an all-around authentication protocol for variousnetwork devices. RADIUS itself assumes a secure connection, which was fine during dial-up days, but in modern networks, RADIUS usually relies on TLS.
Today, Stefan Winter released details about a vulnerability in FreeRADIUS, an open source implementation of the RADIUS protocol, which can be used to authenticate successfully without ever sendingvalid credentials .
TLS can resume connections.The server caches the session keys to make this possible, and if a client connects back with a known TLS session ID, the keys are retrieved from itscache and used. In itself, the features is not a big problem, and the feature is necessary to achieve optimal performance for TLS. Without being able to resume connections, the TLS handshake has to be established again.
However, the problem with FreeRADIUS is that it assumes that for resumed sessions, the inner authentication, which is the actual RADIUS authentication, already succeeded. This is not always true. A session may be interrupted, and then resumed, before the authentication succeeded.
The result is that an attacker can authenticate to a FreeRADIUS server by first connecting, then suspending and resuming the session. No credentials are necessary.
FreeRADIUS released an update. Version 3.0.14 is no longer vulnerable. If you cant patch right now, then you can also turn off TLS session caching by setting enabled=no in the cache section of the EAP module settings. The vulnerability has been assigned %%CVE:2017-9148%%.
A PoC exploit has been developed, but I have not seen it made public so far.
For details, see the original post by Stefan Winter
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.