Vulnerability in OSC Radiator EAP-MSCHAPv2 and EAP-pwd could allow privilege escalation

Open System Consultants (OSC)
Security Advisory OSC-SEC-2015-01

Published: July 15, 2015 12:30 pm UTC

Summary

A vulnerability exists in the Radiator Extensible Authentication Protocol (EAP) EAP-MSCHAP-V2 and EAP-pwd implementations where a malicious EAP client could hide the real user identity after successful authentication.

This vulnerability could allow a malicious EAP client to gain unauthorised access to resources protected by Radiator. Successful exploitation requires valid authentication credentials and specially crafted EAP client software.

The vulnerability was discovered by OSC’s development team. OSC is not aware of public use of this vulnerability.

Affected Radiator versions

The vulnerability affects Radiator versions up to 4.14.

Affected Radiator configurations

The vulnerability affects Radiator configurations which support EAP-MSCHAP-V2 or EAP-pwd authentication. If your Radiator is not configured to support these EAP methods, it is not affected. Note: EAP-MSCHAP-V2 is commonly used together with PEAP.

Radiator installations proxying EAP messages are not affected if they do not also authenticate EAP messages.

Recommended action

OSC recommends upgrading to Radiator 4.15.

Mitigation

If you cannot upgrade at this time and are running Radiator 4.11 or later, you can upgrade EAP-MSCHAP-V2 individually as described below.

The EAP-pwd changes also require upgrading additional Perl modules, as described in the change history, so no simple mitigation is available for EAP-pwd.

Questions and Answers

What might an attacker use this vulnerability for?

The effects depend on the configuration. If the affected EAP methods are used only for authentication, an attacker may be able to conceal the real identity in some of the system authentication logs. When authorization is also performed after authentication, the attacker may gain unauthorised access to resources. Common examples of such resources are wired and Wi-Fi networks with WPA-Enterprise and WPA2-Enterprise authentication, where authorization may be used, for example, for VLAN assignment. EAP-MSCHAP-V2 is commonly used together with PEAP.

What is required to exploit this vulnerability?

The attacker needs to develop a custom EAP supplicant (client software) to send specially crafted EAP messages. The attacker must have valid credentials to authenticate to the system.