Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: FreeRadius Authentication Bypass - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
FreeRadius Authentication Bypass

The RADIUS protocol was originally introduced to authenticate dial-up users.( "Remote Authentication Dial-In User Service). While dial-up modems are gone, RADIUS has stuck around as an all-around authentication protocol for various network devices. RADIUS itself assumes a secure connection, which was fine during dial-up days, but in modern networks, RADIUS usually relies on TLS. 

Today, Stefan Winter released details about a vulnerability in FreeRADIUS, an open source implementation of the RADIUS protocol, which can be used to authenticate successfully without ever sending valid credentials [1].

TLS can "resume connections." The server caches the session keys to make this possible, and if a client connects back with a known TLS session ID, the keys are retrieved from its cache and used. In itself, the features is not a big problem, and the feature is necessary to achieve optimal performance for TLS. Without being able to resume connections, the TLS handshake has to be established again.

However, the problem with FreeRADIUS is that it assumes that for resumed sessions, the "inner authentication," which is the actual RADIUS authentication, already succeeded. This is not always true. A session may be interrupted, and then resumed, before the authentication succeeded. 

The result is that an attacker can authenticate to a FreeRADIUS server by first connecting, then suspending and resuming the session. No credentials are necessary.

FreeRADIUS released an update. Version 3.0.14 is no longer vulnerable. If you can't patch right now, then you can also turn off TLS session caching by setting "enabled=no" in the cache section of the EAP module settings. The vulnerability has been assigned CVE-2017-9148.

A PoC exploit has been developed, but I have not seen it made public so far.

For details, see the original post by Stefan Winter




Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022


4479 Posts
ISC Handler
May 30th 2017
Is this a Windows vulnerability or is it any OS that uses Freeradius?

3 Posts
This is a problem with the FreeRADIUS server, no matter what operating system it is running on. Personally, I have only seen FreeRADIUS on Linux. But Windows systems could authenticate to it. Nothing you need to do to the clients.

4479 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!