PacketFence - BTS - PacketFence | |||||
| View Issue Details | |||||
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0001390 | PacketFence | security | public | 2012-03-02 10:28 | 2012-04-18 10:00 |
| Reporter | obilodeau | ||||
| Assigned To | fgaudreault | ||||
| Priority | high | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Platform | OS | OS Version | |||
| Product Version | |||||
| Target Version | 3.3.0 | Fixed in Version | 3.3.0 | ||
| fixed in git revision | |||||
| fixed in mtn revision | 3bf62dc6d344cd057285a2741f3cd9804aeaaadc | ||||
| Summary | 0001390: RADIUS Identity misuse | ||||
| Description | The User-Name RADIUS attribute forwarded in PacketFence's core is not the same as the one used for authentication. This could lead in stealing higher network access privileges through identity spoofing. This is not exploitable by default as we do not rely on the User-Name for anything by default. Only users with custom VLAN assignment extension (pf::vlan::custom) and using the $user_name parameter to assign network privileges are affected. Details: Our RADIUS extension runs in RADIUS' outer-tunnel after successful authentication. Outer-tunnel identity is client-side controllable and can be different than the Inner-tunnel identity. The inner-tunnel identity is the one used to perform the authentication and only a success or failure is sent to our RADIUS extension. This possible mismatch between what is sent in the inner vs the outer is the vulnerability: I can successfully authenticate as a low-privileged user but set a high privileged user as my outer identity. The PacketFence RADIUS module is told that authentication passed and applies network access enforcement based on the outer identity (which was spoofed to the highly privileged user). Reported by Rich Graves from Carleton College. | ||||
| Steps To Reproduce | |||||
| Additional Information | |||||
| Tags | No tags attached. | ||||
| Relationships | |||||
| Attached Files | |||||
| Issue History | |||||
| Date Modified | Username | Field | Change | ||
| 2012-03-02 10:28 | obilodeau | New Issue | |||
| 2012-03-02 10:28 | obilodeau | Status | new => assigned | ||
| 2012-03-02 10:28 | obilodeau | Assigned To | => fgaudreault | ||
| 2012-03-02 10:28 | obilodeau | Note Added: 0002597 | |||
| 2012-03-02 10:49 | obilodeau | Description Updated | |||
| 2012-03-02 13:09 | obilodeau | Description Updated | |||
| 2012-03-05 10:10 | fgaudreault | Note Added: 0002598 | |||
| 2012-03-05 10:14 | fgaudreault | Note Added: 0002599 | |||
| 2012-03-06 17:47 | fgaudreault | Note Added: 0002603 | |||
| 2012-03-12 13:53 | fgaudreault | mtn revision | => 3bf62dc6d344cd057285a2741f3cd9804aeaaadc | ||
| 2012-03-12 13:53 | fgaudreault | Note Added: 0002613 | |||
| 2012-03-12 13:53 | fgaudreault | Status | assigned => resolved | ||
| 2012-03-12 13:53 | fgaudreault | Fixed in Version | => trunk | ||
| 2012-03-12 13:53 | fgaudreault | Resolution | open => fixed | ||
| 2012-04-18 09:49 | obilodeau | Target Version | +1 => 3.3.0 | ||
| 2012-04-18 09:50 | obilodeau | View Status | private => public | ||
| 2012-04-18 09:50 | obilodeau | Fixed in Version | trunk => 3.3.0 | ||
| 2012-04-18 09:59 | obilodeau | Note Added: 0002658 | |||
| 2012-04-18 10:00 | obilodeau | Status | resolved => closed | ||
| Notes | |||||
|
|
|||||
|
|
||||
|
|
|||||
|
|
||||
|
|
|||||
|
|
||||
|
|
|||||
|
|
||||
|
|
|||||
|
|
||||
|
|
|||||
|
|
||||