Anonymous | Login | 2024-12-02 17:58 EST |
Main | My View | View Issues | Change Log | Roadmap |
View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
ID | Project | Category | View Status | Date Submitted | Last Update | |||
0001390 | PacketFence | security | public | 2012-03-02 10:28 | 2012-04-18 10:00 | |||
Reporter | obilodeau | |||||||
Assigned To | fgaudreault | |||||||
Priority | high | Severity | major | Reproducibility | always | |||
Status | closed | Resolution | fixed | |||||
Platform | OS | OS Version | ||||||
Product Version | ||||||||
Target Version | 3.3.0 | Fixed in Version | 3.3.0 | |||||
Summary | 0001390: RADIUS Identity misuse | |||||||
Description | The User-Name RADIUS attribute forwarded in PacketFence's core is not the same as the one used for authentication. This could lead in stealing higher network access privileges through identity spoofing. This is not exploitable by default as we do not rely on the User-Name for anything by default. Only users with custom VLAN assignment extension (pf::vlan::custom) and using the $user_name parameter to assign network privileges are affected. Details: Our RADIUS extension runs in RADIUS' outer-tunnel after successful authentication. Outer-tunnel identity is client-side controllable and can be different than the Inner-tunnel identity. The inner-tunnel identity is the one used to perform the authentication and only a success or failure is sent to our RADIUS extension. This possible mismatch between what is sent in the inner vs the outer is the vulnerability: I can successfully authenticate as a low-privileged user but set a high privileged user as my outer identity. The PacketFence RADIUS module is told that authentication passed and applies network access enforcement based on the outer identity (which was spoofed to the highly privileged user). Reported by Rich Graves from Carleton College. | |||||||
Tags | No tags attached. | |||||||
fixed in git revision | ||||||||
fixed in mtn revision | 3bf62dc6d344cd057285a2741f3cd9804aeaaadc | |||||||
Attached Files | ||||||||
Notes | |
(0002597) obilodeau (reporter) 2012-03-02 10:28 |
We discussed this internally and we have a fix on the way. |
(0002598) fgaudreault (viewer) 2012-03-05 10:10 |
packetfence site post-auth should look like : post-auth { exec if (!EAP-Message) { packetfence } Post-Auth-Type REJECT { attr_filter.access_reject } } This permits non-EAP to exec the perl module while in post-auth, but it won't be exec if doing EAP. In the packetfence-tunnel, post-auth should look like : post-auth { exec packetfence Post-Auth-Type REJECT { attr_filter.access_reject } } |
(0002599) fgaudreault (viewer) 2012-03-05 10:14 |
Crap, my last answer poses potential problems for devices that are doing EAP mac authentication (Juniper) :S I don't want to check the user-name since using identity privacy, you could spoof a mac address as the username. Will continue working on it. |
(0002603) fgaudreault (viewer) 2012-03-06 17:47 |
We should do in : - packetfence site: if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25)) { packetfence } - packetfence-tunnel: post-auth { exec packetfence Post-Auth-Type REJECT { attr_filter.access_reject } } |
(0002613) fgaudreault (viewer) 2012-03-12 13:53 |
Fixed in devel. |
(0002658) obilodeau (reporter) 2012-04-18 09:59 |
fix released in 3.3.0 last friday |
Issue History | |||
Date Modified | Username | Field | Change |
2012-03-02 10:28 | obilodeau | New Issue | |
2012-03-02 10:28 | obilodeau | Status | new => assigned |
2012-03-02 10:28 | obilodeau | Assigned To | => fgaudreault |
2012-03-02 10:28 | obilodeau | Note Added: 0002597 | |
2012-03-02 10:49 | obilodeau | Description Updated | |
2012-03-02 13:09 | obilodeau | Description Updated | |
2012-03-05 10:10 | fgaudreault | Note Added: 0002598 | |
2012-03-05 10:14 | fgaudreault | Note Added: 0002599 | |
2012-03-06 17:47 | fgaudreault | Note Added: 0002603 | |
2012-03-12 13:53 | fgaudreault | mtn revision | => 3bf62dc6d344cd057285a2741f3cd9804aeaaadc |
2012-03-12 13:53 | fgaudreault | Note Added: 0002613 | |
2012-03-12 13:53 | fgaudreault | Status | assigned => resolved |
2012-03-12 13:53 | fgaudreault | Fixed in Version | => trunk |
2012-03-12 13:53 | fgaudreault | Resolution | open => fixed |
2012-04-18 09:49 | obilodeau | Target Version | +1 => 3.3.0 |
2012-04-18 09:50 | obilodeau | View Status | private => public |
2012-04-18 09:50 | obilodeau | Fixed in Version | trunk => 3.3.0 |
2012-04-18 09:59 | obilodeau | Note Added: 0002658 | |
2012-04-18 10:00 | obilodeau | Status | resolved => closed |
Copyright © 2000 - 2012 MantisBT Group |