freeradius: VU#871675: Authentication bypass in EAP-PWD (CVE-2019-11234 CVE-2019-11235)

Related Vulnerabilities: CVE-2019-11234   CVE-2019-11235   CVE-2019-9494   CVE-2019-9495  

Debian Bug report logs - #926958

Reported by: Bernhard Schmidt <berni@debian.org>

Date: Fri, 12 Apr 2019 17:57:02 UTC

Severity: grave

Tags: security, upstream

Found in versions freeradius/3.0.12+dfsg-1, freeradius/3.0.12+dfsg-5+deb9u1, freeradius/3.0.17+dfsg-1, freeradius/3.0.12+dfsg-5

Fixed in version freeradius/3.0.17+dfsg-1.1

Done: Bernhard Schmidt <berni@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>:
Bug#926958; Package src:freeradius. (Fri, 12 Apr 2019 17:57:04 GMT).


Acknowledgement sent to Bernhard Schmidt <berni@debian.org>:
New Bug report received and forwarded. Copy sent to Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>. (Fri, 12 Apr 2019 17:57:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: VU#871675: Authentication bypass in EAP-PWD
Date: Fri, 12 Apr 2019 19:55:29 +0200
Package: src:freeradius
Severity: important
Tags: security

3.0.19 has been released addressing some issues in EAP-PWD. The VU#
linked in the original advisory is not (yet?) accessible and I haven't
found a CVE for it.

Since FreeRADIUS is orphaned I'll look at doing an NMU when I find some
time, but likely not before early next week.


https://freeradius.org/security/

2019.04.10 Authentication bypass in EAP-PWD

The EAP-PWD module is vulnerable to multiple issues, including
authentication bypass. This module is not enabled in the default
configuration. Administrators must manually enable it for their server
to be vulnerable. Versions 3.0.0 through 3.0.18 are affected.

The EAP-PWD module is vulnerable to side-channel and cache-based
attacks. The issue is discussed in more detail in Hostap 2019-2. The attack
requires the attacker to be able to run a program on the target device.
This is not commonly the case on an authentication server (EAP server),
so the most likely target for this would be a client device using
EAP-PWD. It is not clear at this time if the attack is possible between
multiple virtual machines on the same hardware.

Other issues with EAP-PWD were found earlier, and patched in Hostap. The
FreeRADIUS team was not notified of these attacks until recently. We
have now patched FreeRADIUS to address these issues.

Additional issues were found by Mathy Vanhoef as part of a deep
investigation into EAP-PWD. He also supplied patches to address the
issues. His report is included below. This issue is recorded in
VU#871675.

We have released version 3.0.19 to address these issues.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 15 Apr 2019 20:03:05 GMT).


Marked as found in versions freeradius/3.0.17+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 15 Apr 2019 20:03:07 GMT).


Marked as found in versions freeradius/3.0.12+dfsg-5+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 15 Apr 2019 20:03:10 GMT).


Marked as found in versions freeradius/3.0.12+dfsg-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 15 Apr 2019 20:03:12 GMT).


Marked as found in versions freeradius/3.0.12+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 15 Apr 2019 20:03:14 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>:
Bug#926958; Package src:freeradius. (Tue, 16 Apr 2019 06:27:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>. (Tue, 16 Apr 2019 06:27:05 GMT).


Message #20 received at 926958@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Bernhard Schmidt <berni@debian.org>, 926958@bugs.debian.org
Subject: Re: Bug#926958: VU#871675: Authentication bypass in EAP-PWD
Date: Tue, 16 Apr 2019 08:22:14 +0200
Control: retitle -1 freeradius: VU#871675: Authentication bypass in EAP-PWD (CVE-2019-11234 CVE-2019-11235)

Hi

There are two CVEs assigned for freeradius related to VU#871675.

Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1695783 and
https://bugzilla.redhat.com/show_bug.cgi?id=1695748 for details.

Regards,
Salvatore



Changed Bug title to 'freeradius: VU#871675: Authentication bypass in EAP-PWD (CVE-2019-11234 CVE-2019-11235)' from 'VU#871675: Authentication bypass in EAP-PWD'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 926958-submit@bugs.debian.org. (Tue, 16 Apr 2019 06:27:05 GMT).


Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Sat, 20 Apr 2019 21:39:09 GMT).


Reply sent to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility. (Mon, 22 Apr 2019 22:09:03 GMT).


Notification sent to Bernhard Schmidt <berni@debian.org>:
Bug acknowledged by developer. (Mon, 22 Apr 2019 22:09:03 GMT).


Message #29 received at 926958-close@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: 926958-close@bugs.debian.org
Subject: Bug#926958: fixed in freeradius 3.0.17+dfsg-1.1
Date: Mon, 22 Apr 2019 22:04:40 +0000
Source: freeradius
Source-Version: 3.0.17+dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
freeradius, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926958@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated freeradius package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 22 Apr 2019 23:23:36 +0200
Source: freeradius
Architecture: source
Version: 3.0.17+dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Closes: 926958
Changes:
 freeradius (3.0.17+dfsg-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Cherry-Pick upstream commits to fix CVE-2019-11234 / CVE-2019-11235 /
     VU#871675 (Invalid Curve Attack and Reflection Attack on EAP-PWD, leading
     to authentication bypass) (Closes: #926958)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>:
Bug#926958; Package src:freeradius. (Wed, 24 Apr 2019 15:45:05 GMT).


Acknowledgement sent to Bernhard Schmidt <berni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>. (Wed, 24 Apr 2019 15:45:06 GMT).


Message #34 received at 926958@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: team@security.debian.org, 926958@bugs.debian.org
Subject: Proposed security upload for FreeRADIUS
Date: Wed, 24 Apr 2019 17:42:31 +0200
Hi,

I've gained access to the FreeRADIUS salsa repo and have pushed a new
debian/stretch branch containing last year's security upload and the
cherry-picked fixes for #926958.

It applies and builds cleanly; I'm currently waiting for a colleague who
runs our Radius proxies to test it.

debdiff attached.

Best Regards,
Bernhard
[freeradius.diff (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>:
Bug#926958; Package src:freeradius. (Wed, 24 Apr 2019 15:51:03 GMT).


Acknowledgement sent to Bernhard Schmidt <berni@debian.org>, 926958@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>. (Wed, 24 Apr 2019 15:51:03 GMT).


Message #39 received at 926958@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: team@security.debian.org, 926958@bugs.debian.org
Subject: Re: Bug#926958: Proposed security upload for FreeRADIUS
Date: Wed, 24 Apr 2019 17:47:28 +0200
Am 24.04.19 um 17:42 schrieb Bernhard Schmidt:

> I've gained access to the FreeRADIUS salsa repo and have pushed a new
> debian/stretch branch containing last year's security upload and the
> cherry-picked fixes for #926958.

And by the way, it should not be affecting Jessie, as EAP-PWD has only
been introduced in FreeRADIUS 3.0.0.

Not sure who is responsible to update the security tracker for LTS.

Bernhard



Information forwarded to debian-bugs-dist@lists.debian.org, Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>:
Bug#926958; Package src:freeradius. (Wed, 24 Apr 2019 19:27:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>. (Wed, 24 Apr 2019 19:27:06 GMT).


Message #44 received at 926958@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Bernhard Schmidt <berni@debian.org>
Cc: team@security.debian.org, 926958@bugs.debian.org
Subject: Re: Proposed security upload for FreeRADIUS
Date: Wed, 24 Apr 2019 21:23:16 +0200
Hi Berni,

On Wed, Apr 24, 2019 at 05:42:31PM +0200, Bernhard Schmidt wrote:
> Hi,
> 
> I've gained access to the FreeRADIUS salsa repo and have pushed a new
> debian/stretch branch containing last year's security upload and the
> cherry-picked fixes for #926958.
> 
> It applies and builds cleanly; I'm currently waiting for a colleague who
> runs our Radius proxies to test it.

Looking closer now again at the issue, if I understand correctly, the
module would not be enabled by default and to exploit the issue one
would actually as well need to have access to the authentication
server.

Unless I miss something in the picture, I would say this could be
fixed via the next point release for stretch, and does not warrant a
DSA on its own.

Do I miss something?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>:
Bug#926958; Package src:freeradius. (Wed, 24 Apr 2019 21:21:03 GMT).


Acknowledgement sent to Bernhard Schmidt <berni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>. (Wed, 24 Apr 2019 21:21:03 GMT).


Message #49 received at 926958@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 926958@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#926958: Proposed security upload for FreeRADIUS
Date: Wed, 24 Apr 2019 23:19:02 +0200
Am 24.04.19 um 21:23 schrieb Salvatore Bonaccorso:

Hi Salvatore,

>> I've gained access to the FreeRADIUS salsa repo and have pushed a new
>> debian/stretch branch containing last year's security upload and the
>> cherry-picked fixes for #926958.
>>
>> It applies and builds cleanly; I'm currently waiting for a colleague who
>> runs our Radius proxies to test it.
> 
> Looking closer now again at the issue, if I understand correctly, the
> module would not be enabled by default and to exploit the issue one
> would actually as well need to have access to the authentication
> server.

It's not enabled by default, that's correct. I think universities are
pushing for it because it is a secure-with-default configuration to
authenticate eduroam users, compared to EAP-TTLS or MSCHAPv2 where
security relies on a proper TLS verification no user is configuring
manually.

I have no idea whatsoever about the inner workings of the EAP-PWD
algorithm and I don't even try to understand EC cryptography, but as far
as I understand both FreeRADIUS CVEs are not about timing attacks, but
missing validation of user-supplied parameters.

---
Implementation-Specific Flaws

While investigating 4 different EAP-pwd implementations, we discovered
that all 4 were vulnerable to invalid curve and reflection attacks.
Although these are implementation-specific flaws, this indicates both
vulnerabilities might be present in other implementations of EAP-pwd as
well. We therefore recommend to audit EAP-pwd implementations for these
two vulnerabilities.

Invalid Curve Attack

The first implementation-specific vulnerability is an invalid curve
attack, and would allow an attacker to authenticate as any user (without
knowing the password). The problem is that on the reception of an
EAP-PWD Commit frame, a vulnerable EAP-pwd implementation does not
verify whether the received elliptic curve point is valid. To fix this
vulnerability, it must be checked that the received point is on the
elliptic curve, and that it is not the point at infinity (e.g. using the
function EC_POINT_is_on_curve and EC_POINT_is_at_infinity).
Additionally, EAP-pwd implementations must check that the received
scalar s is within the range 1 < s < r, where r is the order of the
elliptic curve being used. If the scalar is not within this range, or
the curve point is not valid, the handshake should be aborted.

An adversary can exploit the above vulnerability by sending a scalar
equal to zero (or equal to the order of the elliptic curve), and by
sending a specially crafted (invalid) elliptic curve point. This
combination causes the negotiated session key to have a very small range
of possible values. The adversary can then test each possible key until
the correct session key is found. We successfully confirmed this attack
against both vulnerable client-side and server-side implementations.

Reflection Attack

The second implementation-specific vulnerability might allow “fake”
authentications. More precisely, an attacker can reflect the received
scalar and element (i.e. elliptic curve point) that was sent by the
server, in its own commit message, and subsequently reflect the confirm
value as well. This causes the adversary to successfully authenticate as
the victim. Fortunately, the adversary will not learn the negotiated
session key, meaning the adversary cannot actually perform any actions
as the victim.

This vulnerability can be patched by comparing the received scalar and
curve point to the one generated by the server (i.e. by comparing it to
the element and scalar that was sent to the client). If either of them
are the same, the handshake should be aborted.

We successfully tested this attack against vulnerable client-side
implementations of EAP-pwd.
---

I think the timing-based attack was the one in src:wpa (Dragonblood),
CVE-2019-9494 and CVE-2019-9495.

The two redhat bug tracker entries you linked say

CVE-2019-11234 freeradius: eap-pwd: fake authentication using reflection

A vulnerability was found in FreeRadius. An attacker can reflect the
received scalar and element from the server in its own commit message,
and subsequently reflect the confirm value as well. This causes the
adversary to successfully authenticate as the victim. Fortunately, the
adversary will not possess the negotiated session key, meaning the
adversary cannot actually perform any actions as this user.


CVE-2019-11235 freeradius: eap-pwd: authentication bypass via an invalid
curve attack

A vulnerability was found in FreeRadius. An invalid curve attack allows
an attacker to authenticate as any user (without knowing the password).
The problem is that on the reception of an EAP-PWD Commit frame,
FreeRADIUS doesn't verify whether the received elliptic curve point is
valid.

> Unless I miss something in the picture, I would say this could be
> fixed via the next point release for stretch, and does not warrant a
> DSA on its own.
> 
> Do I miss something?

I'm fine with that as well, I'm not keen on doing a security nmu I don't
really understand. Letting it cool down in -proposed might be a good
idea. Let me know how to proceed.

Best Regards,
Bernhard

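The two checks the quoted report prescribes for a received EAP-pwd Commit frame, written out as an added example (this is not FreeRADIUS code and not part of the bug log): the scalar must satisfy 1 < s < r, the element must be a point on the curve and not the point at infinity, and neither value may simply echo what the server sent. It uses pure-Python arithmetic on NIST P-256 (standard domain parameters) so it runs without OpenSSL; the scalars and points in demo() are constructed for illustration.

```python
# Added example, not FreeRADIUS code: validate a peer's EAP-pwd Commit frame
# against the two flaws in the report. Invalid-curve attack: reject a scalar
# outside 1 < s < r and an element that is not on the curve or is the point
# at infinity. Reflection attack: reject a Commit that echoes our own scalar
# or element. Pure-Python arithmetic on NIST P-256 (standard parameters);
# the sample values in demo() are constructed.
from typing import Optional, Tuple

# NIST P-256: y^2 = x^3 + A*x + B (mod P); generator G has prime order R.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
R = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

Point = Optional[Tuple[int, int]]  # None represents the point at infinity


def is_on_curve(pt: Point) -> bool:
    """The question EC_POINT_is_on_curve answers: coordinates in [0, P)
    that satisfy the curve equation. Infinity is handled by the caller."""
    if pt is None:
        return False
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_commit(peer_scalar: int, peer_element: Point,
                    own_scalar: int, own_element: Point) -> Optional[str]:
    """Return None if the peer's Commit may be used, else the reason to abort."""
    # Invalid-curve defence, part 1: s = 0 and s = r (the values the report
    # says an attacker sends) both fall outside 1 < s < r and are rejected.
    if not (1 < peer_scalar < R):
        return "scalar out of range"
    # Invalid-curve defence, part 2: the element must be a real curve point.
    if peer_element is None:
        return "element is the point at infinity"
    if not is_on_curve(peer_element):
        return "element is not on the curve"
    # Reflection defence: the peer must not send back what we sent it.
    if peer_scalar == own_scalar or peer_element == own_element:
        return "scalar or element reflected from our own Commit"
    return None


def demo() -> dict:
    """Constructed cases: our own Commit is (12345, G); -G is a valid point."""
    neg_g = (G[0], P - G[1])
    return {
        "honest": validate_commit(2, neg_g, 12345, G),
        "zero_scalar": validate_commit(0, neg_g, 12345, G),
        "scalar_is_order": validate_commit(R, neg_g, 12345, G),
        "off_curve": validate_commit(2, (G[0], G[1] + 1), 12345, G),
        "infinity": validate_commit(2, None, 12345, G),
        "reflected": validate_commit(12345, G, 12345, G),
    }
```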




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:56:05 2019; Machine Name: beach
