
Juniper Security Advisory: Steel-Belted Radius EAP-FAST Authentication Succeeds with Incorrect Password

  [JSA10410]


Legacy Advisory Id:
PSN-2009-10-552
Product Affected:
SBR
Problem:


Certain Juniper Networks SBR products are vulnerable to a condition in which the authentication phase (Phase 1) of EAP-FAST can be bypassed. This may allow an attacker to gain unauthorized access without providing a password or token value.

This is a Juniper Networks Security Advisory released to our entitled customers on 2009-10-14 at 15:00 US/Pacific time (22:00UTC).

The affected software releases are Steel-Belted Radius Enterprise Edition, Global Enterprise Edition, and Service Provider Edition versions 5.3.x, 5.4.x, 5.5.x, 6.0.x, 6.1.x, and Windows Appliance version 5.4.x.

In every version the vulnerability is present if and only if EAP-FAST is enabled.

The defect is documented in PR 451981 and was found internally.

A workaround is available: Disable EAP-FAST by following the instructions shown below in the "Solution" section. Using EAP-GenericTokenCard in an EAP-PEAP tunnel is suggested as an alternative.

Fixed software is available for all affected versions except for SBR 5.3.x, which is no longer supported, and SBR 5.5.x, for which no patch is available. Customers are encouraged to upgrade to unaffected, fixed versions (or upgrade to a supported, affected version and apply the appropriate patch). If customers must continue to run those affected versions, they are strongly encouraged to disable EAP-FAST.

In some cases, applying the patch to SBR will prevent Odyssey Access Client (OAC) users from logging in successfully, as documented in PR 453339. Affected versions of OAC are 4.56, 4.57, 4.6x, 4.7x, 4.80 builds earlier than 4.80.12833, and 5.00 builds earlier than 5.00.13531. The Windows Mobile Edition of OAC is not affected. Upgrades for OAC are available. Note that OAC version 4.56 is the only version certified under the Common Criteria, and its fixed version, 4.58, has not yet been certified. In circumstances in which Common Criteria certification must be preferred over the fixed software, EAP-FAST should be disabled.

Note that although IC/UAC was developed from the same code base, IC/UAC has no support for EAP-FAST and thus is not affected by this issue. No other Juniper Networks products are affected by this issue.
Solution:


Affected customers should choose one of the following two solutions:

1. Apply a patch to Steel-Belted Radius by following the instructions in the attached document (available at http://alerts-int.juniper.net/AlertUpload/EAPFAST_PatchInstructions_Final.pdf). You may also need to upgrade Odyssey Access Client as discussed below.

OR

2. Disable EAP-FAST by setting the "Enable" variable equal to zero ("Enable=0") in the fastauth.aut configuration file. Juniper suggests using EAP-GenericTokenCard in an EAP-PEAP tunnel as a replacement for EAP-FAST.

Steel-Belted Radius 5.3.x is no longer supported. If you are running that version and you have enabled EAP-FAST, you are strongly advised to either disable EAP-FAST or purchase an upgrade and install the appropriate patch.

No patch is available for Steel-Belted Radius 5.5.x. If you are running that version and you have enabled EAP-FAST, you are strongly advised to disable it.

In some cases, applying the patch to SBR prevents Odyssey Access Client users from logging in, as documented in PR 453339. This happens when a user logs in using EAP-FAST in token mode with any of the OAC versions listed in the left column of the table below. The Windows Mobile Edition of OAC does not have this problem. If you are subject to this additional problem and you are running an OAC version in the table, then you should upgrade OAC to the fixed version shown in the same row:

Affected OAC version                                      Upgrade to
4.56* (see note below) or 4.57                            4.58
4.6x (included in UAC 2.0r1-r4)                           4.80.12833.0 (included in UAC 2.2r5)
4.7x (included in UAC 2.1r1-r4)                           4.80.12833.0 (included in UAC 2.2r5)
4.80.b with b < 12833 (included in UAC 2.1r1-r4)          4.80.12833.0 (included in UAC 2.2r5)
5.00.b with b < 13531 (included in UAC 3.0r1-r2)          5.00.13531.0 (included in UAC 3.0r3)

The fixed versions of OAC are available at https://www.juniper.net/customers/support/products/aaa_802/oac_client_user.jsp.

* NOTE: Only OAC 4.56 has been certified under the Common Criteria. The recommended upgrade, 4.58, has not been certified. Where this is important, disabling EAP-FAST, as discussed above, may be preferable.
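The following audit helper is an added example for this advisory; it is not Juniper code and is not part of SBR or OAC. It checks whether a fastauth.aut still leaves EAP-FAST enabled, applies the Enable=0 workaround from Solution 2 without disturbing the rest of the file, and maps an OAC version string to the fixed version from the table above (so that 4.80 builds are compared by build number rather than by a simple "older than" rule). Assumptions not stated on the advisory page: fastauth.aut is an INI-style file whose [Bootstrap] section carries the "Enable" key, and OAC reports its version as a dotted string such as "4.80.12500.0". The sample file contents are constructed.

```python
"""Audit helpers for the EAP-FAST workaround and the OAC upgrade table.

Added example for this advisory; it is not Juniper code and not part of SBR or
OAC. Assumed (not stated on the advisory page): fastauth.aut is an INI-style
file whose [Bootstrap] section carries the "Enable" key, and OAC reports its
version as a dotted string such as "4.80.12500.0".
"""
import configparser
import re
from typing import Optional

# Constructed sample of a fastauth.aut that still has EAP-FAST enabled.
# Only the Enable key comes from the advisory; the other keys are assumed.
SAMPLE_FASTAUTH_ENABLED = """\
[Bootstrap]
LibraryName=fastauth.dll
Enable=1
InitializationString=EAP-FAST
"""


def eap_fast_enabled(aut_text: str) -> bool:
    """True unless [Bootstrap] explicitly sets Enable=0.

    A missing section or key is reported as enabled so the audit fails
    closed; only the advisory's workaround value (Enable=0) counts as safe.
    """
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(aut_text)
    value = cfg.get("Bootstrap", "Enable", fallback="1")
    return value.strip() != "0"


def disable_eap_fast(aut_text: str) -> str:
    """Return aut_text with Enable=0 in [Bootstrap], leaving other lines intact.

    If [Bootstrap] has no Enable key one is added; if the section is missing
    it is appended.
    """
    out, section, seen_bootstrap, done = [], None, False, False
    for line in aut_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # Leaving [Bootstrap] without having seen Enable: add it here.
            if section == "bootstrap" and not done:
                out.append("Enable=0")
                done = True
            section = stripped[1:-1].strip().lower()
            seen_bootstrap = seen_bootstrap or section == "bootstrap"
        elif section == "bootstrap" and re.match(r"\s*Enable\s*=", line, re.IGNORECASE):
            line = "Enable=0"
            done = True
        out.append(line)
    if not seen_bootstrap:
        out.append("[Bootstrap]")
    if not done:
        out.append("Enable=0")
    return "\n".join(out) + "\n"


def oac_required_upgrade(version: str) -> Optional[str]:
    """Map an OAC version string to the fixed version from the advisory's table.

    Returns None when the client is already at or past the fix, or when the
    version is not in the table at all (e.g. 4.58, 4.81, 5.01). A 4.80 or
    5.00 version with no build number is treated as needing the upgrade.
    """
    parts = version.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OAC version string: {version!r}")
    major, minor = int(parts[0]), int(parts[1])
    build = int(parts[2]) if len(parts) > 2 else None  # None: build unknown
    if major == 4:
        if minor in (56, 57):
            return "4.58"
        if 60 <= minor <= 79:  # 4.6x and 4.7x
            return "4.80.12833.0"
        if minor == 80 and (build is None or build < 12833):
            return "4.80.12833.0"
    if major == 5 and minor == 0 and (build is None or build < 13531):
        return "5.00.13531.0"
    return None


if __name__ == "__main__":
    print("EAP-FAST enabled in sample:", eap_fast_enabled(SAMPLE_FASTAUTH_ENABLED))
    fixed = disable_eap_fast(SAMPLE_FASTAUTH_ENABLED)
    print("enabled after workaround:", eap_fast_enabled(fixed))
    for v in ("4.56", "4.63", "4.80.12500.0", "4.80.12833.0", "5.00.13000.0"):
        print(v, "->", oac_required_upgrade(v) or "no upgrade needed")
```

Run it against a copy of the real fastauth.aut from each SBR host; the rewrite is string-in, string-out, so the caller decides whether to write the result back. The version mapping deliberately raises on strings it cannot parse rather than guessing, since a silently "clean" result would hide a client that still needs the fix.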
Implementation:


Deployment of fixed software varies by implementation platform. Detailed instructions are available in the attached document (available at http://alerts-int.juniper.net/AlertUpload/EAPFAST_PatchInstructions_Final.pdf).

Disclaimer: Juniper Networks is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. Juniper Networks expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. Juniper Networks may change this notice at any time.
Modification History:

2017-03-05: Category restructure.

Related Links:
Risk Level:
High
Risk Assessment:
This vulnerability allows access without authentication, but a device is affected if and only if EAP-FAST is enabled. This issue was discovered internally at Juniper by the development team and it is not believed to be known to parties outside the company. A workaround is available in lieu of installing fixed software.
Attachment File: