JSA10410 - Steel-Belted Radius EAP-FAST Authentication Succeeds with Incorrect Password

Information

Product Affected: SBR
Problem
Certain SBR products are vulnerable to a condition in which the authentication phase (Phase 1) of EAP-FAST can be bypassed. This may allow an attacker to gain unauthorized access without providing a password or token value.

This is a Pulse Secure Security Advisory released to our entitled customers on 2009-10-14 at 15:00 US/Pacific time (22:00UTC).

The affected software releases are Steel-Belted Radius Enterprise Edition, Global Enterprise Edition, and Service Provider Edition versions 5.3.x, 5.4.x, 5.5.x, 6.0.x, 6.1.x, and Windows Appliance version 5.4.x.

In every version the vulnerability is present if and only if EAP-FAST is enabled.

The defect is documented in PR 451981 and was found internally.

A workaround is available: Disable EAP-FAST by following the instructions shown below in the "Solution" section. Using EAP-GenericTokenCard in an EAP-PEAP tunnel is suggested as an alternative.

Fixed software is available for all affected versions except for SBR 5.3.x, which is no longer supported, and SBR 5.5.x, for which no patch is available. Customers are encouraged to upgrade to unaffected, fixed versions (or upgrade to a supported, affected version and apply the appropriate patch). If customers must continue to run those affected versions, they are strongly encouraged to disable EAP-FAST.

In some cases, applying the patch to SBR will prevent Odyssey Access Client (OAC) users from logging in successfully, as documented in PR 453339. Affected versions of OAC are 4.56, 4.57, 4.6x, 4.7x, 4.80.12833 and earlier, and 5.00.13531 and earlier. The Windows Mobile Edition of OAC is not affected. Upgrades for OAC are available. Note that OAC version 4.56 is the only version certified under the Common Criteria, and the fixed version, 4.58, has not yet been certified. In circumstances in which Common Criteria certification must be preferred over the fixed software, EAP-FAST should be disabled.

Note that although PPS was developed from the same code base, PPS has no support for EAP-FAST and thus is not affected by this issue.
Solution
Affected customers should choose one of the following two solutions:
  1. Apply a patch to Steel-Belted Radius by following the instructions in the attached document (available at http://alerts-int.juniper.net/AlertUpload/EAPFAST_PatchInstructions_Final.pdf). You may also need to upgrade Odyssey Access Client as discussed below.
  2. Disable EAP-FAST by setting the "Enable" variable equal to zero ("Enable=0") in the fastauth.aut configuration file. Pulse Secure suggests using EAP-GenericTokenCard in an EAP-PEAP tunnel as a replacement for EAP-FAST.
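The following script is an added example (not Pulse Secure or Juniper code) that checks whether the workaround in step 2 is in place and produces a disabled copy of the method file. It assumes fastauth.aut is an INI-style file and that the "Enable" key described above lives in a [Bootstrap] section; the section name and the sample file contents are constructed assumptions, only the key name and the Enable=0 setting come from the advisory.

```python
"""Audit a Steel-Belted Radius fastauth.aut file for the EAP-FAST workaround.

Added example, not vendor code. Assumptions: the .aut file is INI-style and
the advisory's "Enable" key sits in a [Bootstrap] section (section name and
sample content are constructed; the key name and Enable=0 come from the
advisory).
"""
import configparser
import sys

# Constructed sample of a method file with the EAP-FAST plug-in switched on.
SAMPLE_ENABLED = """\
[Bootstrap]
LibraryName=fastauth.dll
Enable=1
InitializationString=EAP-FAST
"""


def eap_fast_enabled(aut_text: str) -> bool:
    """Return True if any section sets Enable to something other than 0.

    The advisory's workaround is Enable=0, so that exact value is the only
    one treated as disabled; anything else (1, yes, a typo) counts as enabled
    so the audit fails closed.
    """
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True
    )
    parser.read_string(aut_text)
    for section in parser.sections():
        value = parser.get(section, "enable", fallback=None)
        if value is not None and value.strip() != "0":
            return True
    return False


def disable_eap_fast(aut_text: str) -> str:
    """Return the .aut text with every Enable line rewritten to Enable=0.

    All other lines are preserved byte-for-byte so the file can be diffed
    against the original before it is written back.
    """
    out = []
    for line in aut_text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip().lower() == "enable":
            out.append("Enable=0")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def audit_file(path: str) -> bool:
    """Read a fastauth.aut file from disk and report whether EAP-FAST is enabled."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return eap_fast_enabled(fh.read())


if __name__ == "__main__":
    # Usage: python audit_fastauth.py /path/to/fastauth.aut
    # With no argument the constructed sample is audited instead.
    if len(sys.argv) > 1:
        enabled = audit_file(sys.argv[1])
    else:
        enabled = eap_fast_enabled(SAMPLE_ENABLED)
    print("EAP-FAST is", "ENABLED (workaround not applied)" if enabled else "disabled")
    if enabled and len(sys.argv) == 1:
        print("--- disabled copy ---")
        print(disable_eap_fast(SAMPLE_ENABLED), end="")
```

Run it against the real file path on the SBR host; a disabled result means the workaround is in effect, and the disabled copy can be reviewed and written back in place of the original (SBR still has to be restarted or the method reloaded according to the product documentation for the change to take effect).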

Steel-Belted Radius 5.3.x is no longer supported. If you are running that version and you have enabled EAP-FAST, you are strongly advised to either disable EAP-FAST or purchase an upgrade and install the appropriate patch.

No patch is available for Steel-Belted Radius 5.5.x. If you are running that version and you have enabled EAP-FAST, you are strongly advised to disable it.

In some cases, applying the patch to SBR prevents Odyssey Access Client users from logging in, as documented in PR 453339. This happens when a user logs in using EAP-FAST in token mode with any of the OAC versions listed in the left column of the table below. Windows Mobile Edition of OAC does not have this problem. If you are subject to this additional problem and you are running an OAC version in the list below, then you should upgrade OAC to the fixed version shown in the same row:

  Affected OAC version                                    Upgrade to
  4.56* (see note below) or 4.57                          4.58
  4.6x (included in UAC 2.0r1-r4)                         4.80.12833.0 (included in UAC 2.2r5)
  4.7x (included in UAC 2.1r1-r4)                         4.80.12833.0 (included in UAC 2.2r5)
  4.80.b (with b < 12833) (included in UAC 2.1r1-r4)      4.80.12833.0 (included in UAC 2.2r5)
  5.00.b (with b < 13531) (included in UAC 3.0r1-r2)      5.00.13531.0 (included in UAC 3.0r3)

The fixed versions of OAC are available at https://www.pulsesecure.net/support/software.

* NOTE: Only OAC 4.56 has been certified under the Common Criteria. The recommended upgrade, 4.58, has not been certified. Where this is important, disabling EAP-FAST, as discussed above, may be preferable.
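The version ranges in the table above have two build-number thresholds and an edition exemption that are easy to get wrong when checking an installed base by hand. The script below is an added example (not Pulse Secure or Juniper code) that encodes those rows as comparisons on parsed version strings. It assumes OAC version strings use the two-digit minor convention seen on the page (4.56, 4.80, 5.00), so "4.6x" means minors 60 through 69 and "4.7x" means 70 through 79; the Windows Mobile exemption is modelled as a boolean argument because the advisory exempts that edition as a whole.

```python
"""Map an installed Odyssey Access Client version to the PR 453339 upgrade table.

Added example, not vendor code. Assumes the two-digit minor convention used
on the page (4.56, 4.80, 5.00); "4.6x"/"4.7x" are taken as minors 60-69 and
70-79. A bare "4.80" or "5.00" with no build number is treated as an old build
(conservative: it is reported as needing the upgrade).
"""
from typing import Optional, Tuple


def parse_oac_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version such as '4.80.12833.0' into a tuple of ints."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OAC version string: {version!r}")
    return tuple(int(p) for p in parts)


def oac_recommended_upgrade(version: str, windows_mobile: bool = False) -> Optional[str]:
    """Return the fixed OAC version from the table, or None if this client is not
    subject to the post-patch login failure.

    The Windows Mobile Edition is exempt regardless of version number.
    """
    if windows_mobile:
        return None
    v = parse_oac_version(version)
    major, minor = v[0], v[1]
    build = v[2] if len(v) > 2 else 0  # missing build -> assume old (conservative)

    if (major, minor) in ((4, 56), (4, 57)):
        return "4.58"
    if major == 4 and 60 <= minor <= 79:           # 4.6x and 4.7x rows
        return "4.80.12833.0"
    if (major, minor) == (4, 80) and build < 12833:  # 4.80.b with b < 12833
        return "4.80.12833.0"
    if (major, minor) == (5, 0) and build < 13531:   # 5.00.b with b < 13531
        return "5.00.13531.0"
    return None


if __name__ == "__main__":
    # Constructed inventory lines: (hostname, OAC version, is Windows Mobile Edition)
    inventory = [
        ("laptop-01", "4.56", False),
        ("laptop-02", "4.80.12832.0", False),
        ("laptop-03", "4.80.12833.0", False),
        ("handheld-01", "4.56", True),
        ("laptop-04", "5.00.13100.0", False),
    ]
    for host, ver, wm in inventory:
        fix = oac_recommended_upgrade(ver, windows_mobile=wm)
        status = f"upgrade to {fix}" if fix else "no action needed"
        print(f"{host:12} OAC {ver:14} {status}")
```

Feed it the OAC versions from an endpoint inventory before rolling out the SBR patch; every host reported as needing an upgrade will otherwise lose EAP-FAST token-mode logins once the patch is applied, and the 4.56 hosts flagged here are the ones where the Common Criteria note above applies.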
Workaround
Implementation
Related Links
CVSS Score
Risk Assessment: This vulnerability allows access without authentication, but a device is affected if and only if EAP-FAST is enabled.
Acknowledgements
Alert Type: PSN - Product Support Notification
Risk Level: High
Attachment 2
Legacy ID: PSN-2009-10-552, JSA10410
