When a RADIUS authentication server is used in a realm configured with the "Do Not Proxy" option, an unauthenticated user may bypass the authentication step of the PPS login process. A bug in the affected PPS firmware allows a new RADIUS Access-Request packet to be sent to the backend RADIUS server in which some fields carry the same values as a previously authenticated Access-Request. Because RADIUS servers use these fields to recognise retransmissions, the server may treat the new Access-Request as a duplicate of the earlier one and return the earlier Access-Accept to the PPS without validating the credentials in the new request. As a result, a user can be authenticated by the PPS without the backend RADIUS server ever validating that user's credentials.
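The following is an added example that models the failure described above; it is not Pulse Secure's code and not the affected firmware. It assumes the server's duplicate cache is keyed on source address, Identifier and Request Authenticator, as RFC 5080 section 2.2.2 recommends, and that the buggy NAS reuses exactly those values (the advisory does not say which fields are duplicated). The shared secret, user database and NAS address are constructed. The `strict` server variant, which keys the cache on the whole packet so that only a byte-identical retransmission is served from cache, is a defence-in-depth illustration, not the vendor's fix; the advisory places the bug in the PPS firmware, so patching PPS remains the remedy.

```python
"""Model of RADIUS duplicate detection and the bypass a NAS causes by reusing
the identifying fields of an earlier Access-Request (added example)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

SECRET = b"constructed-shared-secret"      # constructed, not a real deployment value
USERS = {b"alice": b"correct horse"}       # constructed user database


def hide_password(password: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: XOR with an MD5 keystream."""
    padded_len = max(16, (len(password) + 15) // 16 * 16)
    password = password.ljust(padded_len, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        key = hashlib.md5(SECRET + prev).digest()
        block = bytes(a ^ b for a, b in zip(password[i:i + 16], key))
        out += block
        prev = block                      # next keystream block chains on ciphertext
    return out


def reveal_password(hidden: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(SECRET + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes,
                         user: bytes, password: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes."""
    hidden = hide_password(password, authenticator)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(user)]) + user
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


class RadiusServer:
    def __init__(self, strict: bool = False):
        self.strict = strict
        self.cache = {}                    # duplicate key -> cached response code

    def _dup_key(self, src, packet: bytes):
        _code, identifier, _length = struct.unpack("!BBH", packet[:4])
        key = (src, identifier, packet[4:20])          # RFC 5080 style key
        if self.strict:                                # hardened: whole packet must match
            key += (hashlib.sha256(packet).digest(),)
        return key

    def handle(self, src, packet: bytes) -> int:
        key = self._dup_key(src, packet)
        if key in self.cache:              # treated as a retransmission: no credential check
            return self.cache[key]
        code = self._authenticate(packet)
        self.cache[key] = code
        return code

    def _authenticate(self, packet: bytes) -> int:
        authenticator = packet[4:20]
        attrs, pos = {}, 20
        while pos + 2 <= len(packet):
            attr_type, attr_len = packet[pos], packet[pos + 1]
            if attr_len < 2:
                break                      # malformed attribute, stop parsing
            attrs[attr_type] = packet[pos + 2:pos + attr_len]
            pos += attr_len
        user = attrs.get(ATTR_USER_NAME)
        password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), authenticator)
        return ACCESS_ACCEPT if USERS.get(user) == password else ACCESS_REJECT


def bypass_scenario(strict: bool = False):
    """Returns (first, retransmit, reused-fields, fresh-fields) response codes."""
    server = RadiusServer(strict=strict)
    nas = ("192.0.2.10", 1812)             # constructed PPS address and port
    identifier, authenticator = 7, os.urandom(16)
    first = build_access_request(identifier, authenticator, b"alice", b"correct horse")
    r_first = server.handle(nas, first)
    r_retx = server.handle(nas, first)      # genuine retransmit: byte-identical
    # Buggy NAS: new user and wrong password, but Identifier and Authenticator reused.
    reused = build_access_request(identifier, authenticator, b"mallory", b"wrong")
    r_reused = server.handle(nas, reused)
    fresh = build_access_request(identifier + 1, os.urandom(16), b"mallory", b"wrong")
    r_fresh = server.handle(nas, fresh)
    return r_first, r_retx, r_reused, r_fresh


if __name__ == "__main__":
    print("RFC 5080 key:", bypass_scenario(strict=False))   # reused fields -> Accept
    print("strict key:  ", bypass_scenario(strict=True))    # reused fields -> Reject
```

With the RFC 5080 style key the third request, carrying a different user and a wrong password, is answered from cache with Access-Accept; only a request with a fresh Identifier and Authenticator is actually checked and rejected. A server that compares whole packets still serves the genuine retransmission from cache but rejects the reused-field request, which is also the condition a detection rule would look for: same NAS, same Identifier and Authenticator, different attribute bytes.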