Skip site navigation (1) Skip section navigation (2)

BUG #5687: RADIUS Authentication issues

From: "Alan DeKok" <aland(at)freeradius(dot)org>
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #5687: RADIUS Authentication issues
Date: 2010-09-30 16:07:51
Message-ID: 201009301607.o8UG7pXu014878@wwwmaster.postgresql.org (view raw or flat)
Thread:
Lists: pgsql-bugs
The following bug has been logged online:

Bug reference:      5687
Logged by:          Alan DeKok
Email address:      aland(at)freeradius(dot)org
PostgreSQL version: 9.0.0
Operating system:   All
Description:        RADIUS Authentication issues
Details: 

CheckRADIUSAuth() in src/backend/libpq/auth.c is subject to spoofing attacks
which can force all RADIUS authentications to fail.

The current code does (at a high level)

  read packet
  close socket
  if (!verify packet) return STATUS_ERROR
  if (success) return STATUS_OK
  return STATUS_ERROR

The source IP/port/RADIUS ID && authentication vector fields are checked
*after* the socket is closed.  This allows an attacker to "race" the RADIUS
server, and spoof the response, forcing PostgreSQL to treat the
authentication as failed.

The code should instead do something like:

   do {
       read packet
   } while (! verify_packet);

  close socket
  if (success) return STATUS_OK
  return STATUS_ERROR

The "verify packet" code could be moved to a separate function for this
purpose.  For similar code, see the rad_verify() function in:

http://github.com/alandekok/freeradius-server/blob/v2.1.x/src/lib/radius.c

Responses

pgsql-bugs by date

Next:From: Dave PageDate: 2010-09-30 17:22:18
Subject: Re: BUG #5685: Installer Error
Previous:From: Craig RingerDate: 2010-09-30 14:08:27
Subject: Re: [BUGS] Mapping Hibernate boolean to smallint(Postgresql)

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group