Information Security News
The mysterious group that over the past nine months has leaked millions of dollars' worth of advanced hacking tools developed by the National Security Agency said Tuesday it will release a new batch of tools to individuals who pay a $21,000 subscription fee. The plans, announced in a cryptographically signed post published Tuesday morning, are generating an intense moral dilemma for security professionals around the world.
On the one hand, the Shadow Brokers, as the person or group calls itself, has in the past released potent hacking tools into the wild, including two that were used to deliver the WCry ransomware worm that infected more than 200,000 computers in 150 countries. If the group releases similarly catastrophic exploits for Windows 10 or mainstream browsers, security professionals are arguably obligated to have access to them as soon as possible to ensure patches and exploit signatures are in place to prevent similar outbreaks. On the other hand, there's something highly unsavory and arguably unethical about whitehats paying blackhats with a track record as dark as that of the Shadow Brokers.
"It certainly creates a moral issue for me," Matthew Hickey, cofounder of security firm Hacker House, told Ars. "Endorsing criminal conduct by paying would be the wrong message to send. Equally, I think $21k is a small price to pay to avoid another WannaCry situation, and I am sure many of its victims would agree with that sentiment."
The RADIUS protocol (Remote Authentication Dial-In User Service) was originally introduced to authenticate dial-up users. While dial-up modems are gone, RADIUS has stuck around as an all-around authentication protocol for various network devices. RADIUS itself assumes a secure connection, which was fine in the dial-up days, but in modern networks RADIUS usually relies on TLS.
Today, Stefan Winter released details about a vulnerability in FreeRADIUS, an open source implementation of the RADIUS protocol, which can be used to authenticate successfully without ever sending valid credentials.
TLS can resume connections. The server caches the session keys to make this possible, and if a client connects back with a known TLS session ID, the keys are retrieved from its cache and used. In itself, this feature is not a big problem, and it is necessary to achieve optimal performance for TLS. Without being able to resume connections, the full TLS handshake has to be repeated for every new connection.
However, the problem with FreeRADIUS is that it assumes that for resumed sessions, the inner authentication, which is the actual RADIUS authentication, already succeeded. This is not always true. A session may be interrupted, and then resumed, before the authentication succeeded.
The result is that an attacker can authenticate to a FreeRADIUS server by first connecting, then suspending and resuming the session. No credentials are necessary.
FreeRADIUS released an update. Version 3.0.14 is no longer vulnerable. If you can't patch right now, you can also turn off TLS session caching by setting enabled=no in the cache section of the EAP module settings. The vulnerability has been assigned CVE-2017-9148.
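To make the logic flaw concrete, here is a constructed model of the session-cache decision described above, with the vulnerable behaviour, the "cache disabled" workaround and the "only cache after inner auth" fix side by side. This is an added example, not FreeRADIUS source; the user database, session ID and method names are made up for illustration.

```python
from dataclasses import dataclass, field

# Constructed user database for the example.
USERS = {"alice": "correct-horse"}


@dataclass
class Session:
    session_id: bytes
    inner_auth_done: bool = False  # did the inner RADIUS authentication succeed?


@dataclass
class EapTlsServer:
    """Toy EAP-TLS/PEAP server with a TLS session cache (not FreeRADIUS code)."""
    fixed: bool = False            # True: behave like the patched server
    cache_enabled: bool = True     # False: the 'disable session caching' workaround
    cache: dict = field(default_factory=dict)

    def full_handshake(self, session_id: bytes) -> Session:
        """Outer TLS handshake finished; inner authentication has not happened yet."""
        s = Session(session_id)
        if self.cache_enabled and not self.fixed:
            # Vulnerable: session becomes resumable as soon as TLS is up.
            self.cache[session_id] = s
        return s

    def inner_auth(self, s: Session, user: str, password: str) -> bool:
        """The actual RADIUS credential check inside the TLS tunnel."""
        s.inner_auth_done = USERS.get(user) == password
        if s.inner_auth_done and self.cache_enabled and self.fixed:
            # Fixed: only sessions that completed inner auth become resumable.
            self.cache[s.session_id] = s
        return s.inner_auth_done

    def resume(self, session_id: bytes) -> bool:
        """Client presents a session ID. True means Access-Accept."""
        s = self.cache.get(session_id)
        if s is None:
            return False  # unknown session: full handshake plus inner auth required
        # Vulnerable code trusts any cached session as already authenticated.
        return s.inner_auth_done if self.fixed else True


def interrupted_then_resumed(server: EapTlsServer) -> bool:
    """Handshake, stop before inner auth, then resume. True = accepted without credentials."""
    sid = b"constructed-session-id"
    server.full_handshake(sid)  # session interrupted here; inner_auth is never called
    return server.resume(sid)
```

Only the unpatched server with caching enabled accepts the resumed session; the fixed server still accepts a legitimate resume after a successful inner authentication.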
A PoC exploit has been developed, but I have not seen it made public so far.
For details, see the original post by Stefan Winter.