The following bug has been logged online:
Bug reference: 5687
Logged by: Alan DeKok
Email address: aland@freeradius.org
PostgreSQL version: 9.0.0
Operating system: All
Description: RADIUS Authentication issues
Details:
CheckRADIUSAuth() in src/backend/libpq/auth.c is subject to spoofing attacks
which can force all RADIUS authentications to fail.
The current code does (at a high level)
read packet
close socket
if (!verify packet) return STATUS_ERROR
if (success) return STATUS_OK
return STATUS_ERROR
The source IP/port/RADIUS ID && authentication vector fields are checked
*after* the socket is closed. This allows an attacker to "race" the RADIUS
server, and spoof the response, forcing PostgreSQL to treat the
authentication as failed.
The code should instead do something like:
do {
read packet
} while (! verify_packet);
close socket
if (success) return STATUS_OK
return STATUS_ERROR
The "verify packet" code could be moved to a separate function for this
purpose. For similar code, see the rad_verify() function in:
http://github.com/alandekok/freeradius-server/blob/v2.1.x/src/lib/radius.c