Jay Guillette

RSA Authentication Manager 8.x RADIUS TCP ports 1812 and 1813 HTTP Security Header Not Detected

Blog Post created by Jay Guillette Employee on Jan 9, 2020

A Qualys security scan of RSA Authentication Manager version 8.x servers will report several issues with the RADIUS ports 1812 and 1813 TCP/UDP, including the following:

 - QID 11827 - RADIUS Port 1812 TCP/UDP HTTP Security Header Not Detected (HSTS)

 - QID 86763 - RADIUS Port 1812 - "WWW-Authenticate: Basic realm=" header field response using Readable Clear Text

 - QID 86476 - RADIUS Port 1813 - Unable to complete testing since the Web server stopped responding.

 - CWE-693 - Protection Mechanism Failure (https://cwe.mitre.org/data/definitions/693.html)

The fact that you get a response back from http://am-server-lab.net:1812 is of no value to an attacker, because nothing further can be done: there is no method to even authenticate against this port. The response on https is a 401, forbidden.

RSA Engineering Response: The flaw exists but is not exploitable (in a properly configured AM system environment). Port 1812/tcp is not accessed by users or administrators, nor do they have the credentials. It is used internally for RADIUS administration and replication between Authentication Manager servers.


You can demonstrate that this is not exploitable with a browser. Test connections to the RSA Authentication Manager 8.x primary and replica(s) on both 1812 and 1813, with both http and https, in order to demonstrate that no new risks exist. Newer browser versions, or those with strict security settings, might refuse these connections, so you may need an older browser version, or to relax your browser security settings, to allow these old connections.

    URL: http://:1812
    Result: Console Not Supported

    URL: http://:1813
    Result: ERR_EMPTY_RESPONSE

    URL: https://:1812
    Result: 401 forbidden

    URL: https://:1813
    Result: Prompts for Sign In RADIUS credentials

Optionally, you can obtain the RADIUS administrative account credentials from the encrypted Authentication Manager internal database using the rsautil command with Operations Console credentials. To obtain the RADIUS username and password, follow the steps below:

 1. Launch an SSH client, such as PuTTY.

 2. Log in to the primary Authentication Manager server as rsaadmin and enter the operating system password. Note that during Quick Setup another user name may have been selected; use that user name to log in.

    login as: rsaadmin
    Using keyboard-interactive authentication.
    Password:
    Last login: Wed Jul 24 14:09:47 2019 from jumphost.vcloud.local
    RSA Authentication Manager Installation Directory: /opt/rsa/am
    rsaadmin@am82p:~> cd /opt/rsa/am/utils
    rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.radius.os.admin.username
    Please enter OC Administrator username:
    Please enter OC Administrator password:
        com.rsa.radius.os.admin.username: Radius_user_nsuo8rll
    rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.radius.os.admin.password
    Please enter OC Administrator username:
    Please enter OC Administrator password:
        com.rsa.radius.os.admin.password: qnWD0fvC0ASuYxYxHqLNJIggOz5enZ
    rsaadmin@am82p:/opt/rsa/am/utils>

Once you have the RADIUS user name and password (the com.rsa.radius.os.admin.username and com.rsa.radius.os.admin.password values), paste them into the sign-in text boxes (screenshot: 1813_TCP_https_Sign_In_Credentials).

Then you can successfully authenticate to the RADIUS console and further demonstrate that no new risks are evident. Even with these credentials you gain access only to a list of RADIUS commands, and cannot see anything 'new' (screenshot: 1813_TCP_https_CommandList).

When trying to access any of the commands listed you will get a variation of one of the following messages: not permitted, no style sheet for already-known information such as the RSA username, or output from the local PC to a .nada file.

 - not allowed

 - No style sheet

 - Output from the local PC to a .nada file (screenshot: SBR_Launch_NADA)

RADIUS TCP port 1813 - The communication to these ports is internal. The Authentication Manager servers will connect to these ports for administration, and other SBR servers will connect for replication. There is also a connection for the initial replication during Quick Setup. No other systems or users should connect to these ports, and they can be blocked by firewalls. Port 1813/TCP (as well as port 1812/TCP) should never be exposed to a public-facing network.

CVE-2013-2566 - The flaw exists but is not exploitable. To exploit this issue, tens of millions of packets must be captured, where all packets have the same plaintext with the sensitive data in the same location. The traffic on these ports (for administration and replication) is relatively infrequent, often requiring admin intervention to start the connection and transfer. If there is more data, then more packets will be transferred with the manual operation, but the data in the packets will vary, making the exploit impossible. The problem was identified with the RSA RADIUS server's port 1813/TCP. This is an internal port for RSA RADIUS and is NOT the standard RADIUS port 1813/UDP, which is used for RADIUS accounting. Also note that Juniper and RSA document that these internal ports (port 1813/TCP as well as port 1812/TCP) should never be exposed to a public-facing network.

CVE-2015-2808 - RC4 algorithm vulnerability in RSA Authentication Manager 8.1: Not Exploitable. The flaw exists but is not exploitable. If a browser which requires the RC4 cipher is used to connect to the Authentication Manager consoles, then Authentication Manager is currently capable of negotiating the connection with RC4. However, the vulnerability cannot be exploited because its impact is greatest in the first bytes encrypted with RC4 and diminishes, disappearing after 100 encrypted bytes, if not sooner. The data passed between browsers and Authentication Manager does not include any sensitive data in the first 100 bytes of RC4-encrypted data.

CVE-2016-2183 - Sweet32: There is only a vulnerability if customers connect to this port. If they do not connect, then an attacker cannot act as a man-in-the-middle to "poodle" the connection. https://:1813 does not allow real access.
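The browser checks earlier in the post (Console Not Supported, ERR_EMPTY_RESPONSE, 401, sign-in prompt) and the point just above that 1812/tcp and 1813/tcp should be firewalled can both be re-run as a script. The following is an added example and is not part of the RSA post or of RSA's own tooling: the hostname, the timeouts, and the wire-level form assumed for each browser result (for instance, treating "prompts for sign in" as a 401 carrying a Basic WWW-Authenticate header) are assumptions. It sends no credentials; it only records how each port answers and compares that with what the post documents, and it reports a port as reachable so an administrator can confirm from an untrusted network that it is not.

```python
"""Re-run the post's browser probes against an Authentication Manager host.

Added example, not RSA code. The expected-response table below is derived
from the post's screenshots; how each result looks on the wire is assumed.
"""
import http.client
import socket
import ssl

PORTS = (1812, 1813)

# (scheme, port) -> label the post's browser test reports (assumed wire form).
EXPECTED = {
    ("http", 1812): "console-not-supported",
    ("http", 1813): "empty-response",
    ("https", 1812): "401",
    ("https", 1813): "401-basic-prompt",
}


def classify(status, headers, body):
    """Reduce one HTTP response to a short label.

    status is None when the peer closed the connection without sending a
    status line (what a browser shows as ERR_EMPTY_RESPONSE).
    """
    if status is None:
        return "empty-response"
    hdrs = {name.lower(): value for name, value in headers}
    if status == 401:
        # QID 86763 flags this header: the realm name travels in clear text.
        if hdrs.get("www-authenticate", "").lower().startswith("basic"):
            return "401-basic-prompt"
        return "401"
    if b"console not supported" in body.lower():
        return "console-not-supported"
    return f"unexpected-{status}"


def probe(host, port, scheme, timeout=5.0):
    """GET / over http or https; return (status, headers, body).

    Certificate verification is disabled because these internal ports use
    the appliance's own certificate; the script inspects behaviour only.
    """
    if scheme == "https":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheaders(), resp.read()
    except (http.client.BadStatusLine, ConnectionResetError):
        return None, [], b""  # peer hung up: ERR_EMPTY_RESPONSE
    finally:
        conn.close()


def compare(observed):
    """observed: {(scheme, port): label} -> {(scheme, port): (label, ok)}."""
    return {key: (label, label == EXPECTED.get(key)) for key, label in observed.items()}


def reachable(host, port, timeout=3.0):
    """True if a TCP handshake completes. From anywhere other than the AM
    servers themselves this should be False: the post says both ports are
    internal and should be blocked by firewalls."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_host(host):
    """Run every probe the post performs and flag anything undocumented."""
    observed = {}
    for port in PORTS:
        if not reachable(host, port):
            continue  # filtered, which is the desired state off-box
        for scheme in ("http", "https"):
            try:
                observed[(scheme, port)] = classify(*probe(host, port, scheme))
            except OSError as exc:  # covers ssl.SSLError and timeouts
                observed[(scheme, port)] = f"error-{type(exc).__name__}"
    return compare(observed)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "am-server-lab.net"  # host from the post
    results = check_host(target)
    if not results:
        print(f"{target}: ports {PORTS} not reachable from here (expected off-box)")
    for (scheme, port), (label, ok) in sorted(results.items()):
        print(f"{scheme}://{target}:{port}  {label:24s} {'as documented' if ok else 'DIFFERS'}")
```

Run it once from an Authentication Manager server (where the ports are expected to answer as the post shows) and once from the network a scanner sits on, where an empty result means the firewall rule is doing its job; any label marked DIFFERS is worth a closer look, since it is behaviour the post does not document.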
