Demonstrate no increased risks in RADIUS TCP ports 1812 and 1813 reported vulnerability findings in RSA Authentication Manager 8.x
Originally Published: 2018-11-14
Article Number
000067171
Applies To
QID 86763 - RADIUS Port 1812 - The "WWW-Authenticate: Basic realm=" header field is returned in readable clear text, which can aid eavesdropping and thereby compromise confidentiality. An attacker can exploit this issue when a 401 error is returned because authentication is required. The WWW-Authenticate header also reveals that the Basic authentication scheme is in use.

QID 86476 - RADIUS Port 1813 - Qualys reports that the service was unable to complete testing for HTTP/HTTPS vulnerabilities because the web server stopped responding.

QID 11827 - HTTP Security Header Not Detected (HSTS missing). Found on all RSA Authentication Manager devices on RADIUS port 1812 TCP/UDP.

CWE-693 - Protection Mechanism Failure. The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, click jacking, or MIME-type sniffing attacks.
CVE Identifier(s)
CVE-2016-2183, CVE-2015-2808, CVE-2013-2566
Article Summary
A Qualys security scan of RSA Authentication Manager servers found several issues with RADIUS ports 1812 and 1813 TCP/UDP, including the following:
  •  QID 11827 - RADIUS Port 1812 TCP/UDP HTTP Security Header Not Detected (HSTS).
  •  QID 86763 - RADIUS Port 1812 - "WWW-Authenticate: Basic realm=" header field response using Readable Clear Text.
  •  QID 86476 - RADIUS Port 1813 - Unable to complete testing since the web server stopped responding.
  •  CWE-693 - Protection Mechanism Failure (https://cwe.mitre.org/data/definitions/693.html).

The HTTP/HTTPS browser tests below, run against any RSA Authentication Manager 8.x server, demonstrate that there is nothing to exploit on TCP ports 1812 and 1813. The results can serve as a statement or engineering response.
Resolution
Test connections to the RSA Authentication Manager 8.x primary and all replicas on both ports 1812 and 1813, with both http and https, using a browser, in order to demonstrate that there are no new risks.

Newer browser versions or those with strict security settings might prevent these connections. You must find an older version of a browser to run these tests, or possibly modify your browser security settings to allow these old connections.

URL:  http://<am_primary>:1812
Result:  Console Not Supported
(screenshot: 1812_TCP_console_not_supported)

URL:  http://<am_primary>:1813
Result:  ERR_EMPTY_RESPONSE
(screenshot: 1813_TCP_ERR_EMPTY_RESPONSE)

URL:  https://<am_primary>:1812
Result:  401 forbidden
(screenshot: 1812_TCP_https_401)

URL:  https://<am_primary>:1813
Result:  Prompts for RADIUS sign-in credentials
(screenshot: https 1813 sign in)
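The four browser checks above can be repeated from the command line so that the baseline the article documents can be re-verified after patching or firewall changes. The script below is an added example and is not RSA tooling; it assumes curl is on PATH, that the server name is passed as the first argument, and that the expected results are exactly the four outcomes listed above (the https checks are matched on the 401 status code, which is what produces the browser sign-in prompt). Any response that does not match the baseline is reported as a deviation.

```shell
#!/bin/sh
# Added example (not part of the RSA article): probe the RADIUS administration
# ports of an RSA Authentication Manager 8.x server with curl and compare each
# response with the baseline result the article documents.
# Usage: ./probe_radius_ports.sh <am_primary>

# expected_result SCHEME PORT -> the baseline label taken from the article
expected_result() {
  case "$1:$2" in
    http:1812)  echo "console not supported" ;;
    http:1813)  echo "empty response" ;;          # browser shows ERR_EMPTY_RESPONSE
    https:1812) echo "401" ;;
    https:1813) echo "401" ;;                     # browser renders this as a sign-in prompt
    *)          echo "unknown"; return 1 ;;
  esac
}

# classify_response CURL_EXIT HTTP_CODE BODY -> a label comparable with expected_result
classify_response() {
  rc=$1; code=$2; body=$3
  case "$rc" in
    0)  ;;                                        # curl received an HTTP response
    52) echo "empty response"; return 0 ;;        # curl 52: "Empty reply from server"
    *)  echo "connection error ($rc)"; return 0 ;; # 7 refused, 28 timeout, 35 TLS handshake failure
  esac
  if printf '%s\n' "$body" | grep -qi "console not supported"; then
    echo "console not supported"
  elif [ "$code" = "401" ]; then
    echo "401"
  else
    echo "http $code"
  fi
}

# probe_one SCHEME HOST PORT -> prints MATCH/DEVIATION line, returns 0 only on MATCH
probe_one() {
  scheme=$1; host=$2; port=$3
  tmp=$(mktemp)
  # -k: the appliance presents its own certificate; -w prints the status code (000 on failure)
  code=$(curl -s -k --max-time 10 -o "$tmp" -w '%{http_code}' "$scheme://$host:$port/")
  rc=$?
  body=$(cat "$tmp"); rm -f "$tmp"
  observed=$(classify_response "$rc" "$code" "$body")
  expected=$(expected_result "$scheme" "$port")
  if [ "$observed" = "$expected" ]; then status=MATCH; else status=DEVIATION; fi
  printf '%-9s %s://%s:%s  expected=[%s] observed=[%s]\n' \
    "$status" "$scheme" "$host" "$port" "$expected" "$observed"
  [ "$status" = MATCH ]
}

# Only probe when a server name is supplied; the functions can be sourced without side effects.
if [ -n "${1:-}" ]; then
  failures=0
  for target in http:1812 http:1813 https:1812 https:1813; do
    probe_one "${target%%:*}" "$1" "${target##*:}" || failures=$((failures + 1))
  done
  echo "$failures deviation(s) from the documented baseline"
  exit "$failures"
fi
```

If curl exits with code 35 the TLS handshake failed, which is the command-line equivalent of the remark above about strict browser settings; a client that still accepts the server's legacy cipher suites (for example via curl's --ciphers option) is then needed to complete the https checks. A DEVIATION on the http 1813 check in particular (anything other than an empty reply) is worth investigating, since the article's whole argument rests on that port exposing nothing to a browser.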
 
Optionally, you can obtain RADIUS administrative account credentials from the encrypted RSA Authentication Manager internal database using the rsautil command with Operations Console credentials. To obtain the RADIUS username and password, follow the steps below:
 
  1. Launch an SSH client, such as PuTTY.
  2. Log in to the primary RSA Authentication Manager server as rsaadmin and enter the operating system password.

During Quick Setup another username may have been selected. Use that username to log in.

login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Wed Jul 24 14:09:47 2019 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.radius.os.admin.username
Please enter OC Administrator username: <enter Operations Console admin user name>
Please enter OC Administrator password: <enter Operations Console admin password>
com.rsa.radius.os.admin.username: Radius_user_nsuo8rll
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.radius.os.admin.password
Please enter OC Administrator username: <enter Operations Console admin user name>
Please enter OC Administrator password: <enter Operations Console admin password>
com.rsa.radius.os.admin.password: qnWD0fvC0ASuYxYxHqLNJIggOz5enZ
rsaadmin@am82p:/opt/rsa/am/utils>
  3. Once you have the RADIUS user name and com.rsa.radius.os.admin.password, paste them into the text boxes, as shown:
(screenshot: RADIUS sign-in dialog with user name and password entered)
 
  4. Then you can successfully authenticate to the RADIUS console and further demonstrate that no new risks are evident. Even with these credentials, you gain access to a list of RADIUS commands, but cannot see anything new.
(screenshot: 1813_TCP_https_CommandList)
 
When trying to access any of the commands listed, you get a variation of one of the following messages:
  • Not permitted
(screenshot: 1813_TCP_https_system-config_Not_Permitted)
  • No style sheet, for already known information such as the RSA user name
(screenshot: 1813_TCP_https_Radius_User_No_style_sheet)
  • Output from the local PC to a .nada file
(screenshot: SBR_Launch_NADA)
Notes
RADIUS TCP ports 1812 and 1813 - Communication to these ports is internal. The RSA Authentication Manager servers connect to these ports for administration, and other SBR servers connect for replication. There is also a connection for the initial replication during Quick Setup. No other system or user should connect to these ports, and they can be blocked by firewalls. Ports 1813/TCP and 1812/TCP should never be exposed to a public-facing network.

CVE-2013-2566 - The flaw exists but is not exploitable. Tens of millions of packets must be captured (where all packets have the same plaintext, with the sensitive data in the same location) in order to exploit this issue. The traffic on these ports (for administration and replication) is relatively infrequent, often requiring administrator intervention to start the connection and transfer. If there is more data, more packets are transferred with the manual operation, but the data in the packets varies, making the exploit impossible. The problem was identified with RSA RADIUS server port 1813/TCP. This is an internal port for RSA RADIUS and is NOT the standard RADIUS port 1813/UDP, which is used for RADIUS accounting. Juniper and RSA document that these internal ports (1813/TCP and 1812/TCP) should never be exposed to a public-facing network.

CVE-2015-2808 - RC4 algorithm vulnerability, in RSA Authentication Manager 8.1: Not Exploitable
The flaw exists but is not exploitable. If a browser that requires the RC4 cipher is used to connect to the RSA Authentication Manager consoles, RSA Authentication Manager is capable of negotiating the connection with RC4. However, the vulnerability cannot be exploited because its impact is greatest in the first bytes encrypted with RC4 and diminishes thereafter, disappearing after 100 encrypted bytes, if not sooner. The data passed between browsers and RSA Authentication Manager does not include any sensitive data in the first 100 bytes of RC4-encrypted data.

CVE-2016-2183 - Sweet32: There is only a vulnerability if customers connect to this port. If they do not connect, an attacker cannot act as a man-in-the-middle to "poodle" the connection. https://<am_server>:1813 does not allow real access.
Disclaimer
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell EMC, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.