Authentication Manager version 8.X: how to demonstrate no increased risk from the RADIUS TCP port 1812 and 1813 reported vulnerability findings
Originally Published: 2018-11-09
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.X all versions
Platform (Other): SBR RADIUS
O/S Version: Suse Linux
Issue
QID 11827 - RADIUS Port 1812 TCP/UDP HTTP Security Header Not Detected (HSTS) *
QID 86763 - RADIUS Port 1812 - "WWW-Authenticate: Basic realm=" header field response using Readable Clear Text
QID 86476 - RADIUS Port 1813 - Unable to complete testing since the Web server stopped responding.
CWE-693: Protection Mechanism Failure (https://cwe.mitre.org/data/definitions/693.html)
A statement or engineering response from RSA is needed on these Qualys scan findings.
Note: These HTTP and HTTPS browser tests can be run against any version of Authentication Manager that starts with the number 8, but other vulnerabilities not listed here may require you to update or upgrade your AM server version for remediation.
* HSTS is not supported on RADIUS or AM console traffic, but is supported on Web Tiers that allow access to applications from the Internet
https://community.rsa.com/message/906848?commentID=906848#comment-906848
Tasks
From a browser on an administrative workstation, open each of the following URLs against the Authentication Manager primary and record the result:
1. http://<am_primary>:1812
2. http://<am_primary>:1813
3. https://<am_primary>:1812
4. https://<am_primary>:1813
Optionally, obtain the RADIUS administrator credentials from the encrypted AM internal database (this requires Operations Console credentials) and use them to sign in to the RADIUS console.
Resolution
http://<am_primary>:1812 Result -> Console Not Supported
http://<am_primary>:1813 Result -> ERR_EMPTY_RESPONSE (the server closes the connection without returning a response)
https://<am_primary>:1812 Result -> HTTP 401 (Unauthorized)
https://<am_primary>:1813 Result -> Prompts for RADIUS Sign In credentials
Optionally, you can obtain the RADIUS administrative account credentials from the encrypted AM internal database with the rsautil command, run on the primary as the rsaadmin user; it prompts for Operations Console credentials. The rsautil commands are:
/opt/rsa/am/utils/rsautil manage-secrets -a get com.rsa.radius.os.admin.username
/opt/rsa/am/utils/rsautil manage-secrets -a get com.rsa.radius.os.admin.password
With these credentials you can authenticate to the RADIUS console and further demonstrate that no new risk is exposed: even an authenticated session only shows a list of RADIUS commands and reveals nothing 'new'.
Trying to access any of the listed commands produces a variation of one of the following: a 'not permitted' message, a 'no style sheet' message for information that is already known (such as the RSA username), or output written from the local PC to a .nada file.
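The four URL tests above, scripted with curl so the result can be recorded without a browser. This is an added example, not part of the RSA article and not RSA tooling. It assumes curl and mktemp are available on the admin workstation and that the Authentication Manager primary host name is passed as the first argument in place of <am_primary>; the header names it looks for (Strict-Transport-Security for QID 11827, WWW-Authenticate: Basic realm= for QID 86763) come from the findings listed under Issue, and whatever values the appliance actually returns are simply printed, not assumed.

```shell
#!/bin/sh
# Added example, not from the RSA article: reproduce the four browser tests
# from the Tasks section with curl and report the facts behind the three QIDs.
# Assumptions: curl and mktemp exist on the admin workstation, and the AM
# primary host name is given as the first argument in place of <am_primary>.

# Translate a curl exit status plus HTTP status code into the result wording
# used in this article (the browser's ERR_EMPTY_RESPONSE is curl exit 52).
classify_result() {
    crc=$1; ccode=$2
    case "$crc" in
        0)
            case "$ccode" in
                401) echo "401 Unauthorized (credentials required)" ;;
                403) echo "403 Forbidden" ;;
                200) echo "200 OK" ;;
                *)   echo "HTTP $ccode" ;;
            esac ;;
        52) echo "ERR_EMPTY_RESPONSE (server closed the connection without a reply)" ;;
        35) echo "TLS handshake failed (port does not speak HTTPS)" ;;
        7)  echo "connection refused" ;;
        *)  echo "curl exit $crc" ;;
    esac
}

# QID 11827: is a Strict-Transport-Security header present in the response
# headers read from stdin? Prints yes or no.
has_hsts() {
    if grep -qi '^strict-transport-security:'; then echo yes; else echo no; fi
}

# QID 86763: print the realm from a "WWW-Authenticate: Basic realm=..." header
# read from stdin (prints nothing when the header is absent).
basic_realm() {
    sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate: *[Bb]asic *realm="\([^"]*\)".*/\1/p'
}

# Fetch one URL, keeping headers and body, and print what a scanner would see.
# -k is used because the console certificate is often not trusted by the
# workstation; -m 10 bounds the wait on a port that never answers.
probe() {
    url=$1
    hdrs=$(mktemp); body=$(mktemp)
    code=$(curl -sk -m 10 -D "$hdrs" -o "$body" -w '%{http_code}' "$url")
    rc=$?
    printf '%-30s -> %s\n' "$url" "$(classify_result "$rc" "$code")"
    if [ "$rc" -eq 0 ]; then
        printf '    body: %s bytes\n' "$(wc -c < "$body" | tr -d ' ')"
        printf '    HSTS header present: %s\n' "$(has_hsts < "$hdrs")"
        realm=$(basic_realm < "$hdrs")
        if [ -n "$realm" ]; then
            printf '    WWW-Authenticate: Basic realm="%s" (clear-text realm, QID 86763)\n' "$realm"
        fi
    fi
    rm -f "$hdrs" "$body"
}

main() {
    host=$1
    for url in "http://$host:1812" "http://$host:1813" \
               "https://$host:1812" "https://$host:1813"; do
        probe "$url"
    done
}

# Only run the probes when a host name was supplied.
if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as `sh probe_radius_ports.sh <am_primary>` from a workstation that can reach the primary; compare each line against the Resolution table above. A "yes" for the HSTS header on port 1812 or 1813 would contradict the footnote under Issue, and the printed realm is exactly the string QID 86763 objects to being readable.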
Notes
QID 86476 - RADIUS Port 1813 - Qualys reports: The service was unable to complete testing for HTTP / HTTPS vulnerabilities since the Web server stopped responding.
QID 11827 is found on all Authentication Manager devices and affects RADIUS Port 1812 TCP/UDP (HSTS header missing).
CWE-693: Protection Mechanism Failure (https://cwe.mitre.org/data/definitions/693.html) - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.