Bug 57550 - Access is accepted even though it is denied when account is present but not authorized
Status: NEW
Product: UCS
Classification: Unclassified
Component: Radius
UCS 5.0
All All
Priority/Severity: P5 major with 2 votes
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2024-08-28 17:11 CEST by moritzbeck2001
Modified: 2024-08-28 17:59 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?: Yes
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review: Yes
Ticket number:
Bug group (optional): Role and Access Model
Max CVSS v3 score:


Description moritzbeck2001 2024-08-28 17:11:25 CEST
A user is present within UCS with username = "username" and password = "password". The user has no configuration applied to it, is only a member of the Domain Users group and does not have RADIUS checked. If the user then tries to authenticate, he is still allowed access.

Output from univention-radius-check-access:

sudo univention-radius-check-access --username username --station-id none
     DEBUG: [user=username; mac=e:::::] Given username: 'username'
     DEBUG: [user=username; mac=e:::::] Given stationId: 'none'
     DEBUG: [user=username; mac=e:::::] UCS@school RADIUS support is not installed
     DEBUG: [user=username; mac=e:::::] Checking LDAP settings for user
     DEBUG: [user=username; mac=e:::::] DENY 'uid=username,cn=users,dc=example'
     DEBUG: [user=username; mac=e:::::] -> DENY 'cn=Domain Users,cn=groups,dc=example'
     DEBUG: [user=username; mac=e:::::] -> -> DENY 'cn=Users,cn=Builtin,dc=example'
      INFO: [user=username; mac=e:::::] Login attempt denied by LDAP settings
     DEBUG: [user=username; mac=e:::::] User is not allowed to authenticate via RADIUS
     DEBUG: [user=username; mac=e:::::] --- Thus access is DENIED.
Output from radtest:

radtest username password localhost 1812 testing123
Sent Access-Request Id 252 from 0.0.0.0:34078 to 127.0.0.1:1812 length 76
        User-Name = "username"
        User-Password = "password"
        NAS-IP-Address = [REDACTED]
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
Received Access-Accept Id 252 from 127.0.0.1:1812 to 127.0.0.1:34078 length 83
        Reply-Message = "DEBUG: Not found, assigning default VLAN-ID"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "4010"
I have currently selected 4010 as the default VLAN for "freeradius/vlan-id", because it is an invalid VLAN within Unifi and causes it to deny the connection nevertheless. This is a highly undesirable workaround though.
If the UCR variable is unset, the user is allowed access to whatever VLAN is selected in Unifi. By default, this is the management VLAN.

Please note that https://forge.univention.org/bugzilla/show_bug.cgi?id=56670 is a similar security issue and has already been open for almost a year. If you want me to file for a CVE, I can do that.
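The core of the report is a contradiction between two tools: univention-radius-check-access decides DENY from the LDAP settings, while the RADIUS server answers Access-Accept and hands out the default VLAN. An administrator verifying a fix (or watching for a regression) wants that contradiction detected automatically. The following script is an added example, not part of the bug report or of UCS; it parses the two text outputs in the shape shown above (the sample outputs are constructed from the report) and reports a bypass whenever the LDAP decision is DENY but the RADIUS reply is Access-Accept. It assumes the final verdict line of univention-radius-check-access always has the form `--- Thus access is ...`; only the DENIED wording is confirmed by the report. It does not contact a RADIUS server itself; in practice you would feed it the captured output of both commands.

```python
"""Compare the LDAP-based RADIUS authorization decision with the actual
RADIUS reply. Added illustration; assumes the output formats shown in the
bug report and does not talk to a RADIUS server."""
import re
from typing import Optional

# Constructed sample outputs, modelled on the report (not live captures).
CHECK_ACCESS_DENIED = """\
     DEBUG: [user=username; mac=e:::::] Checking LDAP settings for user
     DEBUG: [user=username; mac=e:::::] DENY 'uid=username,cn=users,dc=example'
      INFO: [user=username; mac=e:::::] Login attempt denied by LDAP settings
     DEBUG: [user=username; mac=e:::::] User is not allowed to authenticate via RADIUS
     DEBUG: [user=username; mac=e:::::] --- Thus access is DENIED.
"""

RADTEST_ACCEPT = """\
Sent Access-Request Id 252 from 0.0.0.0:34078 to 127.0.0.1:1812 length 76
        User-Name = "username"
Received Access-Accept Id 252 from 127.0.0.1:1812 to 127.0.0.1:34078 length 83
        Reply-Message = "DEBUG: Not found, assigning default VLAN-ID"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "4010"
"""

# Constructed: what a correct server should answer for the same user.
RADTEST_REJECT = """\
Sent Access-Request Id 7 from 0.0.0.0:40000 to 127.0.0.1:1812 length 76
        User-Name = "username"
Received Access-Reject Id 7 from 127.0.0.1:1812 to 127.0.0.1:40000 length 20
"""


def check_access_verdict(output: str) -> str:
    """Return 'DENY' or 'ALLOW' from the tool's final verdict line.

    Assumption: the line always reads '--- Thus access is <WORD>.'; the
    report only shows the DENIED case, so any other word is treated as ALLOW.
    """
    m = re.search(r"--- Thus access is ([A-Z]+)", output)
    if not m:
        raise ValueError("no final verdict line in check-access output")
    return "DENY" if m.group(1) == "DENIED" else "ALLOW"


def radius_verdict(output: str) -> dict:
    """Parse radtest output into the Access-* response code and the VLAN
    carried in Tunnel-Private-Group-Id, if any."""
    code = re.search(r"^Received (Access-\w+) Id", output, re.M)
    vlan = re.search(r'Tunnel-Private-Group-Id:\d+ = "([^"]*)"', output)
    return {
        "code": code.group(1) if code else None,
        "vlan": vlan.group(1) if vlan else None,
    }


def find_bypass(check_output: str, radtest_output: str) -> Optional[str]:
    """Return a finding when the RADIUS reply contradicts the LDAP decision,
    or None when both agree (DENY + Access-Reject, or ALLOW + Access-Accept)."""
    decision = check_access_verdict(check_output)
    reply = radius_verdict(radtest_output)
    if decision == "DENY" and reply["code"] == "Access-Accept":
        if reply["vlan"]:
            where = f" (client placed in VLAN {reply['vlan']})"
        else:
            # No Tunnel-Private-Group-Id: the NAS applies its own default VLAN,
            # which is the situation the report describes for an unset UCR variable.
            where = " (no VLAN attribute: NAS default VLAN applies)"
        return "authorization bypass: LDAP settings deny RADIUS but server sent Access-Accept" + where
    return None


if __name__ == "__main__":
    print(find_bypass(CHECK_ACCESS_DENIED, RADTEST_ACCEPT))
    print(find_bypass(CHECK_ACCESS_DENIED, RADTEST_REJECT))
```

Run on the report's outputs the first call reports the bypass with VLAN 4010; run against an Access-Reject it returns None. A useful way to use this is as a post-deployment test: capture both commands for a set of users with and without the RADIUS flag and fail the check on any non-None result.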