Thursday, October 8, 2020

[PSA] Android 11's December security update will remove the ability to disable EAP server cert validation

The December security patch for Android 11 (QPR1) will remove the "Do not validate" option under "CA certificate" for EAP server certificate validation to prevent misconfiguration resulting in credential leaks. This is very good news from a security standpoint!

Visual of what is being removed: https://imgur.com/a/Om9slKo

What this means for organizations: if you're not using strong authentication for network access, aka certificate-based authentication (which you should be), and continue using legacy EAP methods & weak credentials, you need to start configuring supplicants properly. Tunneled EAP methods with weak credentials should only ever be used with managed supplicants (MDM, GPO, etc).

Here is a properly configured supplicant for tunneled EAP methods (EAP-TTLS, PEAP): https://imgur.com/a/qNQg6t0
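As an added illustration of what "configured properly" means when the supplicant is wpa_supplicant rather than Android's settings UI (this is example code, not from the original post): a tunneled-EAP network block must pin a CA and match the RADIUS server's identity, otherwise the inner password is handed to whichever server terminates the TLS tunnel. The script below audits constructed sample blocks for both omissions; the SSIDs, CA path and server name are placeholders.

```python
import re

# Tunneled EAP methods carry a password inside an outer TLS tunnel, so the
# supplicant must validate both the server's certificate and its identity.
TUNNELED = {"PEAP", "TTLS"}
CA_KEYS = {"ca_cert", "ca_path"}
ID_KEYS = {"domain_suffix_match", "domain_match", "altsubject_match", "subject_match"}

# Constructed sample: one "Do not validate"-style block, one properly configured
# block. Paths, SSIDs and the server name are hypothetical placeholders.
SAMPLE_CONF = """
network={
    ssid="corp-legacy"
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp"
    eap=TTLS
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
"""

def parse_networks(conf):
    """Return one dict (key -> unquoted value) per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comment lines
            if "=" in line:
                key, val = line.split("=", 1)
                net[key.strip()] = val.strip().strip('"')
        nets.append(net)
    return nets

def audit(conf):
    """Map ssid -> findings for tunneled-EAP blocks that need attention."""
    findings = {}
    for net in parse_networks(conf):
        if net.get("eap", "").upper() not in TUNNELED:
            continue                      # EAP-TLS etc. are out of scope here
        issues = []
        if CA_KEYS.isdisjoint(net):
            issues.append("no ca_cert/ca_path: server certificate is not validated")
        if ID_KEYS.isdisjoint(net):
            issues.append("no server identity match: any cert from the trusted CA is accepted")
        if issues:
            findings[net.get("ssid", "?")] = issues
    return findings
```

Run it over a managed supplicant config to list the networks that would have relied on "Do Not Validate".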

If you have instructions for end users that tell them to select "Do Not Validate", you should force password changes ASAP, update your documentation, and start working on a migration plan towards strong and modern authentication.

tl;dr stop using weak/legacy authentication methods
