On Jul 11, 2024, at 11:00 AM, Marco Gaiarin <gaio@lilliput.linux.it> wrote:
Sorry Alan; looking at https://blastradius.fail/ or https://thehackernews.com/2024/07/radius-protocol-vulnerability-exposes.html
You can go to the source: https://inkbridgeneworks.com/blastradius https://inkbridgeneworks.com/blastradius/faq
it is not clear to me if a standard configuration 'Active Directory binded to RADIUS' (eg, WPA2/3-Enterprise, (P)EAP, MSCHAPv2) is vulnerable or not.
The attack has nothing to do with Active Directory. See my FAQ above. There are clear descriptions for who is vulnerable, and who is not.
MSCHAPv2 is listed as 'vulnerable', but also EAP is 'not vulnerable'. This confuse me because i supose(d) that MSCHAPv2 *need* EAP, so...
PEAP is really MS-CHAP inside of TLS, inside of EAP, inside of RADIUS. When you just use MS-CHAP over RADIUS, it's insecure. Don't use that. Ever. Alan DeKok.