pam_radius and Blast RADIUS
Hello, We are using pam_radius for authentication. on Both radius server and radius client *Ubuntu 22.04), after upgrade to 3.2.5-1, I am seeing !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! BlastRADIUS check: Received packet without Message-Authenticator. Setting "require_message_authenticator = false" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK. Once the client is upgraded, set "require_message_authenticator = true" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! BlastRADIUS check: Received packet without Proxy-State. Setting "limit_proxy_state = true" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! The packet does not contain Message-Authenticator, which is a security issue. UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK. Once the client is upgraded, set "require_message_authenticator = true" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! the client package version is ~# apt list --installed |grep radius WARNING: apt does not have a stable CLI interface. Use with caution in scripts. freeradius-common/jammy,now 3.2.5-1 all [installed,automatic] freeradius-config/jammy,now 3.2.5-1 amd64 [installed,automatic] freeradius-utils/jammy,now 3.2.5-1 amd64 [installed] libfreeradius3/jammy,now 3.2.5-1 amd64 [installed,automatic] libpam-radius-auth/jammy,now 2.0.0-1 amd64 [installed] Should I take any action? Regards, Eric
Have you read what Blastradius is about? Since we don't know your network, it is hard to say. In any case it wouldn't hurt to use an updated client. El 11 de julio de 2024 8:25:41 CEST, Eric Lin <pirate585@gmail.com> escribió:
Hello,
We are using pam_radius for authentication. on Both radius server and radius client *Ubuntu 22.04), after upgrade to 3.2.5-1, I am seeing
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! BlastRADIUS check: Received packet without Message-Authenticator. Setting "require_message_authenticator = false" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK. Once the client is upgraded, set "require_message_authenticator = true" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! BlastRADIUS check: Received packet without Proxy-State. Setting "limit_proxy_state = true" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! The packet does not contain Message-Authenticator, which is a security issue. UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK. Once the client is upgraded, set "require_message_authenticator = true" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
the client package version is ~# apt list --installed |grep radius
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
freeradius-common/jammy,now 3.2.5-1 all [installed,automatic] freeradius-config/jammy,now 3.2.5-1 amd64 [installed,automatic] freeradius-utils/jammy,now 3.2.5-1 amd64 [installed] libfreeradius3/jammy,now 3.2.5-1 amd64 [installed,automatic] libpam-radius-auth/jammy,now 2.0.0-1 amd64 [installed]
Should I take any action?
Regards, Eric - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
fair enough. I've read through https://www.bleepingcomputer.com/news/security/new-blast-radius-attack-bypas... and understand how blast-radius attack might bypass radius authentication. Our config is pam_radius (PAP) --> freeradius (acting as radius proxy) --> Microsoft NPS to integrate with Azure MFA. This workflow happens inside a private network.
From section 6 of https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/, it looks like RADIUS/UDP and RADIUS/TCP can be used in a secure network, but still at risk. Furthermore, checking pam_radius module, it also seems not supporting TLS. I guess I will need to find an alternative or live with it.
Regards, Eric On Thu, Jul 11, 2024 at 4:03 PM marki <jm+freeradiususer@roth.lu> wrote:
Have you read what Blastradius is about? Since we don't know your network, it is hard to say. In any case it wouldn't hurt to use an updated client.
Hello,
We are using pam_radius for authentication. on Both radius server and radius client *Ubuntu 22.04), after upgrade to 3.2.5-1, I am seeing
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! BlastRADIUS check: Received packet without Message-Authenticator. Setting "require_message_authenticator = false" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK. Once the client is upgraded, set "require_message_authenticator = true" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! BlastRADIUS check: Received packet without Proxy-State. Setting "limit_proxy_state = true" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! The packet does not contain Message-Authenticator, which is a security issue. UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK. Once the client is upgraded, set "require_message_authenticator = true" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
the client package version is ~# apt list --installed |grep radius
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
freeradius-common/jammy,now 3.2.5-1 all [installed,automatic] freeradius-config/jammy,now 3.2.5-1 amd64 [installed,automatic] freeradius-utils/jammy,now 3.2.5-1 amd64 [installed] libfreeradius3/jammy,now 3.2.5-1 amd64 [installed,automatic] libpam-radius-auth/jammy,now 2.0.0-1 amd64 [installed]
Should I take any action?
Regards, Eric - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
El 11 de julio de 2024 8:25:41 CEST, Eric Lin <pirate585@gmail.com> escribió: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jul 11, 2024, at 2:25 AM, Eric Lin <pirate585@gmail.com> wrote:
We are using pam_radius for authentication. on Both radius server and radius client *Ubuntu 22.04), after upgrade to 3.2.5-1, I am seeing
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! BlastRADIUS check: Received packet without Message-Authenticator. Setting "require_message_authenticator = false" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK. Once the client is upgraded, set "require_message_authenticator = true" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! BlastRADIUS check: Received packet without Proxy-State. Setting "limit_proxy_state = true" for client client_10.42.18.224_28
So set "limit_proxy_state = true", and the system will be protected. That's what the message is trying to tell you.
Should I take any action?
Read the message and do what it says? We will be releasing a new version of the pam_radius module shortly. It will add fixes for the client. You will still continue to see the above messages (or some variant of them) until you follow the instructions in the message, and set the new configuration flags. Alan DeKok.
Hi Alan, Thanks a lot and I know where to start now. Regards, Eric On Thu, Jul 11, 2024 at 7:21 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jul 11, 2024, at 2:25 AM, Eric Lin <pirate585@gmail.com> wrote:
We are using pam_radius for authentication. on Both radius server and radius client *Ubuntu 22.04), after upgrade to 3.2.5-1, I am seeing
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! BlastRADIUS check: Received packet without Message-Authenticator. Setting "require_message_authenticator = false" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK. Once the client is upgraded, set "require_message_authenticator = true" for client client_10.42.18.224_28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! BlastRADIUS check: Received packet without Proxy-State. Setting "limit_proxy_state = true" for client client_10.42.18.224_28
So set "limit_proxy_state = true", and the system will be protected. That's what the message is trying to tell you.
Should I take any action?
Read the message and do what it says?
We will be releasing a new version of the pam_radius module shortly. It will add fixes for the client.
You will still continue to see the above messages (or some variant of them) until you follow the instructions in the message, and set the new configuration flags.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Eric Lin -
marki