Blast RADIUS resources to protect your network
As news of the Blast RADIUS vulnerability spreads, we wanted to let you know about resources that we’ve put together for you. The big takeaway is this: ********. You MUST UPGRADE your systems as soon as possible. ********* The upgrade process needs to be done carefully but we have many resources to help you. We have FREE RESOURCES available here: https://edit.inkbridgenetworks.com/blastradius ——————————— The following products have an EARLY BIRD DISCOUNT until the END OF WEDNESDAY (tomorrow, July 10) this week. - Step-by-step upgrade guide and worksheet: https://inkbridgenetworks.myshopify.com/products/blastradius-upgrade-documen... The BlastRADIUS Upgrade Guide and Excel worksheet explains exactly how to protect your network from the vulnerability. Together, these documents reduce the risk of “do it yourself” solutions, which can result in accidental network outages. The documents give a set of detailed steps to take, including what configuration changes to make, where those changes should be made, and how to verify that the changes have been applied correctly. - Upgrade guide, Worksheet and a Verification Tool https://inkbridgenetworks.myshopify.com/products/blastradius-documentation-a... The BlastRADIUS Verification Tool enables administrators to verify that systems have been upgraded and configured correctly. It looks at packet captures, and can send RADIUS packets directly to a RADIUS server. The result is a report indicating whether or not the systems are still vulnerable. - Upgrade guide, Worksheet, Verification Tool and 3 months of support. https://inkbridgenetworks.myshopify.com/products/blastradius-documentation-t... While we have full confidence in the documentation and tool, some customers may be looking for additional support. We will provide the above tool and documentation, along with three (3) months of technical support. Our engineers will answer questions you have about any aspects of the BlastRADIUS vulnerability, or the above documentation and verification tool. ————————— The following products have an EARLY BIRD discount until the END OF TUESDAY (July 16th) BlastRADIUS Verification Tool + Guide and Worksheet, and 6 Months of Enhanced Support: https://inkbridgenetworks.myshopify.com/products/blastradius-documentation-t... For customers who are looking for more personal interaction, we will provide the above documentation, verification tools, and six (6) months of technical support. We will also provide two (2) video conferencing sessions of up to three (3) hours in length with our engineers. BlastRADIUS Carrier Package: https://inkbridgenetworks.myshopify.com/products/blastradius-telco-review-pa... Telcos and carriers have unique requirements, greater sensitivity, and large customer-driven urgency. In this package, we will provide documentation, verification tools, and twelve (12) months of technical support. We will also provide four (4) video conferencing sessions of up to three (3) hours in length with our engineers. The sessions with our engineers can also be used to advocate on your behalf with technology vendors. The fixes needed for the BlastRADIUS issue are new, networks are complex, and there may be corner cases that the vendors have been unable to test. If you have issues with vendor behaviour as a result of BlastRADIUS, we can join a call with you and the vendor to clarify any issues. We will also work with the vendors to test and verify any fixes, including updating the RADIUS standards to address issues which we may find. ————————————— Blast RADIUS in the media: https://financialpost.com/pmn/business-wire-news-releases-pmn/blastradius-vu... https://thehackernews.com/2024/07/radius-protocol-vulnerability-exposes.html https://www.thinkbroadband.com/news/10143-new-blast-radius-protocol-vulnerab...
Alan DeKok wrote:
As news of the Blast RADIUS vulnerability spreads, we wanted to let you know about resources that we’ve put together for you. The big takeaway is this: ********. You MUST UPGRADE your systems as soon as possible. *********
Just wanted to thank Alan. We lucked out, our NAS units all seem to send a Message-Authenticator. I suspect Alan's advocacy for securing the RADIUS protocol over the years is a major reason why.
On Jul 10, 2024, at 3:55 PM, Brian Julin <BJulin@clarku.edu> wrote:
Alan DeKok wrote:
As news of the Blast RADIUS vulnerability spreads, we wanted to let you know about resources that we’ve put together for you. The big takeaway is this: ********. You MUST UPGRADE your systems as soon as possible. *********
Just wanted to thank Alan. We lucked out, our NAS units all seem to send a Message-Authenticator.
If you can say, which vendor?
I suspect Alan's advocacy for securing the RADIUS protocol over the years is a major reason why.\
It's good to hear that my efforts have some positive benefit. So yes, if the NASes send Message-Authenticator, then set "require_message_authenticator = yes" for each client, and you're secure. You should likely upgrade the NASes eventually, but that can be done as part of normal maintenance processes. Alan DeKok.
Alan DeKok wrote:
On Jul 10, 2024, at 3:55 PM, Brian Julin <BJulin@clarku.edu> wrote:
Just wanted to thank Alan. We lucked out, our NAS units all seem to send a Message-Authenticator. If you can say, which vendor?
HPE/Aruba ArubaOS-S (at least since WC.16.11.0007 and probably much earlier) AurobaOS-CX (at least since FL.10.10.1090 and probably earlier) ArubaOS (WiFi controllers) (at least since 8.10.0.12_89862 and probably earlier) Observed all of the above sending Message-Authenticator during non-EAP (macauth) transactions. Also have verified the WiFi controller's Message-Authenticaor actually works. Will likely be turning on the requirement for the other OSes today, assuming overnight logs didn't turn up any cretinous old equipment on the network... but not expecting any issues there. Note: we did not test radius-based admin auth, because we don't use it. I never liked the idea of getting locked out of my network gear because a network problem was preventing communication to a centralized authentication server. Call me old fashioned if you will. Their ClearPass server of course is another matter and I have not been yet able to find a knob in there to require the attribute... if their FreeRADIUS version is even new enough to have it. I know they hardened up CoA a while back but I think they still accept requests without Message-Authenticator. Might be able to hack it by routing any requests with no Message-Authenticator to a service that dead-ends them, but for now, was already secured with network-level lockdowns. I'm guessing they will be responsive after the media reception you all managed to drum up and release a patch to help mitigate. Had to teach all my radclient/radtest-using scripts to send a Message-Authenticator but other than that this has been fairly easy to mitigate here. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Brian Julin