pam_radius and Blast RADIUS
Eric Lin
pirate585 at gmail.com
Thu Jul 11 06:25:41 UTC 2024
Hello,
We are using pam_radius for authentication.
On both the RADIUS server and the RADIUS client (Ubuntu 22.04), after upgrading
to 3.2.5-1, I am seeing
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
BlastRADIUS check: Received packet without Message-Authenticator.
Setting "require_message_authenticator = false" for client
client_10.42.18.224_28
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
Once the client is upgraded, set "require_message_authenticator =
true" for client client_10.42.18.224_28
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
BlastRADIUS check: Received packet without Proxy-State.
Setting "limit_proxy_state = true" for client client_10.42.18.224_28
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The packet does not contain Message-Authenticator, which is a security issue.
UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.
Once the client is upgraded, set "require_message_authenticator =
true" for client client_10.42.18.224_28
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The client package version is:
~# apt list --installed |grep radius
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
freeradius-common/jammy,now 3.2.5-1 all [installed,automatic]
freeradius-config/jammy,now 3.2.5-1 amd64 [installed,automatic]
freeradius-utils/jammy,now 3.2.5-1 amd64 [installed]
libfreeradius3/jammy,now 3.2.5-1 amd64 [installed,automatic]
libpam-radius-auth/jammy,now 2.0.0-1 amd64 [installed]
Should I take any action?
Regards,
Eric
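As an added example (not part of Eric's message and not FreeRADIUS project code), the Python below shows what the server-side check in the log above is actually testing. It builds Access-Request packets with and without a Message-Authenticator (attribute type 80), then runs the presence check and the HMAC-MD5 verification from RFC 2869 section 5.14 that a server performs, and also reports whether Proxy-State (type 33) is present. The shared secret, the attributes and the NAS address are constructed sample values; the script runs offline and never contacts a server.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# RADIUS code and attribute types used here (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_PROXY_STATE = 33
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def parse_attributes(payload: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (offset, type, value) triples; malformed TLVs raise rather than being skipped."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        out.append((i, atype, payload[i + 2:i + alen]))
        i += alen
    return out


def encode_attribute(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes([atype, len(value) + 2]) + value


def build_access_request(secret: bytes, attrs: List[Tuple[int, bytes]], ident: int = 0,
                         authenticator: Optional[bytes] = None, sign: bool = True) -> bytes:
    """Build an Access-Request. sign=False yields the kind of packet the server log
    complains about; sign=True appends Message-Authenticator = HMAC-MD5(secret, packet)
    computed with the attribute value zeroed (RFC 2869 section 5.14)."""
    authenticator = authenticator or os.urandom(16)
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    if sign:
        body += encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + authenticator + body
    if sign:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()  # fill the zeroed slot
    return pkt


def check_packet(secret: bytes, pkt: bytes, request_authenticator: Optional[bytes] = None) -> dict:
    """Apply the checks the server log describes: is Message-Authenticator (type 80) present
    and valid, and is Proxy-State (type 33) present. For a response packet pass the matching
    request's Request Authenticator, which is what the HMAC is computed over."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"Length field {length} does not match {len(pkt)} octets on the wire")
    attrs = parse_attributes(pkt[HEADER_LEN:])
    result = {"code": code, "id": ident, "has_message_authenticator": False,
              "message_authenticator_valid": False,
              "has_proxy_state": any(t == ATTR_PROXY_STATE for _, t, _ in attrs)}
    mas = [(off, val) for off, t, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        return result
    result["has_message_authenticator"] = True
    off, received = mas[0]
    if len(received) != 16:
        raise ValueError("Message-Authenticator value must be 16 octets")
    start = HEADER_LEN + off + 2  # where the value sits inside the packet
    zeroed = pkt[:start] + bytes(16) + pkt[start + 16:]
    if request_authenticator is not None:
        zeroed = zeroed[:4] + request_authenticator + zeroed[HEADER_LEN:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    result["message_authenticator_valid"] = hmac.compare_digest(expected, received)
    return result


def verdict(result: dict) -> str:
    """Summarise a check_packet() result the way an operator would read it."""
    if not result["has_message_authenticator"]:
        return "no Message-Authenticator: server would downgrade this client, upgrade it"
    if not result["message_authenticator_valid"]:
        return "Message-Authenticator present but invalid: wrong secret or tampered packet"
    return "Message-Authenticator present and valid"


# Constructed sample data, not taken from the post: a throwaway secret and two attributes.
SECRET = b"testing123"
SAMPLE_ATTRS = [(ATTR_USER_NAME, b"eric"), (ATTR_NAS_IP_ADDRESS, bytes([10, 42, 18, 224]))]

if __name__ == "__main__":
    good = build_access_request(SECRET, SAMPLE_ATTRS, ident=7)
    bad = build_access_request(SECRET, SAMPLE_ATTRS, ident=8, sign=False)
    tampered = good[:22] + bytes([good[22] ^ 0x01]) + good[23:]  # flip first byte of User-Name
    for name, p in (("signed", good), ("unsigned", bad), ("tampered", tampered)):
        print(f"{name:9s} {verdict(check_packet(SECRET, p))}")
```

The "unsigned" case is what the log lines report: a client that never includes attribute 80, which is why the server falls back to `require_message_authenticator = false` for that client. Feeding real captured packets (for example from a pcap of port 1812 traffic) to `check_packet` with the client's secret tells you which clients still send unsigned requests; once every client sends a valid Message-Authenticator, the client definition can be switched to `require_message_authenticator = true`, and `limit_proxy_state = true` for clients that are not proxies, as the log text itself recommends.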
More information about the Freeradius-Users mailing list