pam_radius and Blast RADIUS

Eric Lin pirate585 at gmail.com
Thu Jul 11 09:00:33 UTC 2024


Fair enough. I've read through
https://www.bleepingcomputer.com/news/security/new-blast-radius-attack-bypasses-widely-used-radius-authentication/
and understand how the Blast-RADIUS attack might bypass RADIUS
authentication.

Our config is pam_radius (PAP) --> freeradius (acting as radius proxy)
--> Microsoft NPS to integrate with Azure MFA. This workflow happens
inside a private network.

From section 6 of
https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/,
it looks like RADIUS/UDP and RADIUS/TCP can be used in a secure
network, but are still at risk. Furthermore, checking the pam_radius module,
it also seems not to support TLS. I guess I will need to find an
alternative or live with it.

Regards,
Eric

On Thu, Jul 11, 2024 at 4:03 PM marki <jm+freeradiususer at roth.lu> wrote:
>
> Have you read what Blastradius is about?
> Since we don't know your network, it is hard to say.
> In any case it wouldn't hurt to use an updated client.
>
> El 11 de julio de 2024 8:25:41 CEST, Eric Lin <pirate585 at gmail.com> escribió:
> >Hello,
> >
> >We are using pam_radius for authentication.
> >On both the RADIUS server and RADIUS client (Ubuntu 22.04), after upgrading
> >to 3.2.5-1, I am seeing
> >
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >BlastRADIUS check: Received packet without Message-Authenticator.
> >Setting "require_message_authenticator = false" for client
> >client_10.42.18.224_28
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
> >Once the client is upgraded, set "require_message_authenticator =
> >true" for  client client_10.42.18.224_28
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >BlastRADIUS check: Received packet without Proxy-State.
> >Setting "limit_proxy_state = true" for client client_10.42.18.224_28
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >The packet does not contain Message-Authenticator, which is a security issue.
> >UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.
> >Once the client is upgraded, set "require_message_authenticator =
> >true" for client client_10.42.18.224_28
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >
> >the client package version is
> >~# apt list --installed |grep radius
> >
> >WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
> >
> >freeradius-common/jammy,now 3.2.5-1 all [installed,automatic]
> >freeradius-config/jammy,now 3.2.5-1 amd64 [installed,automatic]
> >freeradius-utils/jammy,now 3.2.5-1 amd64 [installed]
> >libfreeradius3/jammy,now 3.2.5-1 amd64 [installed,automatic]
> >libpam-radius-auth/jammy,now 2.0.0-1 amd64 [installed]
> >
> >Should I take any action?
> >
> >Regards,
> >Eric
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
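The two knobs in the warning quoted above, require_message_authenticator and limit_proxy_state, come down to one distinction: the Response Authenticator of RFC 2865 is an unkeyed MD5 over data the network can influence, while the Message-Authenticator of RFC 2869 is an HMAC-MD5 keyed with the shared secret. The following is an added example, not code from FreeRADIUS, pam_radius or anyone in this thread: it re-implements the packet rules from the RFCs with hashlib/hmac and models the server-side policy of the two clients.conf settings as described in the warning text (a request with no Message-Authenticator is processed when require_message_authenticator is off, dropped when it is on, and dropped when it carries Proxy-State and limit_proxy_state is on). The shared secret testing123, the user eric, the password hunter2 and all packets are constructed for the example. No MD5 collision is computed; the point is to show which check is keyed and which is not.

```python
"""Added example: RADIUS Message-Authenticator (keyed) vs. Response Authenticator (unkeyed).
Not FreeRADIUS or pam_radius code; RFC 2865/2869 packet rules rebuilt with hashlib/hmac."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, PROXY_STATE, MESSAGE_AUTHENTICATOR = 1, 2, 33, 80


def pap_encrypt(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: MD5(secret+prev) keystream XORed per 16-byte block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def pap_decrypt(blob: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(blob), 16):
        out += bytes(c ^ k for c, k in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        t, length = body[i], body[i + 1]
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def with_message_authenticator(code, ident, header_auth, attrs, secret):
    """RFC 2869 s5.14: HMAC-MD5(secret) over the packet with the attribute's 16 value bytes
    zeroed. header_auth is the Request Authenticator for requests and responses alike."""
    pkt = build_packet(code, ident, header_auth, list(attrs) + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt, secret, header_auth=None):
    """True/False, or None when the packet carries no Message-Authenticator at all."""
    attrs = decode_attrs(pkt[20:])
    received = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not received:
        return None
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    hashed = pkt[:4] + (header_auth if header_auth is not None else pkt[4:20]) + encode_attrs(zeroed)
    return hmac.compare_digest(received[0], hmac.new(secret, hashed, hashlib.md5).digest())


def build_response(code, ident, attrs, req_auth, secret):
    """Keyed Message-Authenticator first (header holds the Request Authenticator), then the
    unkeyed RFC 2865 s3 Response Authenticator MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    Without the keyed attribute, only this unkeyed MD5 protects an Accept, which is the
    surface the Blast-RADIUS chosen-prefix collision aims at."""
    pkt = with_message_authenticator(code, ident, req_auth, attrs, secret)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def verify_response_authenticator(resp, req_auth, secret):
    return hmac.compare_digest(resp[4:20], hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest())


def server_accepts_request(pkt, secret, require_message_authenticator, limit_proxy_state):
    """Models the two clients.conf knobs named in the FreeRADIUS warning (modelled policy,
    not FreeRADIUS code): an unauthenticated request is processed only in the legacy case."""
    ma_ok = verify_message_authenticator(pkt, secret)
    if ma_ok is None:
        if require_message_authenticator:
            return False
        if limit_proxy_state and any(t == PROXY_STATE for t, _ in decode_attrs(pkt[20:])):
            return False
        return True  # legacy client without Message-Authenticator: the vulnerable path
    return ma_ok


def demo(secret=b"testing123", password=b"hunter2"):
    """Constructed packets only; returns each policy outcome so they can be checked."""
    req_auth, ident = os.urandom(16), 7
    attrs = [(USER_NAME, b"eric"), (USER_PASSWORD, pap_encrypt(password, secret, req_auth))]
    legacy = build_packet(ACCESS_REQUEST, ident, req_auth, attrs)  # old pam_radius: no MA
    injected = build_packet(ACCESS_REQUEST, ident, req_auth, attrs + [(PROXY_STATE, b"\xaa" * 8)])
    hardened = with_message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, secret)
    tampered = hardened[:22] + b"root" + hardened[26:]  # rewrite User-Name in flight
    accept = build_response(ACCESS_ACCEPT, ident, [], req_auth, secret)
    return {
        "pap_roundtrip": pap_decrypt(attrs[1][1], secret, req_auth) == password,
        "legacy_default": server_accepts_request(legacy, secret, False, False),
        "legacy_strict": server_accepts_request(legacy, secret, True, True),
        "proxy_state_limited": server_accepts_request(injected, secret, False, True),
        "hardened_strict": server_accepts_request(hardened, secret, True, True),
        "tampered_strict": server_accepts_request(tampered, secret, True, True),
        "wrong_secret": server_accepts_request(hardened, b"other", True, True),
        "accept_resp_auth": verify_response_authenticator(accept, req_auth, secret),
        "accept_ma": verify_message_authenticator(accept, secret, header_auth=req_auth),
    }
```

The legacy packet, which is what an older pam_radius sends, passes only under the default policy; once both knobs are on, anything without a valid keyed Message-Authenticator is dropped, which is why the server warning asks for the client to be upgraded before the settings are flipped. Note that the Access-Accept is checked twice by the client side here: the Response Authenticator is an unkeyed MD5 over attacker-influenced bytes, so only the second check, the HMAC, is the one a MITM cannot satisfy without the secret.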