pam_radius and Blast RADIUS
Alan DeKok
aland at deployingradius.com
Thu Jul 11 11:21:35 UTC 2024
On Jul 11, 2024, at 2:25 AM, Eric Lin <pirate585 at gmail.com> wrote:
> We are using pam_radius for authentication
> on both the radius server and radius client (Ubuntu 22.04). After upgrading
> to 3.2.5-1, I am seeing
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> BlastRADIUS check: Received packet without Message-Authenticator.
> Setting "require_message_authenticator = false" for client
> client_10.42.18.224_28
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
> Once the client is upgraded, set "require_message_authenticator =
> true" for client client_10.42.18.224_28
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> BlastRADIUS check: Received packet without Proxy-State.
> Setting "limit_proxy_state = true" for client client_10.42.18.224_28
So set "limit_proxy_state = true", and the system will be protected. That's what the message is trying to tell you.
> Should I take any action?
Read the message and do what it says?
We will be releasing a new version of the pam_radius module shortly. It will add fixes for the client.
You will still continue to see the above messages (or some variant of them) until you follow the instructions in the message, and set the new configuration flags.
Alan DeKok.
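To make the server-side check behind those warnings concrete, here is an added Python example (not code from the thread, FreeRADIUS or pam_radius). It builds a constructed Access-Request with and without a Message-Authenticator attribute and then classifies the packet the way the 3.2.5 BlastRADIUS check does: is Message-Authenticator present, does its HMAC-MD5 over the packet verify under the shared secret, and is Proxy-State present. The shared secret, user name and the `build_access_request`/`blastradius_check` function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS constants (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_PROXY_STATE = 33
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20       # code, identifier, length, 16-byte authenticator
MA_VALUE_LEN = 16     # Message-Authenticator value is a 16-byte HMAC-MD5


def parse_attributes(packet):
    """Return (type, value_offset, value) for each attribute after the header."""
    attrs = []
    pos = HEADER_LEN
    while pos < len(packet):
        if len(packet) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(secret, attrs, with_message_authenticator,
                         identifier=1, request_authenticator=None):
    """Build an Access-Request from (type, value) pairs.
    With with_message_authenticator=True the packet is signed the way a
    patched client signs it: HMAC-MD5 keyed with the shared secret over the
    whole packet, with the Message-Authenticator value zeroed (RFC 2869 5.14)."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if with_message_authenticator:
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, MA_VALUE_LEN + 2)
        body += bytes(MA_VALUE_LEN)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    if with_message_authenticator:
        # Message-Authenticator was appended last, so its value is the final 16 bytes
        digest = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-MA_VALUE_LEN] + digest
    return packet


def blastradius_check(packet, secret):
    """Classify an Access-Request like the 3.2.5 warnings do.
    Returns (message_authenticator_status, has_proxy_state); the status is one
    of 'missing', 'valid', 'invalid' or 'malformed'."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("only Access-Request is handled here")
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = parse_attributes(packet)
    has_proxy_state = any(t == ATTR_PROXY_STATE for t, _, _ in attrs)
    mas = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        # This is the case the "Received packet without Message-Authenticator" warning reports.
        return "missing", has_proxy_state
    offset, value = mas[0]
    if len(value) != MA_VALUE_LEN:
        return "malformed", has_proxy_state
    zeroed = packet[:offset] + bytes(MA_VALUE_LEN) + packet[offset + MA_VALUE_LEN:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    status = "valid" if hmac.compare_digest(expected, value) else "invalid"
    return status, has_proxy_state


# Constructed sample data for the example (not taken from the thread).
SECRET = b"example-shared-secret"
ATTRS = [(ATTR_USER_NAME, b"alice")]

if __name__ == "__main__":
    old_client = build_access_request(SECRET, ATTRS, with_message_authenticator=False)
    new_client = build_access_request(SECRET, ATTRS, with_message_authenticator=True)
    for name, pkt in (("unpatched client", old_client), ("patched client", new_client)):
        status, proxy = blastradius_check(pkt, SECRET)
        print(f"{name}: Message-Authenticator {status}, Proxy-State present: {proxy}")
```

The "missing" verdict is what the server logged above before it downgraded the client to `require_message_authenticator = false`; once pam_radius on the client sends a Message-Authenticator that verifies as "valid", the client entry can be switched to `require_message_authenticator = true`, and `limit_proxy_state = true` is the setting the second warning asks for on a client that never sends Proxy-State.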