BlastRADIUS: a CRITICAL security vulnerability
Alan DeKok
aland at deployingradius.com
Thu Jul 11 17:39:37 UTC 2024
On Jul 11, 2024, at 11:00 AM, Marco Gaiarin <gaio at lilliput.linux.it> wrote:
> Sorry Alan; looking at https://blastradius.fail/ or https://thehackernews.com/2024/07/radius-protocol-vulnerability-exposes.html
You can go to the source:
https://inkbridgeneworks.com/blastradius
https://inkbridgeneworks.com/blastradius/faq
> it is not clear to me if a standard configuration 'Active Directory bound to
> RADIUS' (eg, WPA2/3-Enterprise, (P)EAP, MSCHAPv2) is vulnerable or not.
The attack has nothing to do with Active Directory.
See my FAQ above. There are clear descriptions for who is vulnerable, and who is not.
> MSCHAPv2 is listed as 'vulnerable', but also EAP is 'not vulnerable'. This
> confuses me because I suppose(d) that MSCHAPv2 *needs* EAP, so...
PEAP is really MS-CHAP inside of TLS, inside of EAP, inside of RADIUS.
When you just use MS-CHAP over RADIUS, it's insecure. Don't use that. Ever.
Alan DeKok.
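As an added illustration, not part of this thread or of FreeRADIUS: a small Python check in the spirit of Alan's last point, which parses a RADIUS Access-Request and reports whether Microsoft MS-CHAP vendor attributes appear directly in the packet ("bare-mschap", the case Alan says never to use) or whether the exchange is carried in EAP-Message (the PEAP layering he describes). Attribute numbers are those assigned in RFC 2865/2869 and RFC 2548; the two sample packets are constructed here with a zero Authenticator and are not captured traffic.

```python
import struct
# RADIUS attribute numbers (RFC 2865, RFC 2869) and Microsoft VSAs (RFC 2548).
ACCESS_REQUEST, VENDOR_SPECIFIC, EAP_MESSAGE, MICROSOFT_VENDOR_ID = 1, 26, 79, 311
MS_CHAP_ATTRS = {1: "MS-CHAP-Response", 11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response"}

def parse_attributes(packet: bytes):
    """Yield (type, vendor_id, vendor_type, value); vendor fields are None for plain attributes."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS Length field")
    pos = 20  # past Code, Identifier, Length and the 16-byte Authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vpos = struct.unpack("!I", value[:4])[0], 4
            while vpos + 2 <= len(value):  # walk the Vendor-Type/Vendor-Length sub-attributes
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                yield atype, vendor_id, vtype, value[vpos + 2:vpos + vlen]
                vpos += vlen
        else:
            yield atype, None, None, value
        pos += alen

def classify(packet: bytes) -> str:
    """'bare-mschap': MS-CHAP attributes directly in RADIUS; 'eap': an EAP-Message is carried instead."""
    if packet[0] != ACCESS_REQUEST: return "not-access-request"
    has_eap = has_mschap = False
    for atype, vid, vtype, _ in parse_attributes(packet):
        has_eap |= atype == EAP_MESSAGE
        has_mschap |= vid == MICROSOFT_VENDOR_ID and vtype in MS_CHAP_ATTRS
    if has_mschap and not has_eap:
        return "bare-mschap"
    return "eap" if has_eap else "other"

# Builders for constructed sample packets (zero Authenticator; not captured traffic).
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value
def ms_vsa(vtype, value):
    return attr(VENDOR_SPECIFIC, struct.pack("!I", MICROSOFT_VENDOR_ID) + bytes([vtype, len(value) + 2]) + value)
def access_request(*attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(body)) + bytes(16) + body
BARE_MSCHAP = access_request(attr(1, b"alice"), ms_vsa(11, bytes(16)), ms_vsa(25, bytes(50)))
PEAP_START = access_request(attr(1, b"alice"), attr(EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice"))
```

Run over a packet capture from a NAS, a "bare-mschap" result is the configuration to migrate away from; "eap" requests are the PEAP shape, where MS-CHAP sits inside the TLS tunnel.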