[Pkg-freeradius-maintainers] Bug#1076022: Backport some security settings from upstream 3.2.5 release to mitigate BlastRADIUS
Herwin Weststrate
debian at herwinw.nl
Thu Aug 15 16:04:47 BST 2024
On Wed, Aug 07, 2024 at 07:08:32AM -0300, Santiago Ruano Rincón wrote:
> Regarding the version in bullseye: upstream has kindly shared with me a
> set of patches. I've pushed them to:
> https://salsa.debian.org/debian/freeradius/-/tree/wip/debian/blastradius/bullseye.
The setting `limit_proxy_state` appears to be ignored in the Bullseye
version. The bug can be triggered with the following steps:
* Install the freeradius packages with the instructions listed somewhere
else in this thread.
* Enable the user `bob` in `/etc/freeradius/3.0/users`
* Add an external client to `/etc/freeradius/3.0/clients`. We need an
external client because the `radclient` tool has been updated to
include the `Message-Authenticator` attribute, and we need a request
that does not include that.
* (Re)Start freeradius
* At the external client, install the `freeradius-utils` package from
the current Debian repository (doesn't matter if it's Bullseye or
Bookworm, just don't use these new versions from salsa)
Now we can run the first request at the external client:
echo 'User-Name = "bob", User-Password = "hello"' | radclient -x 10.0.0.1 auth testing123
This request should result in the following messages in
`/var/log/freeradius/radius.log`:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
BlastRADIUS check: Received packet without Message-Authenticator.
Setting "require_message_authenticator = false" for client testclient
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
Once the client is upgraded, set "require_message_authenticator = true" for this client.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
BlastRADIUS check: Received packet without Proxy-State.
Setting "limit_proxy_state = true" for client testclient
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The packet does not contain Message-Authenticator, which is a security issue.
UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.
Once the client is upgraded, set "require_message_authenticator = true" for this client.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The setting `limit_proxy_state = true` is supposed to forbid requests
from containing a `Proxy-State` attribute. Now if we add this to the
request:
echo 'User-Name = "bob", User-Password = "hello", Proxy-State = 0x313233' | radclient -x 10.0.0.1 auth testing123
This packet gets accepted and you'll see an `Access-Accept` for the
client. The same thing happens when you explicitly configure
`limit_proxy_state = true` for the client, or set this as the global
option.
This setting works as expected in the Bookworm version of the packages.
I've tried it with v3.0.x from the freeradius upstream
repository as well, and that too works as expected.
I guess the patches miss an essential part of the code to make it work.
--
Herwin
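The two checks exercised in the report above (require_message_authenticator and limit_proxy_state), as an added Python example that is not part of this thread or of the FreeRADIUS code: it parses a constructed Access-Request, verifies the RFC 2869 Message-Authenticator HMAC-MD5 against the shared secret, and flags Proxy-State carried without a Message-Authenticator, the condition upstream's limit_proxy_state is meant to reject. The packet builder, the fixed request authenticator and the sample secret are assumptions for the demo.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_PROXY_STATE = 33
ATTR_MESSAGE_AUTHENTICATOR = 80

def parse_attributes(packet):
    """Return [(type, value, offset)] for the attribute section after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen], pos))
        pos += alen
    return attrs

def check_access_request(packet, secret, require_message_authenticator=True, limit_proxy_state=True):
    """Return the policy violations a hardened server would raise for this Access-Request."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attributes(packet)
    ma = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    problems = []
    if not ma:
        if require_message_authenticator:
            problems.append("missing Message-Authenticator")
        if limit_proxy_state and any(t == ATTR_PROXY_STATE for t, _, _ in attrs):
            problems.append("Proxy-State without Message-Authenticator")
    else:
        value, off = ma[0]
        # RFC 2869: HMAC-MD5 over the whole packet with the attribute value zeroed
        zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, value):
            problems.append("bad Message-Authenticator")
    return problems

def build_access_request(attrs, secret=None, ident=1):
    # Constructed sample packet; appends a valid Message-Authenticator when a secret is given.
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if secret is not None:
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    authenticator = b"\x11" * 16  # constructed request authenticator (normally random)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    if secret is not None:
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet
```

Run `check_access_request(build_access_request([(1, b"bob"), (33, b"123")]), b"testing123")` to see both violations the bullseye build should have logged for the second radclient request.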