[Pkg-freeradius-maintainers] Bug#1076022: Backport some security settings from upstream 3.2.5 release to mitigate BlastRADIUS
Santiago Ruano Rincón
santiagorr at riseup.net
Tue Aug 20 19:14:38 BST 2024
Hello Herwin,
Thanks a lot for testing the proposed packages!
On 15/08/24 at 17:04, Herwin Weststrate wrote:
> On Wed, Aug 07, 2024 at 07:08:32AM -0300, Santiago Ruano Rincón wrote:
> > Regarding the version in bullseye: upstream has kindly shared with me a
> > set of patches. I've pushed them to:
> > https://salsa.debian.org/debian/freeradius/-/tree/wip/debian/blastradius/bullseye.
>
> The setting `limit_proxy_state` appears to be ignored in the Bullseye
> version. The bug can be triggered with the following steps:
> * Install the freeradius packages with the instructions listed somewhere
> else in this thread.
> * Enable the user `bob` in `/etc/freeradius/3.0/users`
> * Add an external client to `/etc/freeradius/3.0/clients`. We need an
> external client because the `radclient` tool has been updated to
> include the `Message-Authenticator` attribute, and we need a request
> that does not include that.
> * (Re)Start freeradius
> * At the external client, install the `freeradius-utils` package from
> the current Debian repository (doesn't matter if it's Bullseye or
> Bookworm, just don't use these new versions from salsa)
>
> Now we can run the first request at the external client:
>
> echo 'User-Name = "bob", User-Password = "hello"' | radclient -x 10.0.0.1 auth testing123
>
> This request should result in the following messages in
> `/var/log/freeradius/radius.log`:
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> BlastRADIUS check: Received packet without Message-Authenticator.
> Setting "require_message_authenticator = false" for client testclient
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
> Once the client is upgraded, set "require_message_authenticator = true" for this client.
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> BlastRADIUS check: Received packet without Proxy-State.
> Setting "limit_proxy_state = true" for client testclient
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> The packet does not contain Message-Authenticator, which is a security issue.
> UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.
> Once the client is upgraded, set "require_message_authenticator = true" for this client.
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> The setting `limit_proxy_state = true` is supposed to forbid requests
> from containing a `Proxy-State` attribute. Now if we add this to the
> request:
>
> echo 'User-Name = "bob", User-Password = "hello", Proxy-State = 0x313233' | radclient -x 10.0.0.1 auth testing123
>
> This packet gets accepted and you'll see an `Access-Accept` for the
> client. The same thing happens when you explicitly configure
> `limit_proxy_state = true` for the client, or set this as the global
> option.
> This setting works as expected in the Bookworm version of the packages.
> I've tried it with v3.0.x from the freeradius upstream
> repository as well, and that too works as expected.
> I guess the patches miss an essential part of the code to make it work.
Just FTR and completeness, I have been only able to reproduce the issue
when setting `limit_proxy_state = true` for the external client.
In this case, I see this in the radius.log produced by the proposed
package for bullseye:
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: BlastRADIUS check: Received packet without Message-Authenticator.
Error: Setting "require_message_authenticator = false" for client example.org
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Otherwise, without setting limit_proxy_state, the packet gets accepted,
and I see a similar error with any of the packages proposed for
bullseye, bookworm, or the packages produced by upstream:
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: BlastRADIUS check: Received packet without Message-Authenticator.
Error: Setting "require_message_authenticator = false" for client example.org
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: BlastRADIUS check: Received packet with Proxy-State, but without Message-Authenticator.
Error: This is either a BlastRADIUS attack, OR
Error: the client is a proxy RADIUS server which has not been upgraded.
Error: Setting "limit_proxy_state = false" for client example.org
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I am testing the external client with freeradius-utils 3.0.21+dfsg-2.2+deb11u1.
Cheers,
-- Santiago
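To make the behaviour discussed in this thread concrete, the following is an added example (not code from the thread, from the Debian packages or from FreeRADIUS itself): it parses a RADIUS Access-Request, verifies Message-Authenticator (attribute 80) as HMAC-MD5 over the packet with that value zeroed per RFC 2869, and applies `require_message_authenticator` and `limit_proxy_state` the way the server's log text above describes them, i.e. `limit_proxy_state` rejects a Proxy-State (attribute 33) that arrives without a Message-Authenticator. The packet builder, the id, the authenticator bytes and the User-Name/Proxy-State values are constructed test input, not captured traffic.

```python
import hashlib
import hmac

ACCESS_REQUEST, ATTR_PROXY_STATE, ATTR_MESSAGE_AUTHENTICATOR = 1, 33, 80

def iter_attrs(pkt):
    """Yield (type, offset, value) for each attribute after the 20-byte RADIUS header."""
    i, end = 20, int.from_bytes(pkt[2:4], "big")
    while i + 2 <= end:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > end:
            raise ValueError("malformed attribute at offset %d" % i)
        yield t, i, pkt[i + 2:i + l]
        i += l

def message_authenticator_ok(pkt, secret):
    """HMAC-MD5(secret, packet with the Message-Authenticator value zeroed) must match (RFC 2869)."""
    pkt = pkt[:int.from_bytes(pkt[2:4], "big")]  # only the Length bytes are covered
    for t, off, val in iter_attrs(pkt):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(val) == 16:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, val)
    return False

def build_access_request(attrs, authenticator, secret=None):
    """Constructed Access-Request (id 1); with a secret, a valid Message-Authenticator is appended."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if secret is not None:
        body += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = bytes([ACCESS_REQUEST, 1]) + (20 + len(body)).to_bytes(2, "big") + authenticator + body
    if secret is not None:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()  # fill in the real MAC
    return pkt

def check_request(pkt, secret, require_message_authenticator=False, limit_proxy_state=False):
    """Apply the two per-client settings from the thread; returns (accepted, reason)."""
    types = {t for t, _, _ in iter_attrs(pkt)}
    has_ma, has_ps = ATTR_MESSAGE_AUTHENTICATOR in types, ATTR_PROXY_STATE in types
    if has_ma and not message_authenticator_ok(pkt, secret):
        return False, "Message-Authenticator does not verify"
    if require_message_authenticator and not has_ma:
        return False, "Message-Authenticator required but absent"
    if limit_proxy_state and has_ps and not has_ma:
        return False, "Proxy-State present without Message-Authenticator"
    return True, "accepted"
```

With `limit_proxy_state=True`, a request carrying `Proxy-State = 0x313233` and no Message-Authenticator (Herwin's second radclient command) is rejected, which is the outcome the Bullseye packages fail to produce.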