[Pkg-freeradius-maintainers] Bug#1076022: Additional patch for bullseye's FreeRADIUS (was: Backport some security settings from upstream 3.2.5 release to mitigate BlastRADIUS)
Santiago Ruano Rincón
santiagorr at riseup.net
Wed Aug 21 02:42:10 BST 2024
Hi!
On 20/08/24 at 15:14, Santiago Ruano Rincón wrote:
> Hello Herwin,
>
> Thanks a lot for testing the proposed packages!
>
> On 15/08/24 at 17:04, Herwin Weststrate wrote:
> > On Wed, Aug 07, 2024 at 07:08:32AM -0300, Santiago Ruano Rincón wrote:
> > > Regarding the version in bullseye: upstream has kindly shared with me a
> > > set of patches. I've pushed them to:
> > > https://salsa.debian.org/debian/freeradius/-/tree/wip/debian/blastradius/bullseye.
> >
> > The setting `limit_proxy_state` appears to be ignored in the Bullseye
> > version. The bug can be triggered with the following steps:
> > * Install the freeradius packages with the instructions listed somewhere
> > else in this thread.
> > * Enable the user `bob` in `/etc/freeradius/3.0/users`
> > * Add an external client to `/etc/freeradius/3.0/clients`. We need an
> > external client because the `radclient` tool has been updated to
> > include the `Message-Authenticator` attribute, and we need a request
> > that does not include that.
> > * (Re)Start freeradius
> > * At the external client, install the `freeradius-utils` package from
> >   the current Debian repository (doesn't matter if it's Bullseye or
> >   Bookworm, just don't use these new versions from salsa)
> >
> > Now we can run the first request at the external client:
> >
> > echo 'User-Name = "bob", User-Password = "hello"' | radclient -x 10.0.0.1 auth testing123
> >
> > This request should result in the following messages in
> > `/var/log/freeradius/radius.log`:
> >
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > BlastRADIUS check: Received packet without Message-Authenticator.
> > Setting "require_message_authenticator = false" for client testclient
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
> > Once the client is upgraded, set "require_message_authenticator = true" for this client.
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > BlastRADIUS check: Received packet without Proxy-State.
> > Setting "limit_proxy_state = true" for client testclient
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > The packet does not contain Message-Authenticator, which is a security issue.
> > UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.
> > Once the client is upgraded, set "require_message_authenticator = true" for this client.
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >
> > The setting `limit_proxy_state = true` is supposed to forbid requests
> > from containing a `Proxy-State` attribute. Now if we add this to the
> > request:
> >
> > echo 'User-Name = "bob", User-Password = "hello", Proxy-State = 0x313233' | radclient -x 10.0.0.1 auth testing123
> >
> > This packet gets accepted and you'll see an `Access-Accept` for the
> > client. The same thing happens when you explicitly configure
> > `limit_proxy_state = true` for the client, or set this as the global
> > option.
> > This setting works as expected in the Bookworm version of the packages.
> > I've tried it with v3.0.x from the freeradius upstream
> > repository as well, and that too works as expected.
> > I guess the patches miss an essential part of the code to make it work.
>
> Just FTR and completeness, I have been only able to reproduce the issue
> when setting `limit_proxy_state = true` for the external client.
> In this case, I see this in the radius.log produced by the proposed
> package for bullseye:
>
> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Error: BlastRADIUS check: Received packet without Message-Authenticator.
> Error: Setting "require_message_authenticator = false" for client example.org
> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
> Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> Otherwise, without setting limit_proxy_state, the packet gets accepted,
> and I see a similar error with any of the packages proposed for
> bullseye, bookworm, or the packages produced by upstream:
>
> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Error: BlastRADIUS check: Received packet without Message-Authenticator.
> Error: Setting "require_message_authenticator = false" for client example.org
> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
> Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Error: BlastRADIUS check: Received packet with Proxy-State, but without Message-Authenticator.
> Error: This is either a BlastRADIUS attack, OR
> Error: the client is a proxy RADIUS server which has not been upgraded.
> Error: Setting "limit_proxy_state = false" for client example.org
> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
> Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> I am testing the external client with freeradius-utils 3.0.21+dfsg-2.2+deb11u1.
I have pushed an additional patch to the WIP bullseye branch:
https://salsa.debian.org/debian/freeradius/-/commit/e320f4945e88a129d602aad586ac9a927cb344ea
Alan, if you ever have some free time, would you be so kind as to tell me
if that additional patch (for 3.0.21) makes sense?
The built packages can be downloaded from:
https://salsa.debian.org/debian/freeradius/-/jobs/6156291/artifacts/download,
or via the repo as described at:
https://debian.pages.debian.net/-/freeradius/-/jobs/6156294/artifacts/aptly/index.html
Herwin, if possible, could you please give it a try?
I think the behaviour matches upstream's bookworm, but it would be
great to have an extra pair of eyes :-)
Cheers,
-- Santiago
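For readers following the reproduction steps above, the following is an added example (not code from this thread, from Debian's packaging, or from FreeRADIUS itself). It builds the three Access-Request variants the thread exercises (no Message-Authenticator; a valid HMAC-MD5 Message-Authenticator; Proxy-State without Message-Authenticator) and models the per-client `require_message_authenticator` / `limit_proxy_state` checks with the "auto" first-packet pinning that the radius.log excerpts describe. The `ClientPolicy` class, its `check` method, and the exact pinning rules are this example's own assumptions about the intended behaviour, not the upstream implementation; the shared secret `testing123`, user `bob` and password `hello` are taken from the commands in the thread, and the fixed Request Authenticator is constructed here for reproducibility.

```python
"""Toy RADIUS Access-Request builder plus BlastRADIUS-style per-client checks.

Added example, not FreeRADIUS code. ClientPolicy is a hypothetical model of
the require_message_authenticator / limit_proxy_state settings: "auto" is
pinned by the first packet seen, as the radius.log messages in the thread say.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, PROXY_STATE, MESSAGE_AUTHENTICATOR = 1, 2, 33, 80


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password obfuscation (chained MD5 XOR)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes the 2 header bytes) Value.
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(pkt: bytes):
    """Return [(type, value, offset_of_value)] for attributes after the 20-byte header."""
    out, i = [], 20
    while i < len(pkt):
        t, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed attribute")
        out.append((t, pkt[i + 2:i + length], i + 2))
        i += length
    return out


def build_access_request(ident, secret, authenticator, attrs, with_message_authenticator):
    """Access-Request; Message-Authenticator = HMAC-MD5(secret, packet with MA zeroed)."""
    if with_message_authenticator:
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]  # placeholder, last attr
    body = encode_attrs(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    if with_message_authenticator:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac  # the placeholder is the final 16 bytes
    return pkt


def find_attr(pkt, attr_type):
    for t, v, off in decode_attrs(pkt):
        if t == attr_type:
            return v, off
    return None, None


def verify_message_authenticator(pkt, secret) -> bool:
    v, off = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if v is None or len(v) != 16:
        return False
    zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)


class ClientPolicy:
    """Hypothetical per-client policy; "auto" is pinned by the first packet."""

    def __init__(self, require_message_authenticator="auto", limit_proxy_state="auto"):
        self.require_message_authenticator = require_message_authenticator
        self.limit_proxy_state = limit_proxy_state

    def check(self, pkt, secret):
        has_ma = find_attr(pkt, MESSAGE_AUTHENTICATOR)[0] is not None
        has_ps = find_attr(pkt, PROXY_STATE)[0] is not None
        if has_ma and not verify_message_authenticator(pkt, secret):
            return False, "bad Message-Authenticator"
        if self.require_message_authenticator == "auto":
            # First packet carries MA -> client is upgraded -> pin to True; else False.
            self.require_message_authenticator = has_ma
        if self.require_message_authenticator and not has_ma:
            return False, "Message-Authenticator required"
        if self.limit_proxy_state == "auto":
            # Proxy-State without MA on the first packet -> legacy proxy -> pin to False.
            self.limit_proxy_state = has_ma or not has_ps
        if self.limit_proxy_state and has_ps and not has_ma:
            return False, "Proxy-State without Message-Authenticator"
        return True, "ok"
```

With a fresh `ClientPolicy()` the first bare request (no Message-Authenticator, no Proxy-State) is accepted and pins `require_message_authenticator` to False and `limit_proxy_state` to True, after which the `Proxy-State = 0x313233` request is rejected; that is the Bookworm behaviour Herwin expected. If the very first packet already carries Proxy-State without Message-Authenticator, `limit_proxy_state` is pinned to False and the packet is accepted, which is the second log excerpt in the thread. A client configured with `require_message_authenticator = True` rejects everything without a valid HMAC regardless of Proxy-State.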