[Pkg-freeradius-maintainers] Bug#1076022: Additional patch for bullseye's FreeRADIUS (was: Backport some security settings from upstream 3.2.5 release to mitigate BlastRADIUS)

Alan DeKok aland at freeradius.org
Wed Aug 21 18:58:25 BST 2024


  The patch looks good to me, thanks.

> On Aug 20, 2024, at 9:42 PM, Santiago Ruano Rincón <santiagorr at riseup.net> wrote:
> 
> Hi!
> 
> On 20/08/24 at 15:14, Santiago Ruano Rincón wrote:
>> Hello Herwin,
>> 
>> Thanks a lot for testing the proposed packages!
>> 
>> On 15/08/24 at 17:04, Herwin Weststrate wrote:
>>> On Wed, Aug 07, 2024 at 07:08:32AM -0300, Santiago Ruano Rincón wrote:
>>>> Regarding the version in bullseye: upstream has kindly shared with me a
>>>> set of patches. I've pushed them to:
>>>> https://salsa.debian.org/debian/freeradius/-/tree/wip/debian/blastradius/bullseye.
>>> 
>>> The setting `limit_proxy_state` appears to be ignored in the Bullseye
>>> version. The bug can be triggered with the following steps:
>>> * Install the freeradius packages with the instructions listed somewhere
>>>  else in this thread.
>>> * Enable the user `bob` in `/etc/freeradius/3.0/users`
>>> * Add an external client to `/etc/freeradius/3.0/clients`. We need an
>>>  external client because the `radclient` tool has been updated to
>>>  include the `Message-Authenticator` attribute, and we need a request
>>>  that does not include that.
>>> * (Re)Start freeradius
>>> * At the external client, install the `freeradius-utils` package from
>>>  the current Debian repository (doesn't matter if it's Bullseye or
>>>  Bookworm, just don't use these new versions from salsa)
>>> 
>>> Now we can run the first request at the external client:
>>> 
>>>    echo 'User-Name = "bob", User-Password = "hello"' | radclient -x 10.0.0.1 auth testing123
>>> 
>>> This request should result in the following messages in
>>> `/var/log/freeradius/radius.log`:
>>> 
>>>    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>>    BlastRADIUS check: Received packet without Message-Authenticator.
>>>    Setting "require_message_authenticator = false" for client testclient
>>>    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>>    UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
>>>    Once the client is upgraded, set "require_message_authenticator = true" for this client.
>>>    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>>    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>>    BlastRADIUS check: Received packet without Proxy-State.
>>>    Setting "limit_proxy_state = true" for client testclient
>>>    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>>    The packet does not contain Message-Authenticator, which is a security issue.
>>>    UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.
>>>    Once the client is upgraded, set "require_message_authenticator = true" for this client.
>>>    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>> 
>>> The setting `limit_proxy_state = true` is supposed to forbid requests
>>> from containing a `Proxy-State` attribute. Now if we add this to the
>>> request:
>>> 
>>>    echo 'User-Name = "bob", User-Password = "hello", Proxy-State = 0x313233' | radclient -x 10.0.0.1 auth testing123
>>> 
>>> This packet gets accepted and you'll see an `Access-Accept` for the
>>> client. The same thing happens when you explicitly configure
>>> `limit_proxy_state = true` for the client, or set this as the global
>>> option.
>>> This setting works as expected in the Bookworm version of the packages.
>>> I've tried it with v3.0.x from the freeradius upstream
>>> repository as well, and that too works as expected.
>>> I guess the patches miss an essential part of the code to make it work.
>> 
>> Just FTR and completeness, I have been only able to reproduce the issue
>> when setting `limit_proxy_state = true` for the external client.
>> In this case, I see this in the radius.log produced by the proposed
>> package for bullseye:
>> 
>>    Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>    Error: BlastRADIUS check: Received packet without Message-Authenticator.
>>    Error: Setting "require_message_authenticator = false" for client example.org
>>    Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>    Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
>>    Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
>>    Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> 
>> Otherwise, without setting limit_proxy_state, the packet gets accepted,
>> and I see a similar error with any of the packages proposed for
>> bullseye, bookworm, or the packages produced by upstream:
>> 
>>    Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>    Error: BlastRADIUS check: Received packet without Message-Authenticator.
>>    Error: Setting "require_message_authenticator = false" for client example.org
>>    Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>    Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
>>    Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
>>    Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>    Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>    Error: BlastRADIUS check: Received packet with Proxy-State, but without Message-Authenticator.
>>    Error: This is either a BlastRADIUS attack, OR
>>    Error: the client is a proxy RADIUS server which has not been upgraded.
>>    Error: Setting "limit_proxy_state = false" for client example.org
>>    Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>    Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
>>    Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
>>    Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> 
>> I am testing the external client with freeradius-utils 3.0.21+dfsg-2.2+deb11u1.
> 
> I have pushed an additional patch to the WIP bullseye branch:
> https://salsa.debian.org/debian/freeradius/-/commit/e320f4945e88a129d602aad586ac9a927cb344ea
> Alan, if you ever have some free time, would you be so kind to tell me
> if that additional patch (for 3.0.21) makes sense?
> 
> The built packages can be downloaded from:
> https://salsa.debian.org/debian/freeradius/-/jobs/6156291/artifacts/download,
> or via the repo as described at:
> https://debian.pages.debian.net/-/freeradius/-/jobs/6156294/artifacts/aptly/index.html
> Herwin, if possible, could you please give it a try?
> I think the behaviour matches the upstream's bookworm, but it would be
> great to have an extra pair of eyes :-)
> 
> Cheers,
> 
> -- Santiago
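Added example, not code from the thread or from FreeRADIUS itself: a minimal Python model of the server-side decision the two settings describe, including the RFC 2869 Message-Authenticator check, exercised on a constructed Access-Request that carries the same `Proxy-State = 0x313233` as the test above. The function names, the packet builder and the sample secret are assumptions; the decision logic is what `limit_proxy_state = true` is supposed to enforce, i.e. reject a Proxy-State packet that has no Message-Authenticator instead of accepting it.

```python
import hashlib
import hmac
import struct
PROXY_STATE, MESSAGE_AUTHENTICATOR = 33, 80  # RADIUS attribute types (RFC 2865, RFC 2869)

def parse_attributes(packet):
    """Walk the attribute area after the 20-byte RADIUS header; return (offset, type, value) triples."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((pos, atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def message_authenticator_ok(packet, secret):
    """RFC 2869 check: HMAC-MD5(secret, packet) with the 16-byte Message-Authenticator value zeroed."""
    for pos, atype, value in parse_attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False

def check_access_request(packet, secret, require_message_authenticator, limit_proxy_state):
    """Decide whether an Access-Request may be processed; returns (accept, reason)."""
    types = {atype for _, atype, _value in parse_attributes(packet)}
    if MESSAGE_AUTHENTICATOR in types:  # when present it must verify, whatever the settings say
        ok = message_authenticator_ok(packet, secret)
        return ok, "Message-Authenticator " + ("verified" if ok else "invalid")
    if require_message_authenticator:
        return False, "Message-Authenticator required but absent"
    if limit_proxy_state and PROXY_STATE in types:  # the case the thread reports as wrongly accepted
        return False, "Proxy-State without Message-Authenticator (limit_proxy_state)"
    return True, "accepted without Message-Authenticator (client not yet upgraded)"

def build_request(identifier, authenticator, attrs, secret=None):
    """Constructed Access-Request (code 1); with a secret, a valid Message-Authenticator is appended."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    if secret is not None:
        body += struct.pack("BB", MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    pkt = struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body
    if secret is not None:  # the zeroed placeholder is the last 16 bytes of the packet
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt
```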
