Hello Herwin,

Thanks a lot for testing the proposed packages!

On 15/08/24 at 17:04, Herwin Weststrate wrote:
> On Wed, Aug 07, 2024 at 07:08:32AM -0300, Santiago Ruano Rincón wrote:
> > Regarding the version in bullseye: upstream has kindly shared with me a
> > set of patches. I've pushed them to:
> > https://salsa.debian.org/debian/freeradius/-/tree/wip/debian/blastradius/bullseye.
>
> The setting `limit_proxy_state` appears to be ignored in the Bullseye
> version. The bug can be triggered with the following steps:
> * Install the freeradius packages with the instructions listed somewhere
>   else in this thread.
> * Enable the user `bob` in `/etc/freeradius/3.0/users`
> * Add an external client to `/etc/freeradius/3.0/clients`. We need an
>   external client because the `radclient` tool has been updated to
>   include the `Message-Authenticator` attribute, and we need a request
>   that does not include that.
> * (Re)Start freeradius
> * At the external client, install the `freeradius-utils` package from
>   the current Debian repository (doesn't matter if it's Bullseye or
>   Bookworm, just don't use these new versions from salsa)
>
> Now we can run the first request at the external client:
>
> echo 'User-Name = "bob", User-Password = "hello"' | radclient -x 10.0.0.1 auth testing123
>
> This request should result in the following messages in
> `/var/log/freeradius/radius.log`:
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> BlastRADIUS check: Received packet without Message-Authenticator.
> Setting "require_message_authenticator = false" for client testclient
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS
> ATTACK.
> Once the client is upgraded, set "require_message_authenticator = true"
> for this client.
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> BlastRADIUS check: Received packet without Proxy-State.
> Setting "limit_proxy_state = true" for client testclient
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> The packet does not contain Message-Authenticator, which is a security
> issue.
> UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS
> ATTACK.
> Once the client is upgraded, set "require_message_authenticator = true"
> for this client.
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> The setting `limit_proxy_state = true` is supposed to forbid requests
> from containing a `Proxy-State` attribute. Now if we add this to the
> request:
>
> echo 'User-Name = "bob", User-Password = "hello", Proxy-State = 0x313233' | radclient -x 10.0.0.1 auth testing123
>
> This packet gets accepted and you'll see an `Access-Accept` for the
> client. The same thing happens when you explicitly configure
> `limit_proxy_state = true` for the client, or set this as the global
> option.
> This setting works as expected in the Bookworm version of the packages.
> I've tried it with v3.0.x from the freeradius upstream repository as
> well, and that too works as expected.
> I guess the patches miss an essential part of the code to make it work.

Just FTR and for completeness, I have only been able to reproduce the issue when setting `limit_proxy_state = true` for the external client. In this case, I see this in the radius.log produced by the proposed package for bullseye:

Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: BlastRADIUS check: Received packet without Message-Authenticator.
Error: Setting "require_message_authenticator = false" for client example.org
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Otherwise, without setting limit_proxy_state, the packet gets accepted, and I see a similar error with any of the packages proposed for bullseye, bookworm, or the packages produced by upstream:

Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: BlastRADIUS check: Received packet without Message-Authenticator.
Error: Setting "require_message_authenticator = false" for client example.org
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: BlastRADIUS check: Received packet with Proxy-State, but without Message-Authenticator.
Error: This is either a BlastRADIUS attack, OR
Error: the client is a proxy RADIUS server which has not been upgraded.
Error: Setting "limit_proxy_state = false" for client example.org
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I am testing the external client with freeradius-utils 3.0.21+dfsg-2.2+deb11u1.

Cheers,

-- 
Santiago
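An added example (mine, not code from this thread or from FreeRADIUS) that models the two per-client checks the log messages above describe, so the expected outcome of `limit_proxy_state` can be exercised offline: it builds minimal Access-Request packets with a constructed shared secret, verifies the Message-Authenticator HMAC-MD5 as RFC 3579 specifies, and applies `require_message_authenticator` and `limit_proxy_state` the way the server log states them (a Proxy-State attribute arriving without a valid Message-Authenticator is rejected). The function and helper names are my own; User-Password obfuscation is left out of the constructed packets.

```python
import hashlib
import hmac
import struct

# RADIUS attribute type numbers (RFC 2865 / RFC 3579); packet code 1 = Access-Request
USER_NAME, PROXY_STATE, MESSAGE_AUTHENTICATOR = 1, 33, 80

def build_access_request(attrs, secret, authenticator, sign=False):
    """Minimal Access-Request (id 0); sign=True appends a valid Message-Authenticator. Constructed test data: no User-Password obfuscation."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if sign:
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack("!BBH", 1, 0, 20 + len(body)) + authenticator + body
    if sign:  # HMAC-MD5 over the packet with the attribute value zeroed (RFC 3579 3.2)
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt

def parse_attrs(pkt):
    """Return [(type, value, offset)] for the attribute section, with length checks."""
    length = struct.unpack("!BBH", pkt[:4])[2]
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, off = [], 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[off + 2:off + l], off))
        off += l
    return attrs

def message_authenticator_valid(pkt, secret):
    """True only if a Message-Authenticator is present and its HMAC verifies."""
    for t, v, off in parse_attrs(pkt):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
    return False

def check_request(pkt, secret, require_message_authenticator, limit_proxy_state):
    """Apply the two per-client settings from the thread and say why a packet is dropped."""
    types = {t for t, _, _ in parse_attrs(pkt)}
    has_ma, has_ps = MESSAGE_AUTHENTICATOR in types, PROXY_STATE in types
    if has_ma and not message_authenticator_valid(pkt, secret):
        return "reject: Message-Authenticator does not verify"
    if require_message_authenticator and not has_ma:
        return "reject: Message-Authenticator required for this client"
    if limit_proxy_state and has_ps and not has_ma:
        return "reject: Proxy-State without Message-Authenticator (limit_proxy_state)"
    return "accept"
```

The Proxy-State value `b"123"` is the `0x313233` from the radclient line above; with `limit_proxy_state` on, that packet must come back as a reject unless a verifying Message-Authenticator is present.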