The patch looks good to me, thanks.

> On Aug 20, 2024, at 9:42 PM, Santiago Ruano Rincón <santiag...@riseup.net> wrote:
>
> Hi!
>
> On 20/08/24 at 15:14, Santiago Ruano Rincón wrote:
>> Hello Herwin,
>>
>> Thanks a lot for testing the proposed packages!
>>
>> On 15/08/24 at 17:04, Herwin Weststrate wrote:
>>> On Wed, Aug 07, 2024 at 07:08:32AM -0300, Santiago Ruano Rincón wrote:
>>>> Regarding the version in bullseye: upstream has kindly shared with me a
>>>> set of patches. I've pushed them to:
>>>> https://salsa.debian.org/debian/freeradius/-/tree/wip/debian/blastradius/bullseye.
>>>
>>> The setting `limit_proxy_state` appears to be ignored in the Bullseye
>>> version. The bug can be triggered with the following steps:
>>> * Install the freeradius packages with the instructions listed somewhere
>>>   else in this thread.
>>> * Enable the user `bob` in `/etc/freeradius/3.0/users`
>>> * Add an external client to `/etc/freeradius/3.0/clients`. We need an
>>>   external client because the `radclient` tool has been updated to
>>>   include the `Message-Authenticator` attribute, and we need a request
>>>   that does not include that.
>>> * (Re)Start freeradius
>>> * At the external client, install the `freeradius-utils` package from
>>>   the current Debian repository (doesn't matter if it's Bullseye or
>>>   Bookworm, just don't use these new versions from salsa)
>>>
>>> Now we can run the first request at the external client:
>>>
>>>     echo 'User-Name = "bob", User-Password = "hello"' | radclient -x 10.0.0.1 auth testing123
>>>
>>> This request should result in the following messages in
>>> `/var/log/freeradius/radius.log`:
>>>
>>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>> BlastRADIUS check: Received packet without Message-Authenticator.
>>> Setting "require_message_authenticator = false" for client testclient
>>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>> UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS
>>> ATTACK.
>>> Once the client is upgraded, set "require_message_authenticator = true"
>>> for this client.
>>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>>
>>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>> BlastRADIUS check: Received packet without Proxy-State.
>>> Setting "limit_proxy_state = true" for client testclient
>>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>> The packet does not contain Message-Authenticator, which is a security
>>> issue.
>>> UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS
>>> ATTACK.
>>> Once the client is upgraded, set "require_message_authenticator = true"
>>> for this client.
>>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>>
>>> The setting `limit_proxy_state = true` is supposed to forbid requests
>>> from containing a `Proxy-State` attribute. Now if we add this to the
>>> request:
>>>
>>>     echo 'User-Name = "bob", User-Password = "hello", Proxy-State = 0x313233' | radclient -x 10.0.0.1 auth testing123
>>>
>>> This packet gets accepted and you'll see an `Access-Accept` for the
>>> client. The same thing happens when you explicitly configure
>>> `limit_proxy_state = true` for the client, or set this as the global
>>> option.
>>> This setting works as expected in the Bookworm version of the packages.
>>> I've tried it with v3.0.x from the freeradius upstream repository as
>>> well, and that too works as expected.
>>> I guess the patches miss an essential part of the code to make it work.
>>
>> Just FTR and for completeness, I have only been able to reproduce the issue
>> when setting `limit_proxy_state = true` for the external client.
>> In this case, I see this in the radius.log produced by the proposed
>> package for bullseye:
>>
>> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> Error: BlastRADIUS check: Received packet without Message-Authenticator.
>> Error: Setting "require_message_authenticator = false" for client example.org
>> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
>> Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
>> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>
>> Otherwise, without setting limit_proxy_state, the packet gets accepted,
>> and I see a similar error with any of the packages proposed for
>> bullseye, bookworm, or the packages produced by upstream:
>>
>> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> Error: BlastRADIUS check: Received packet without Message-Authenticator.
>> Error: Setting "require_message_authenticator = false" for client example.org
>> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
>> Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
>> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> Error: BlastRADIUS check: Received packet with Proxy-State, but without Message-Authenticator.
>> Error: This is either a BlastRADIUS attack, OR
>> Error: the client is a proxy RADIUS server which has not been upgraded.
>> Error: Setting "limit_proxy_state = false" for client example.org
>> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
>> Error: Once the client is upgraded, set "require_message_authenticator = true" for this client.
>> Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>
>> I am testing the external client with freeradius-utils
>> 3.0.21+dfsg-2.2+deb11u1.
>
> I have pushed an additional patch to the WIP bullseye branch:
> https://salsa.debian.org/debian/freeradius/-/commit/e320f4945e88a129d602aad586ac9a927cb344ea
> Alan, if you ever have some free time, would you be so kind as to tell me
> if that additional patch (for 3.0.21) makes sense?
>
> The built packages can be downloaded from:
> https://salsa.debian.org/debian/freeradius/-/jobs/6156291/artifacts/download,
> or via the repo as described at:
> https://debian.pages.debian.net/-/freeradius/-/jobs/6156294/artifacts/aptly/index.html
> Herwin, if possible, could you please give it a try?
> I think the behaviour matches upstream's bookworm, but it would be
> great to have an extra pair of eyes :-)
>
> Cheers,
>
> -- Santiago