Message-Authenticator attribute / blastradius mitigation
Closed this issue · 8 comments
In reports on the newly announced blastradius vulnerability, a possible mitigation that is suggested is to ensure 'Message-Authenticator' is sent as the first attribute in all request and response messages.
Does pam_radius support this attribute? I don't see any mention of it, and not seeing it in a packet trace. If it does not support the attribute, are there plans to update the library to add it?
We will be releasing a new version shortly in order to address this issue.
Alan, I see you made submissions earlier this week. Should this issue be closed now, or are there more changes planned? Thanks.
It can be closed. We'll do a new release shortly.
Hi, I am also curious if there is any ETA for a new release with the fix? Thanks!
We hope to do a new release next week
Alan, I'd tested the code as submitted last week, and was happy with results. I presumed that the "release" work was mostly release notes and the like. Then, it was found that if multiple radius servers are configured (first in the list is actually non-responsive, as intended), then we don't get any response from the good radius server in the second slot - almost like the MessageAuthenticator was incorrect and we were being silently ignored. Doesn't seem I can upload pcap files, but here are screenshots.
Just thought I'd report it before more investigation on my end. Thanks for any enlightenment you might have.
Yeah, verified. Each time through the loop of servers, the message_authenticator needs to be set back to 0s before calculating checksum. Something like this works:
```c
if (request->code == PW_ACCESS_REQUEST) {
	/* Zero the Message-Authenticator before hashing; otherwise the value
	 * left from the previous server in the loop is included in the HMAC. */
	memset(conf->message_authenticator, 0, AUTH_VECTOR_LEN);
	hmac_md5(conf->message_authenticator, (uint8_t *) request, ntohs(request->length),
	         (const uint8_t *) server->secret, strlen(server->secret));
}
```
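The defect described above, reproduced as an added Python example (not pam_radius code): it builds an Access-Request with Message-Authenticator as the first attribute, computes the HMAC-MD5 per RFC 2869 over the packet with the attribute value zeroed, and shows that reusing the packet buffer across servers without re-zeroing yields a value the second server rejects. The server secrets and the User-Name are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
AUTH_VECTOR_LEN = 16


def build_access_request(ident, authenticator, username):
    """Return packet bytes with Message-Authenticator first (value zeroed)
    and the byte offset of that 16-byte value inside the packet."""
    attrs = bytes([ATTR_MESSAGE_AUTHENTICATOR, 2 + AUTH_VECTOR_LEN]) + bytes(AUTH_VECTOR_LEN)
    ma_offset = 20 + 2                      # 20-byte header + attr type/length
    name = username.encode()
    attrs += bytes([ATTR_USER_NAME, 2 + len(name)]) + name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    return header + attrs, ma_offset


def sign(packet, ma_offset, secret, zero_first=True):
    """Fill in Message-Authenticator = HMAC-MD5(secret, whole packet).
    RFC 2869 requires the attribute value to be 16 zero bytes while hashing;
    zero_first=False reproduces the pam_radius bug (stale value from the
    previous server is hashed instead of zeros)."""
    buf = bytearray(packet)
    if zero_first:
        buf[ma_offset:ma_offset + AUTH_VECTOR_LEN] = bytes(AUTH_VECTOR_LEN)
    mac = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    buf[ma_offset:ma_offset + AUTH_VECTOR_LEN] = mac
    return bytes(buf)


def verify(packet, ma_offset, secret):
    """Server-side check: recompute over the zeroed packet, compare in constant time."""
    received = packet[ma_offset:ma_offset + AUTH_VECTOR_LEN]
    expected = sign(packet, ma_offset, secret)[ma_offset:ma_offset + AUTH_VECTOR_LEN]
    return hmac.compare_digest(received, expected)


def retry_across_servers(secrets, zero_each_time):
    """Mimic pam_radius looping over servers while reusing one packet buffer.
    Returns, per server, whether that server would accept the request."""
    pkt, off = build_access_request(7, bytes(range(16)), "alice")   # constructed sample
    results = []
    for secret in secrets:
        pkt = sign(pkt, off, secret, zero_first=zero_each_time)
        results.append(verify(pkt, off, secret))
    return results
```

With two servers, the first request is accepted either way; only the re-zeroed variant is accepted by the second server.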
Hi Alan,
We are using the PAM Authentication and Accounting module. When is the official release expected with the fix for the blastradius mitigation (#96)?
Thanks,
The release 3.0.0 is available.