blastRADIUS vulnerability. #213
Asterix101
started this conversation in
General
Replies: 1 comment
-
Hi, #245 |
-
Hi.
After upgrading freeradius on CentOS 9 from version 3.0.21-41 to 3.0.21-42, accel-ppp stops authenticating all users. I noticed that freeradius does not work.
I started freeradius in debug mode and saw the banner below:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
BlastRADIUS check: Received packet without Proxy-State.
Setting "limit_proxy_state = true" for client NAS-pppoe
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The packet does not contain Message-Authenticator, which is a security issue.
UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.
Once the client is upgraded, set "require_message_authenticator = true" for client NAS-pppoe
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I changed the specified options in clients.conf, but freeradius does not work with accel-ppp. I got the messages below:
Packet does not contain required Message-Authenticator attribute. You may need to set "require_message_authenticator = no" in the configuration.
When I set the option require_message_authenticator = no, freeradius crashed with a core dump, because the patch for blastRADIUS is mandatory now.
I downgraded freeradius, but that is not a good idea.
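An added example, not part of the original post and not FreeRADIUS or accel-ppp code: a Python check of whether an Access-Request carries Proxy-State and a valid Message-Authenticator (HMAC-MD5 per RFC 2869/3579), the two conditions the debug banner above reports. The function names and the sample packet are constructed for illustration; in practice the bytes would come from a capture of the NAS traffic.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 / RFC 3579
PROXY_STATE = 33            # attribute type, RFC 2865


def parse_attributes(packet):
    """Return ([(type, value_offset, value)], length) for a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # attributes start after 4-byte header + 16-byte Authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, pos + 2, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs, length


def check_access_request(packet, secret):
    """Report Proxy-State presence and Message-Authenticator status of an Access-Request."""
    attrs, length = parse_attributes(packet)
    result = {"proxy_state": any(t == PROXY_STATE for t, _, _ in attrs),
              "message_authenticator": "missing"}
    for attr_type, offset, value in attrs:
        if attr_type == MESSAGE_AUTHENTICATOR:
            # HMAC-MD5 over the whole packet with the 16-byte attribute value zeroed.
            zeroed = packet[:offset] + bytes(16) + packet[offset + 16:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            ok = len(value) == 16 and hmac.compare_digest(expected, value)
            result["message_authenticator"] = "valid" if ok else "invalid"
            break
    return result


def build_sample(secret, signed):
    """Constructed Access-Request carrying User-Name "test"; sample data, not a capture."""
    attrs = b"\x01\x06test" + (bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) if signed else b"")
    packet = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(range(16)) + attrs
    if signed:  # fill in the zeroed Message-Authenticator value (last 16 bytes)
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet
```

A result of `missing` with `proxy_state` false corresponds to the first banner; `invalid` usually points to a shared-secret mismatch between the NAS and the server.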