blastRADIUS vulnerability. #213
Asterix101 started this conversation in General
Hi.
After upgrading freeradius on CentOS 9 from version 3.0.21-41 to 3.0.21-42, accel-ppp stopped authenticating all users. I noticed that freeradius does not work.
I started freeradius in debug mode and saw the banner below:
```
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
BlastRADIUS check: Received packet without Proxy-State.
Setting "limit_proxy_state = true" for client NAS-pppoe
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The packet does not contain Message-Authenticator, which is a security issue.
UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.
Once the client is upgraded, set "require_message_authenticator = true" for client NAS-pppoe
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
```
I changed the specified options in clients.conf, but freeradius does not work with accel-ppp. I got the messages below:
```
Packet does not contain required Message-Authenticator attribute. You may need to set "require_message_authenticator = no" in the configuration.
```
When I set the option require_message_authenticator = no, freeradius crashed with a core dump, because the patch for blastRADIUS is mandatory now.
I downgraded freeradius, but that is not a good idea.