On 5.9.2024 18.01, Patrik Forsberg via radiator wrote:
> Is it possible to move the Message-Authenticator attribute to the very top directly after the attribute header in the response package back to the requestor?
This is done by the latest release, Radiator 4.29. The reason for the change is the recent vulnerability in Radius protocol that was made public in July. For more information about Blast-RADIUS, CVE-2024-3596, please see:
https://www.blastradius.fail/
https://radiatorsoftware.com/blastradius-vulnerability-fixed-in-radiator-v4-29/
> Asking because I just ran into a device that, for whatever reason, is enforcing that the Message-Authenticator attribute is at the very top after the attribute header and at this point I have a lot of other attributes before Message-Authenticator.
Hmm, can you let me know what's the device in question? You can reply to me directly too. The position of Message-Authenticator should not matter, even when considering Blast-RADIUS mitigation.
The clients and servers should now add Message-Authenticator as the first attribute which already mitigates the problem. The clients and servers should also have an option to require Message-Authenticator with the applicable messages, but requiring it as the first attribute when receiving a message is unnecessarily strict.
The details of the mitigations and fixes are detailed on the pages linked above.
To summarise: upgrade to Radiator 4.29 and Message-Authenticator is automatically added as the first attribute. Requiring it to be the first attribute when receiving a message sounds like something that the vendor should revise.
Thanks,
Heikki

--
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
https://lists.open.com.au/mailman/listinfo/radiator
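To illustrate the point made in the reply above, here is an added example (not Radiator code, and not from anyone in the thread) that builds a RADIUS response with Message-Authenticator either first or last and verifies it from any position. It follows RFC 2869 (HMAC-MD5 over the packet with the Message-Authenticator value zeroed and the Request Authenticator in the header) and RFC 2865 for the Response Authenticator; the shared secret and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type
HDR = 20  # code(1) id(1) length(2) authenticator(16)

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type(1) length(1) value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def iter_attrs(packet: bytes):
    """Yield (offset, type, value) for each attribute after the header."""
    pos = HDR
    while pos < len(packet):
        attr_type, length = struct.unpack_from("!BB", packet, pos)
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield pos, attr_type, packet[pos + 2:pos + length]
        pos += length

def build_response(code, ident, request_auth, attrs, secret, ma_first=True):
    """Build a response whose Message-Authenticator is first (as Radiator 4.29
    does) or last. The HMAC is computed with the Request Authenticator in the
    header and the Message-Authenticator value set to 16 zero octets."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    zero_ma = encode_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    body = zero_ma + body if ma_first else body + zero_ma
    packet = struct.pack("!BBH", code, ident, HDR + len(body)) + request_auth + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    off = next(o for o, t, _ in iter_attrs(packet) if t == MESSAGE_AUTHENTICATOR)
    packet = packet[:off + 2] + mac + packet[off + 18:]
    # Response Authenticator: MD5(code+id+length+RequestAuth+attrs+secret), RFC 2865
    resp_auth = hashlib.md5(packet + secret).digest()
    return packet[:4] + resp_auth + packet[HDR:]

def verify_message_authenticator(packet, request_auth, secret) -> bool:
    """True only if exactly one well-formed Message-Authenticator is present
    and its HMAC verifies; its position among the attributes is irrelevant."""
    offs = [o for o, t, v in iter_attrs(packet)
            if t == MESSAGE_AUTHENTICATOR and len(v) == 16]
    if len(offs) != 1:
        return False
    off = offs[0]
    zeroed = (packet[:4] + request_auth + packet[HDR:off + 2]
              + b"\x00" * 16 + packet[off + 18:])
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off + 2:off + 18])
```

A receiver that insists on Message-Authenticator being first would reject the second packet form even though its HMAC is valid; the verifier here accepts both and rejects a missing, duplicated or tampered one.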
