Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-55453

libkrad: implement support for Message-Authenticator (CVE-2024-3596) [rhel-7]

    • krb5-1.15.1-55.el7_9.3
    • Yes
    • Important
    • ZStream
    • sst_idm_ipa
    • ssg_idm
    • 8
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • Approved Blocker
    • None

      The latest investigations indicate that this problem is caused by the generalization of the Message-Authenticator attribute to sign RADIUS access requests and responses which is part of the mitigation of the BlastRADIUS vulnerability (CVE-2024-3596).

      The mitigation of this vulnerability is part of a larger plan to fix various weaknesses in the RADIUS protocol: draft-ietf-radext-deprecating-radius-03.

      MIT krb5 includes a partial implementation of RADIUS protocol (RFC2865), but has no support for Message-Authenticator. This causes all RADIUS request from the KDC to the RADIUS server to be rejected, which breaks passwordless setups.

      Support for Message-Authenticator has to be implemented in MIT krb5's libkrad to allow the KDC to generate valid access requests.

      Combination of radiusd and ipa-otpd logs:

      (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
      (0)   post-auth {
      (0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
      (0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
      (0)     update {
      (0)       No attributes updated for RHS &session-state:
      (0)     } # update = noop
      (0)     [exec] = noop
      (0)     policy remove_reply_message_if_eap {
      (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
      (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
      (0)       else {
      (0)         [noop] = noop
      (0)       } # else = noop
      (0)     } # policy remove_reply_message_if_eap = noop
      (0)   } # post-auth = noop
      (0) Sent Access-Accept Id 13 from 127.0.0.1:1812 to 127.0.0.1:44619 length 0
      (0) Finished request
      Waking up in 4.9 seconds.
      Jul 23 10:40:36 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: request received
      Jul 23 10:40:36 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: user query start
      Jul 23 10:40:36 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: user query end: uid=tuser,cn=users,cn=accounts,dc=test,dc=ipa
      Jul 23 10:40:36 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: radius query start: cn=tproxy,cn=radiusproxy,dc=test,dc=ipa
      Jul 23 10:40:36 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: radius query end: 127.0.0.1
      Jul 23 10:40:36 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: forward start: tuser / 127.0.0.1
      (0) Sending duplicate reply to client localhost port 44619 - ID: 13
      Waking up in 6.2 seconds.
      (0) Sending duplicate reply to client localhost port 44619 - ID: 13
      Waking up in 12.4 seconds.
      (0) Sending duplicate reply to client localhost port 44619 - ID: 13
      Waking up in 28.7 seconds.
      kinit: Preauthentication failed while getting initial credentials
      Jul 23 10:40:51 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: forward end: Connection timed out
      Jul 23 10:40:51 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: sent: 0 data: 20
      Jul 23 10:40:51 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: ..sent: 20 data: 20
      Jul 23 10:40:51 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: response sent: Access-Reject
      

            abeisemb Anuar Beisembayev
            jrische@redhat.com Julien Rische
            Julien Rische Julien Rische
            Masahiro Matsuya Masahiro Matsuya
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: