- Bug
- Resolution: Done-Errata
- Critical
- rhel-7.9.z
- krb5-1.15.1-55.el7_9.3
- Important
- ZStream
- rhel-sst-idm-ipa
- ssg_idm
- Approved Blocker
- Pass
- Automated
The latest investigations indicate that this problem is caused by the generalization of the Message-Authenticator attribute to sign RADIUS access requests and responses, which is part of the mitigation of the BlastRADIUS vulnerability (CVE-2024-3596).
The mitigation of this vulnerability is part of a larger plan to fix various weaknesses in the RADIUS protocol: draft-ietf-radext-deprecating-radius-03.
MIT krb5 includes a partial implementation of the RADIUS protocol (RFC 2865) but has no support for Message-Authenticator. Because servers that implement the mitigation require the attribute, all RADIUS requests from the KDC to the RADIUS server are rejected, which breaks passwordless setups.
Support for Message-Authenticator has to be implemented in MIT krb5's libkrad so that the KDC can generate valid access requests.
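The attribute the report asks for is specified in RFC 2869 section 5.14: an HMAC-MD5 over the whole RADIUS packet, keyed with the shared secret, computed with the 16-byte Message-Authenticator value set to zeros. The following Python is an added illustration of that computation written for this page; it is not MIT krb5's libkrad code. The shared secret, identifier, Request Authenticator and User-Name are constructed sample values, and User-Password is omitted for brevity. It builds a signed Access-Request and then shows the server-side check that makes an unsigned or tampered request fail, which is exactly what the unpatched KDC runs into.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, identifier, authenticator, attrs):
    """Assemble a RADIUS packet from a list of already-encoded attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def sign_access_request(identifier, authenticator, attrs, secret):
    """Build an Access-Request carrying a valid Message-Authenticator.

    RFC 2869 section 5.14: HMAC-MD5 over the entire packet, keyed with the
    shared secret, with the Message-Authenticator value zeroed while hashing.
    """
    placeholder = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = bytearray(build_packet(ACCESS_REQUEST, identifier, authenticator,
                                    list(attrs) + [placeholder]))
    # The zeroed value is the last 16 bytes because we appended it last.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def find_attr(packet, attr_type):
    """Return (value_offset, value) of the first attribute of attr_type, else None."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        if attr == attr_type:
            return pos + 2, packet[pos + 2:pos + length]
        pos += length
    return None


def verify_message_authenticator(packet, secret):
    """Server-side check: True only if a correct Message-Authenticator is present."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    found = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None:
        return False  # what happens to requests from a libkrad without support
    offset, value = found
    if len(value) != 16:
        return False
    scratch = bytearray(packet)
    scratch[offset:offset + 16] = bytes(16)
    expected = hmac.new(secret, bytes(scratch), hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


if __name__ == "__main__":
    # Constructed sample values; a real client draws the Request Authenticator
    # from os.urandom and the secret from its RADIUS proxy configuration.
    secret = b"testing123"
    request = sign_access_request(13, os.urandom(16),
                                  [encode_attr(ATTR_USER_NAME, b"tuser")], secret)
    print("signed request valid:", verify_message_authenticator(request, secret))
```

The verifier zeroes the attribute in a scratch copy before recomputing, and uses `hmac.compare_digest` so the comparison does not leak timing information; a request that omits the attribute, carries a wrong-length value, or was built with a different secret is rejected rather than answered.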
Combination of radiusd and ipa-otpd logs:
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0) post-auth {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Sent Access-Accept Id 13 from 127.0.0.1:1812 to 127.0.0.1:44619 length 0
(0) Finished request
Waking up in 4.9 seconds.
Jul 23 10:40:36 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: request received
Jul 23 10:40:36 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: user query start
Jul 23 10:40:36 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: user query end: uid=tuser,cn=users,cn=accounts,dc=test,dc=ipa
Jul 23 10:40:36 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: radius query start: cn=tproxy,cn=radiusproxy,dc=test,dc=ipa
Jul 23 10:40:36 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: radius query end: 127.0.0.1
Jul 23 10:40:36 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: forward start: tuser / 127.0.0.1
(0) Sending duplicate reply to client localhost port 44619 - ID: 13
Waking up in 6.2 seconds.
(0) Sending duplicate reply to client localhost port 44619 - ID: 13
Waking up in 12.4 seconds.
(0) Sending duplicate reply to client localhost port 44619 - ID: 13
Waking up in 28.7 seconds.
kinit: Preauthentication failed while getting initial credentials
Jul 23 10:40:51 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: forward end: Connection timed out
Jul 23 10:40:51 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: sent: 0 data: 20
Jul 23 10:40:51 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: ..sent: 20 data: 20
Jul 23 10:40:51 master.test.ipa ipa-otpd[20230]: tuser@TEST.IPA: response sent: Access-Reject
- clones: RHEL-50253 libkrad: implement support for Message-Authenticator (CVE-2024-3596) [rhel-8] (Closed)
- links to: RHSA-2024:140917 krb5 security update