[RADIATOR] move Message-Authenticator to the top ?
Heikki Vatiainen
hvn at open.com.au
Fri Sep 6 15:46:43 UTC 2024

On 5.9.2024 18.01, Patrik Forsberg via radiator wrote:
> Is it possible to move the Message-Authenticator attribute to the very
> top directly after the attribute header in the response package back to
> the requestor ?
This is done by the latest release, Radiator 4.29. The reason for the
change is the recent vulnerability in the RADIUS protocol that was made
public in July. For more information about Blast-RADIUS, CVE-2024-3596,
please see:
https://www.blastradius.fail/
https://radiatorsoftware.com/blastradius-vulnerability-fixed-in-radiator-v4-29/
> Asking because I just ran into a device that, for whatever reason, is
> enforcing that the Message-Authenticator attribute is at the very top
> after the attribute header and at this point I have a lot of other
> attributes before Message-Authenticator ..
Hmm, can you let me know what's the device in question? You can reply to
me directly too. The position of Message-Authenticator should not
matter, even when considering Blast-RADIUS mitigation.
The clients and servers should now add Message-Authenticator as the
first attribute which already mitigates the problem. The clients and
servers should also have an option to require Message-Authenticator with
the applicable messages, but requiring it as the first attribute when
receiving a message is unnecessarily strict.
The details of the mitigations and fixes are detailed on the pages
linked above.
To summarise: upgrade to Radiator 4.29 and Message-Authenticator is
automatically added as the first attribute. Requiring it to be the first
attribute when receiving a message sounds like something that the vendor
should revise.
Thanks,
Heikki
--
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
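
The point made in the reply above, that a receiver can validate Message-Authenticator wherever it sits instead of insisting on the first position, shown as an added example (not part of the original message and not Radiator's code). The function names, shared secret, Request Authenticator and attributes are constructed for illustration; the HMAC-MD5 computation follows RFC 3579.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 / RFC 3579


def build_response(code, ident, request_auth, attrs, secret):
    """Encode a response; attrs is a list of (type, value) in wire order."""
    body, mac_at = bytearray(), None
    for a_type, value in attrs:
        if a_type == MESSAGE_AUTHENTICATOR:
            mac_at, value = len(body) + 2, bytes(16)  # zero placeholder
        body += bytes([a_type, len(value) + 2]) + value
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if mac_at is not None:
        # HMAC-MD5 over the packet with the Request Authenticator in the header
        body[mac_at:mac_at + 16] = hmac.new(
            secret, header + request_auth + body, hashlib.md5).digest()
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + bytes(body)


def check_response(packet, request_auth, secret):
    """Return (valid, index) of Message-Authenticator; (False, None) if absent."""
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    offset, index = 20, 0
    while offset < length:
        if offset + 2 > length or packet[offset + 1] < 2 \
                or offset + packet[offset + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[offset], packet[offset + 1]
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            received = packet[offset + 2:offset + 18]
            zeroed = (packet[:4] + request_auth + packet[20:offset + 2]
                      + bytes(16) + packet[offset + 18:length])
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected), index
        offset, index = offset + a_len, index + 1
    return False, None


# Constructed sample data: shared secret, Request Authenticator, Access-Accept (code 2)
SECRET, REQ_AUTH = b"constructed-secret", bytes(range(16))
OTHER = [(18, b"Welcome"), (27, struct.pack("!I", 3600))]  # Reply-Message, Session-Timeout
MAC_FIRST = build_response(2, 7, REQ_AUTH, [(80, b"")] + OTHER, SECRET)
MAC_LAST = build_response(2, 7, REQ_AUTH, OTHER + [(80, b"")], SECRET)
```

Both sample packets verify; only the returned index differs, which a receiver can log without rejecting the response.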