MGASA-2024-0264 - Updated freeradius packages fix security vulnerability

Publication date: 14 Jul 2024
URL: https://advisories.mageia.org/MGASA-2024-0264.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-3596

This vulnerability allows an attacker performing a meddler-in-the-middle
attack between Palo Alto Networks PAN-OS firewall and a RADIUS server to
bypass authentication and escalate privileges to ‘superuser’ when RADIUS
authentication is in use and either CHAP or PAP is selected in the
RADIUS server profile.
CHAP and PAP are protocols with no Transport Layer Security (TLS), and
hence vulnerable to meddler-in-the-middle attacks. Neither protocol
should be used unless they are encapsulated by an encrypted tunnel. If
they are in use, but are encapsulated within a TLS tunnel, they are not
vulnerable to this attack.
For additional information regarding this vulnerability, please see
https://blastradius.fail.
Note: these two lines are added upstream in the default radiusd.conf
file:
"""
require_message_authenticator = auto
limit_proxy_state = auto
"""

References:
- https://bugs.mageia.org/show_bug.cgi?id=33388
- https://www.freeradius.org/security/
- https://www.openwall.com/lists/oss-security/2024/07/09/4
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3596

SRPMS:
- 9/core/freeradius-3.0.27-1.mga9