This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Does Global Protect RADIUS support Message Authentication? (to mitigate BlastRADIUS 9/10 CVSS vulnerability )

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Does Global Protect RADIUS support Message Authentication? (to mitigate BlastRADIUS 9/10 CVSS vulnerability )

Go to solution
mmason
L1 Bithead

‎07-09-2024 03:24 PM

Does the Global Protect RADIUS implementation support Messaging Authentication?

If not, how quickly will a hotfix to patch this vulnerable implementation of RADIUS be released?

 

Background info:

 

When configuring Global Protect we used RADIUS to integrate RSA Secure ID as a second factor to LDAP, to ensure it took more than just a password to log in, but now it turns out RADIUS was designed to use MD5 hash sums in a way that is inherently insecure as detailed here:  https://www.blastradius.fail/pdf/radius.pdf 

 

RSA Secure ID released a patch which adds a new value to set in the RADIUS server config files (FreeRadius-Client-require-MA = yes), but the support documentation says the RADIUS client needs to support Messaging Authentication. https://community.securid.com/s/article/RSA-Announces-Critical-Security-Updates-for-RSA-ID-Plus-Comp... 

 

GlobalProtect Panorama 

GlobalProtect
Thumbnail of GlobalProtect
Palo Alto Networks
GlobalProtect
Network Security
View on Product Page
Panorama
Thumbnail of Panorama
Palo Alto Networks
Panorama
Network Security
View on Product Page
0 Likes Likes
2 accepted solutions

Accepted Solutions

Go to solution
emr_1
L5 Sessionator

‎07-09-2024 06:59 PM

Even I'm not sure this is what we are looking at, I found new command on 11.1.3 and above.

I'm not testing anything about it yet and also I'm not researching it on other branches.

 

"set auth radius-require-msg-authentic yes/no" might be answer for us.

 

admin@PA-VM> show system info | match sw-version
sw-version: 11.1.1
admin@PA-VM> set auth ?
* strict-username-check   Use strict username check for user role access

admin@PA-VM> 


admin@PA-VM> show system info | match sw-version
sw-version: 11.1.2
admin@PA-VM> set auth ?
* strict-username-check   Use strict username check for user role access

admin@PA-VM> 


admin@PA-VM> show system info | match sw-version
sw-version: 11.1.3
admin@PA-VM> set auth ?
> radius-require-msg-authentic   Flag to check Message-Authenticator in RADIUS response
> remote-host-check              check remote host (client IP address) during auth redirects
> strict-username-check          Use strict username check for user role access

admin@PA-VM>


 

View solution in original post

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎07-10-2024 03:40 PM

Hello @mmason

 

based on advisory for CVE-2024-3596 the authentication check in RADIUS has been introduced in these versions and newer: PAN-OS 9.1.19, PAN-OS 10.1.14, PAN-OS 10.2.10, PAN-OS 11.0.7, PAN-OS 11.1.3.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

0 Likes Likes
4 REPLIES 4

Go to solution
emr_1
L5 Sessionator

‎07-09-2024 06:59 PM

Even I'm not sure this is what we are looking at, I found new command on 11.1.3 and above.

I'm not testing anything about it yet and also I'm not researching it on other branches.

 

"set auth radius-require-msg-authentic yes/no" might be answer for us.

 

admin@PA-VM> show system info | match sw-version
sw-version: 11.1.1
admin@PA-VM> set auth ?
* strict-username-check   Use strict username check for user role access

admin@PA-VM> 


admin@PA-VM> show system info | match sw-version
sw-version: 11.1.2
admin@PA-VM> set auth ?
* strict-username-check   Use strict username check for user role access

admin@PA-VM> 


admin@PA-VM> show system info | match sw-version
sw-version: 11.1.3
admin@PA-VM> set auth ?
> radius-require-msg-authentic   Flag to check Message-Authenticator in RADIUS response
> remote-host-check              check remote host (client IP address) during auth redirects
> strict-username-check          Use strict username check for user role access

admin@PA-VM>


 

Go to solution
mmason
L1 Bithead
In response to emr_1

‎07-10-2024 09:14 AM

That looks promising! Will try it out.

 

0 Likes Likes

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎07-10-2024 03:40 PM

Hello @mmason

 

based on advisory for CVE-2024-3596 the authentication check in RADIUS has been introduced in these versions and newer: PAN-OS 9.1.19, PAN-OS 10.1.14, PAN-OS 10.2.10, PAN-OS 11.0.7, PAN-OS 11.1.3.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
mmason
L1 Bithead
In response to PavelK

‎07-10-2024 03:43 PM

Thanks for confirming, waiting for our maintenance window to apply 11.1.3 so we can enable this setting, much appreciated!

0 Likes Likes
  • 2 accepted solutions
  • 1048 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks