07-09-2024 03:24 PM
Does the GlobalProtect RADIUS implementation support Message Authentication?
If not, how quickly will a hotfix to patch this vulnerable implementation of RADIUS be released?
Background info:
When configuring GlobalProtect we used RADIUS to integrate RSA SecurID as a second factor to LDAP, to ensure it took more than just a password to log in. It now turns out that RADIUS was designed to use MD5 hash sums in a way that is inherently insecure, as detailed here: https://www.blastradius.fail/pdf/radius.pdf
RSA SecurID released a patch which adds a new value to set in the RADIUS server config files (FreeRadius-Client-require-MA = yes), but the support documentation says the RADIUS client needs to support Message Authentication. https://community.securid.com/s/article/RSA-Announces-Critical-Security-Updates-for-RSA-ID-Plus-Comp...
07-09-2024 06:59 PM
Even though I'm not sure this is what we are looking at, I found a new command on 11.1.3 and above.
I haven't tested anything about it yet, and I also haven't researched it on other branches.
"set auth radius-require-msg-authentic yes/no" might be the answer for us.
admin@PA-VM> show system info | match sw-version
sw-version: 11.1.1
admin@PA-VM> set auth ?
* strict-username-check Use strict username check for user role access
admin@PA-VM>
admin@PA-VM> show system info | match sw-version
sw-version: 11.1.2
admin@PA-VM> set auth ?
* strict-username-check Use strict username check for user role access
admin@PA-VM>
admin@PA-VM> show system info | match sw-version
sw-version: 11.1.3
admin@PA-VM> set auth ?
> radius-require-msg-authentic Flag to check Message-Authenticator in RADIUS response
> remote-host-check check remote host (client IP address) during auth redirects
> strict-username-check Use strict username check for user role access
admin@PA-VM>
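To make concrete what the Blast-RADIUS paper linked in the question describes and what a client-side "require Message-Authenticator" setting such as the radius-require-msg-authentic flag shown above changes, here is an added example (not code from the original thread, from Palo Alto Networks or from RSA). It builds an Access-Accept the way a server does, then verifies it as a RADIUS client: first the unkeyed MD5 Response Authenticator (the value the attack forges via an MD5 chosen-prefix collision), then the keyed HMAC-MD5 Message-Authenticator attribute (type 80, RFC 2869) that the attack cannot forge. The shared secret, the Filter-Id attribute and the request authenticator are constructed sample values; the flag names and packet layout follow the RFCs, not any vendor implementation.

```python
import hashlib
import hmac
import os
import struct

ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14
ATTR_FILTER_ID = 11
CODE_ACCESS_ACCEPT = 2


def build_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs (type, length, value)."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_response(code, ident, request_auth, secret, attrs, include_ma=True):
    """Build an Access-Accept/Reject/Challenge as a RADIUS server would."""
    body = build_attrs(attrs)
    if include_ma:
        ma_offset = len(body)
        body += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if include_ma:
        # HMAC-MD5 over the whole reply, with the Request Authenticator in the
        # authenticator field and the Message-Authenticator value zeroed.
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:ma_offset + 2] + mac + body[ma_offset + 18:]
    # Response Authenticator: plain MD5, no key mixing beyond appending the secret.
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(data):
    """Yield (type, value, offset) for each attribute, rejecting malformed lengths."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        yield t, data[pos + 2:pos + length], pos
        pos += length


def verify_response(packet, request_auth, secret, require_ma):
    """Client-side checks; returns (accepted, reason)."""
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length mismatch"
    resp_auth, body = packet[4:20], packet[20:]
    # Check 1: Response Authenticator. Blast-RADIUS shows this MD5 check alone
    # can be satisfied by a forged reply, so passing it proves little.
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "bad Response Authenticator"
    # Check 2: Message-Authenticator (keyed HMAC-MD5 over the zeroed packet).
    found = [(v, off) for t, v, off in parse_attrs(body) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        if require_ma:
            return False, "Message-Authenticator missing"
        return True, "accepted without Message-Authenticator (legacy behaviour)"
    value, off = found[0]
    if len(value) != 16:
        return False, "malformed Message-Authenticator"
    zeroed = body[:off + 2] + b"\x00" * 16 + body[off + 18:]
    mac = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, value):
        return False, "bad Message-Authenticator"
    return True, "accepted"


def demo():
    """Compare a legacy client (require_ma=False) with a strict one (require_ma=True)."""
    secret = b"constructed-shared-secret"      # constructed sample value
    request_auth = os.urandom(16)              # Request Authenticator from the Access-Request
    attrs = [(ATTR_FILTER_ID, b"gp-users")]    # constructed sample attribute
    with_ma = build_response(CODE_ACCESS_ACCEPT, 7, request_auth, secret, attrs, True)
    without_ma = build_response(CODE_ACCESS_ACCEPT, 7, request_auth, secret, attrs, False)
    return {
        "legacy_with_ma": verify_response(with_ma, request_auth, secret, False)[0],
        "legacy_without_ma": verify_response(without_ma, request_auth, secret, False)[0],
        "strict_with_ma": verify_response(with_ma, request_auth, secret, True)[0],
        "strict_without_ma": verify_response(without_ma, request_auth, secret, True)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The strict mode is the only combination that rejects a reply lacking the attribute, which is why the server side (the FreeRadius-Client-require-MA setting in the question) and the client side both have to be updated: a server that adds the attribute changes nothing if the client never checks for it.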
07-10-2024 03:40 PM
Hello @mmason
Based on the advisory for CVE-2024-3596, the authentication check in RADIUS has been introduced in these versions and newer: PAN-OS 9.1.19, PAN-OS 10.1.14, PAN-OS 10.2.10, PAN-OS 11.0.7, PAN-OS 11.1.3.
Kind Regards
Pavel
07-10-2024 09:14 AM
That looks promising! Will try it out.
07-10-2024 03:43 PM
Thanks for confirming. We are waiting for our maintenance window to apply 11.1.3 so we can enable this setting. Much appreciated!
08-14-2024 04:55 PM
I ran this command on a PA-5430 with 11.1.3-h4 installed. I set it to yes to require message authentication and ran the show command to see if it was accepted but I got no output. As a result, the connection to my RADIUS server is still broken until I find a workaround.
09-10-2024 05:09 AM - edited 09-10-2024 06:40 AM
re: no output: Same experience on 10.2.10-h1 and 11.2.0
On the API, when set to yes or no, response is the same. Missing CDATA. I'll be opening a ticket with PA to check on this today.
<show><auth><radius-require-msg-authentic></radius-require-msg-authentic></auth></show>