Does Global Protect RADIUS support Message Authentication? (to mitigate BlastRADIUS 9/10 CVSS vulnerability )

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Does Global Protect RADIUS support Message Authentication? (to mitigate BlastRADIUS 9/10 CVSS vulnerability )

L1 Bithead

Does the Global Protect RADIUS implementation support Messaging Authentication?

If not, how quickly will a hotfix to patch this vulnerable implementation of RADIUS be released?

 

Background info:

 

When configuring Global Protect we used RADIUS to integrate RSA Secure ID as a second factor to LDAP, to ensure it took more than just a password to log in, but now it turns out RADIUS was designed to use MD5 hash sums in a way that is inherently insecure as detailed here:  https://www.blastradius.fail/pdf/radius.pdf 

 

RSA Secure ID released a patch which adds a new value to set in the RADIUS server config files (FreeRadius-Client-require-MA = yes), but the support documentation says the RADIUS client needs to support Messaging Authentication. https://community.securid.com/s/article/RSA-Announces-Critical-Security-Updates-for-RSA-ID-Plus-Comp... 

 

GlobalProtect Panorama 

2 accepted solutions

Accepted Solutions

L5 Sessionator

Even I'm not sure this is what we are looking at, I found new command on 11.1.3 and above.

I'm not testing anything about it yet and also I'm not researching it on other branches.

 

"set auth radius-require-msg-authentic yes/no" might be answer for us.

 

admin@PA-VM> show system info | match sw-version
sw-version: 11.1.1
admin@PA-VM> set auth ?
* strict-username-check   Use strict username check for user role access

admin@PA-VM> 


admin@PA-VM> show system info | match sw-version
sw-version: 11.1.2
admin@PA-VM> set auth ?
* strict-username-check   Use strict username check for user role access

admin@PA-VM> 


admin@PA-VM> show system info | match sw-version
sw-version: 11.1.3
admin@PA-VM> set auth ?
> radius-require-msg-authentic   Flag to check Message-Authenticator in RADIUS response
> remote-host-check              check remote host (client IP address) during auth redirects
> strict-username-check          Use strict username check for user role access

admin@PA-VM> 


 

View solution in original post

Cyber Elite
Cyber Elite

Hello @mmason

 

based on advisory for CVE-2024-3596 the authentication check in RADIUS has been introduced in these versions and newer: PAN-OS 9.1.19, PAN-OS 10.1.14, PAN-OS 10.2.10, PAN-OS 11.0.7, PAN-OS 11.1.3.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

6 REPLIES 6

L5 Sessionator

Even I'm not sure this is what we are looking at, I found new command on 11.1.3 and above.

I'm not testing anything about it yet and also I'm not researching it on other branches.

 

"set auth radius-require-msg-authentic yes/no" might be answer for us.

 

admin@PA-VM> show system info | match sw-version
sw-version: 11.1.1
admin@PA-VM> set auth ?
* strict-username-check   Use strict username check for user role access

admin@PA-VM> 


admin@PA-VM> show system info | match sw-version
sw-version: 11.1.2
admin@PA-VM> set auth ?
* strict-username-check   Use strict username check for user role access

admin@PA-VM> 


admin@PA-VM> show system info | match sw-version
sw-version: 11.1.3
admin@PA-VM> set auth ?
> radius-require-msg-authentic   Flag to check Message-Authenticator in RADIUS response
> remote-host-check              check remote host (client IP address) during auth redirects
> strict-username-check          Use strict username check for user role access

admin@PA-VM> 


 

That looks promising! Will try it out.

 

Cyber Elite
Cyber Elite

Hello @mmason

 

based on advisory for CVE-2024-3596 the authentication check in RADIUS has been introduced in these versions and newer: PAN-OS 9.1.19, PAN-OS 10.1.14, PAN-OS 10.2.10, PAN-OS 11.0.7, PAN-OS 11.1.3.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Thanks for confirming, waiting for our maintenance window to apply 11.1.3 so we can enable this setting, much appreciated!

L1 Bithead

I ran this command on a PA-5430 with 11.1.3-h4 installed.  I set it to yes to require message authentication and ran the show command to see if it was accepted but I got no output. As a result, the connection to my RADIUS server is still broken until I find a workaround. 

re: no output:  Same experience on 10.2.10-h1 and 11.2.0

On the API, when set to yes or no, response is the same.  Missing CDATA.  I'll be opening a ticket with PA to check on this today.

<show><auth><radius-require-msg-authentic></radius-require-msg-authentic></auth></show>

<response status="success">
<result>
<![CDATA[ ]]>
</result>
</response>
-------------------------------------------
Edit/Add:  PA noted it the lack of display is a bug.  Can be gathered through one of the three methods currently

Verified the sdb variable is set to True from TSF at location <tsffile>\tmp\cli\logs\sdb.txt
cfg.auth.radius-require-msg-authentic: True

you can verify the same from CLI using the command
> show system state | match cfg.auth.radius-require-msg-authentic

API command below:
https://<firewall>/api/?type=op&cmd=<show><system><state><filter>cfg.auth.radius-require-msg-authent...
  • 2 accepted solutions
  • 2466 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!