Security Advisories

Radius vulnerability
Advisory ID: IAC-2024-006
Date: 2024-07-15

Severity: Medium
Affected versions: 21.0-p21004 – 21.0-p21561
Fixed version: 21.0-p21566
Related CVEs: CVE-2024-3596
The vulnerability in the RADIUS protocol known as Blast-RADIUS (CVE-2024-3596) affects Radius and iPass authentication on the IACBOX.

Who is affected?
Only systems with the external authentication method Radius or iPass enabled are affected, because these use plain Radius (without EAP).
- Note that Radius can also be used as the authentication method for WebAdmin logins, which is then affected as well.
- Radius as part of 802.1X is not affected, as EAP should always be in use there.

A man-in-the-middle between the IACBOX and the Radius server can turn a denied authentication (Access-Reject) into a successful one (Access-Accept).
To do so the attacker must compute an MD5 chosen-prefix collision so that the server's Response Authenticator, an unkeyed MD5 over the packet and the shared secret, also validates for the forged Access-Accept, and must finish within the client's timeout. This needs considerable computing resources and time, so the attack is not easy to carry out.

Changes
- From now on Radius requests always carry the Message-Authenticator attribute.
- There is a new Radius setting in WebAdmin under Login Methods -> External Authentication -> Radius: Force Message Authentication, which checks that every Radius response carries the Message-Authenticator attribute. This attribute is an HMAC-MD5 over the packet keyed with the shared secret, which the collision attack on the unkeyed Response Authenticator cannot forge.
This option has to be switched on manually, because it may not be backwards compatible with your Radius server if that server does not send this attribute: with the option enabled, responses without Message-Authenticator are rejected. Check that your Radius server has been updated for CVE-2024-3596 and includes Message-Authenticator in its responses before enabling it.
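The following is an added example written for this page; it is not IACBOX code. It builds the two RADIUS integrity values involved here from the RFC definitions: the unkeyed MD5 Response Authenticator (RFC 2865) that Blast-RADIUS forges, and the keyed HMAC-MD5 Message-Authenticator (RFC 2869) that the new Force Message Authentication setting requires. The shared secret, user name, identifier and the filler bytes standing in for the collision blocks are all constructed values; the collision computation itself is not reproduced, so the forged packet only illustrates why the keyed check still fails for it.

```python
import hashlib
import hmac
import os
import struct

# Constructed example values; a real deployment has its own site-specific secret.
SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_PROXY_STATE = 33            # where Blast-RADIUS stows its collision blocks
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14
HDR = struct.Struct("!BBH")      # Code, Identifier, Length (then 16-byte authenticator)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def parse_attrs(body):
    attrs = []
    while body:
        t, length = body[0], body[1]
        if length < 2 or length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((t, body[2:length]))
        body = body[length:]
    return attrs


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 section 3: plain MD5 over Code+ID+Length+RequestAuth+Attributes+Secret.
    Unkeyed MD5, so an MD5 chosen-prefix collision can make it match a modified packet."""
    hdr = HDR.pack(code, ident, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 section 5.14: HMAC-MD5 keyed with the shared secret over the packet with the
    Message-Authenticator value zero-filled. For responses, the Request Authenticator of the
    matching Access-Request occupies the authenticator field during the computation."""
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    hdr = HDR.pack(code, ident, 20 + len(body))
    return hmac.new(secret, hdr + request_auth + body, hashlib.md5).digest()


def build_request(ident, user, secret):
    """Access-Request that always carries Message-Authenticator, as the fixed client does."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, user), (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[1] = (ATTR_MESSAGE_AUTHENTICATOR,
                message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret))
    body = encode_attrs(attrs)
    return HDR.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth


def build_response(code, ident, request_auth, secret, with_message_auth):
    """Server side: optionally add Message-Authenticator, then seal with the Response Authenticator."""
    attrs = []
    if with_message_auth:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        attrs[0] = (ATTR_MESSAGE_AUTHENTICATOR,
                    message_authenticator(code, ident, request_auth, attrs, secret))
    body = encode_attrs(attrs)
    resp_auth = response_authenticator(code, ident, request_auth, body, secret)
    return HDR.pack(code, ident, 20 + len(body)) + resp_auth + body


def forge_accept(reject_packet, collision_blocks):
    """Attacker's step minus the collision itself: flip Access-Reject to Access-Accept and append
    a Proxy-State attribute carrying the collision blocks. In the real attack those blocks make the
    unkeyed Response Authenticator match; here they are constructed filler."""
    _, ident, _ = HDR.unpack_from(reject_packet)
    body = reject_packet[20:] + encode_attrs([(ATTR_PROXY_STATE, collision_blocks)])
    return HDR.pack(ACCESS_ACCEPT, ident, 20 + len(body)) + reject_packet[4:20] + body


def check_message_authenticator(packet, request_auth, secret):
    """Returns 'missing', 'valid' or 'invalid' for the packet's Message-Authenticator."""
    code, ident, _ = HDR.unpack_from(packet)
    attrs = parse_attrs(packet[20:])
    present = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not present:
        return "missing"
    expected = message_authenticator(code, ident, request_auth, attrs, secret)
    return "valid" if hmac.compare_digest(present[0], expected) else "invalid"


def validate_response(packet, request_auth, secret, force_message_auth):
    """Client side. Returns (valid, outcome). With force_message_auth=False a response without
    Message-Authenticator is accepted on the forgeable MD5 check alone (pre-fix behaviour)."""
    code, ident, length = HDR.unpack_from(packet)
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False, "malformed or unexpected packet"
    body = packet[20:]
    if not hmac.compare_digest(packet[4:20], response_authenticator(code, ident, request_auth, body, secret)):
        return False, "bad Response Authenticator"
    ma = check_message_authenticator(packet, request_auth, secret)
    if ma == "invalid":
        return False, "bad Message-Authenticator"
    if ma == "missing" and force_message_auth:
        return False, "Message-Authenticator missing"
    return True, "accept" if code == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    _, ra = build_request(7, b"alice", SECRET)
    reject = build_response(ACCESS_REJECT, 7, ra, SECRET, with_message_auth=False)
    print(validate_response(reject, ra, SECRET, force_message_auth=False))
    print(validate_response(reject, ra, SECRET, force_message_auth=True))
    forged = forge_accept(build_response(ACCESS_REJECT, 7, ra, SECRET, True), b"\x00" * 32)
    print(check_message_authenticator(forged, ra, SECRET))
```

The keyed check is what the new setting buys: a response without Message-Authenticator is refused outright, and a response whose code or attributes were altered after the server signed it fails the HMAC regardless of what the attacker did to the MD5 Response Authenticator. A legacy server that never sends the attribute will have every response refused, which is why the option is off by default.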

Further Information
See the blastradius.fail page for more details
