This Week In Security: Blast-RADIUS, Gitlab, And Plormbing | Hackaday
The RADIUS authentication scheme, short for “Remote Authentication Dial-In User
Service”, has been widely deployed for user authentication in all sorts of scenarios. It’s
a bit odd, in that individual users authenticate to a “RADIUS Client”, sometimes called
a Network Access Server (NAS). In response to an authentication request, a NAS
packages up the authentication details and sends them to a central RADIUS server for
verification. The server then sends back a judgement on the authentication request,
and if successful, the user is authenticated to the NAS/client.
The scheme was updated to its current form in 1994, back when MD5 was considered
a cryptographically good hash. It’s been demonstrated that MD5 has problems, most
notably a chosen-prefix collision attack demonstrated in 2007. The basis of this
collision attack is that given two arbitrary messages, it is possible to find a pair of
values that, when appended to the end of those messages, result in matching md5
hashes for each combined message. It turns out this is directly applicable to RADIUS.
The attack is a man-in-the-middle, but not against an authenticating user. This attack is
a man-in-the-middle between the NAS and the RADIUS server, and a real user isn’t
even required. This elevated position does make an attack harder to achieve in some
cases, but situations like RADIUS providing authentication for administrative access to
a device are squarely in scope. Wrapping the RADIUS backend communications in a
TLS layer does protect against the attack.
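To make concrete what the MD5 check in the protocol actually covers, here is an added example (written for this edit, not code from the article or from the Blast-RADIUS researchers) that builds and verifies the RFC 2865 Response Authenticator, and goes one step beyond the article by also handling the keyed HMAC-MD5 Message-Authenticator attribute from RFC 2869. The shared secret, Request Authenticator and packet contents are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values (not from the article): the secret shared by a NAS and its
# RADIUS server, and the Request Authenticator of the Access-Request being answered.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)


def encode_attrs(attrs):
    # RADIUS attributes are TLVs: 1-byte type, 1-byte length (header included), value
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def response_authenticator(header, attrs, request_auth, secret):
    # RFC 2865 s3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret). The secret is only
    # a suffix of a bare MD5 over peer-visible data; that is what a chosen-prefix collision targets.
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret, with_msg_auth=False):
    if with_msg_auth:
        attrs = attrs + [(MSG_AUTH, bytes(16))]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_msg_auth:
        # RFC 2869 s5.14: HMAC-MD5 keyed with the secret over the packet, with the
        # Request Authenticator in the authenticator slot and the MAC value zeroed.
        mac = hmac.new(secret, header + request_auth + body, "md5").digest()
        body = body[:-16] + mac
    return header + response_authenticator(header, body, request_auth, secret) + body


def verify_response(pkt, request_auth, secret):
    """Return (resp_auth_ok, msg_auth_ok); msg_auth_ok is None when no HMAC is present."""
    header, body = pkt[:4], pkt[20:]
    if len(pkt) < 20 or struct.unpack("!BBH", header)[2] != len(pkt):
        return False, None
    auth_ok = hmac.compare_digest(pkt[4:20], response_authenticator(header, body, request_auth, secret))
    msg_ok, pos = None, 0
    while pos + 2 <= len(body):  # walk the TLVs looking for Message-Authenticator
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            return False, None
        if t == MSG_AUTH and l == 18:
            zeroed = body[:pos + 2] + bytes(16) + body[pos + 18:]
            mac = hmac.new(secret, header + request_auth + zeroed, "md5").digest()
            msg_ok = hmac.compare_digest(body[pos + 2:pos + 18], mac)
        pos += l
    return auth_ok, msg_ok
```

Both checks fail closed on a wrong secret or a length mismatch; the difference is that the Response Authenticator is a plain hash with the secret appended, while Message-Authenticator is a keyed MAC.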
GITLAB
It’s once again time to go update your Gitlab instances, and this one sounds familiar.
It’s another issue where an attacker could run pipeline jobs as an arbitrary user. This
comes as one more of a series of problems in Gitlab, with at least one of them being
exploited in the wild. It’s not surprising to see a high-visibility vulnerability leading to
the discovery of several more similar problems. With this latest issue being so similar
to the previous pipeline problem, it’s possible that it’s actually an incomplete patch or
additional workaround discovered to exploit the same issue.
EXIM
There’s a bug in the Exim email server that impacts the processing of attachment
blocking rules. Specifically, the filename in the email header is broken into multiple
parts, with some confusing extra bytes in between. It’s technically compliant with the
right RFC, but Exim’s MIME handling code gets confused and misses the right
message name.
An Exim server can be configured to block certain file types, and this vulnerability allows
those blocked attachments through. The original CVSS of 9.1 is a tad insane. The latest
update drops that to a 5.4, which seems much more appropriate.
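An added example, not from the article or the Exim project, of why an attachment filter has to run on the fully reassembled filename. It assumes the split the article describes is the RFC 2231 parameter-continuation mechanism (the article names neither the RFC nor the exact bytes involved); the message, blocklist and function names are constructed.

```python
import email
import re
from email import policy

# Constructed sample message (not from the article). The attachment name is split
# into RFC 2231 continuation parameters (filename*0, filename*1) across folded
# header lines, so no single filename="..." token carries the extension.
RAW_MESSAGE = (
    "From: sender@example.test\r\n"
    "To: recipient@example.test\r\n"
    "Subject: constructed sample\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment;\r\n"
    " filename*0=\"invoice\";\r\n"
    " filename*1=\".exe\"\r\n"
    "\r\n"
    "not a real payload\r\n"
)
BLOCKED_EXTENSIONS = (".exe", ".scr", ".bat")


def naive_filename(raw):
    """Filter that only matches one quoted filename= parameter: it never sees
    the continuation pieces, so the attachment looks nameless to it."""
    m = re.search(r'filename="([^"]*)"', raw)
    return m.group(1) if m else None


def reassembled_filename(raw):
    """Parse the whole message and let the stdlib MIME parser join the RFC 2231
    sections before anything looks at the extension."""
    msg = email.message_from_string(raw, policy=policy.default)
    return msg.get_filename()


def decide(name):
    """Blocklist decision. A filename the filter could not recover is not
    treated as harmless; it is held for inspection rather than allowed through."""
    if name is None:
        return "quarantine"
    return "block" if name.lower().endswith(BLOCKED_EXTENSIONS) else "allow"
```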
This brings us to a second approach, a time-based data leak. Here a SQL query will
execute slowly or quickly depending on the data in the database. The plormber tool is
designed to easily build attempts at time-based leaks. Hence the pun. If you have a
leak in your ORM, call a plORMber. *sigh*
A very odd file extension, .pdf.url, manages to appear as a pdf file with the
appropriate icon, and yet opens IE when executed. This finally got classified by
Microsoft as a vulnerability and fixed.
One of the security barriers that most of us rely on is that traffic originating from the
WAN side of the router should stay there. When that paradigm breaks down, we have
problems. And that’s exactly what the folks at Claroty are working to defeat. The trick
this time is a vulnerability in a router’s Dynamic DNS service. Manage to spoof a DNS
lookup or MitM that connection, and suddenly it’s RCE on the router.
And finally, we’ve covered a pair of outstanding stories this week here at Hackaday.
You should go read about how Ticketmaster’s app was reverse engineered, followed
by a brilliant and completely impractical scheme to get your Internet connection for
free while flying.
Posted in Hackaday Columns, News, Security Hacks
Tagged Blast RADIUS, RegreSSHion, This Week in Security
Copyright © 2024 Hackaday