Netgate Discussion Forum

    CVE-2024-3596 blast-radius

    General pfSense Questions
    2 Posts 2 Posters 289 Views
      henniee
      last edited by

      Is there a patch coming fixing CVE-2024-3596?

        mcury Rebel Alliance @henniee
        last edited by

        @henniee

        You don't need to worry if:
        1- you are using EAP authentication (e.g. IPsec, 802.11x), which is not affected.
        2- the traffic never leaves the firewall (FreeRADIUS server on pfSense software, NAS/client is on the same device).

        For the time being, you can set this in your radius.conf, but note that this may bring issues depending on your NAS device's FreeRADIUS implementation.

            require_message_authenticator = yes
            limit_proxy_state = yes

        Note current best practices dictate protecting RADIUS traffic by tunneling or limiting network access (e.g. using a private/secure link for RADIUS) which also limits potential exposure.

        You can get more details in the following links:

        https://www.freeradius.org/security/
        https://www.inkbridgenetworks.com/blastradius/faq

        To report vulnerabilities, go to https://www.netgate.com/security

        This is not an official answer from Netgate or from freeradius, I'm just a regular user.

        dead on arrival, nowhere to be found.

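To make concrete what the two radius.conf settings above enforce on the wire, here is an added example (not from the thread, pfSense or FreeRADIUS) that parses a RADIUS packet, approximates `require_message_authenticator` and `limit_proxy_state` as accept/reject checks, and verifies the HMAC-MD5 Message-Authenticator (RFC 2869 §5.14) against the shared secret. The builder, shared secret and attribute values are constructed test data, and the policy logic is a simplified model of FreeRADIUS behaviour, not its actual code.

```python
import hmac
import hashlib
import struct
# RADIUS Access-Request code and attribute types (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
ATTR_PROXY_STATE = 33
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code, Identifier, Length, 16-byte Request Authenticator

def parse_attributes(packet):
    """Yield (type, value, offset) for each TLV attribute after the header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = HEADER_LEN
    while pos < length:
        attr_len = packet[pos + 1] if pos + 2 <= length else 0
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + attr_len], pos
        pos += attr_len

def check_policy(packet, secret, require_message_authenticator=True, limit_proxy_state=True):
    """Apply the two radius.conf checks to one packet; returns (accepted, reason)."""
    attrs = list(parse_attributes(packet))
    macs = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    has_proxy_state = any(t == ATTR_PROXY_STATE for t, _, _ in attrs)
    if packet[0] == ACCESS_REQUEST and require_message_authenticator and not macs:
        return False, "Access-Request without Message-Authenticator"
    if limit_proxy_state and has_proxy_state and not macs:
        return False, "Proxy-State present but no Message-Authenticator"
    for value, off in macs:
        if len(value) != 16:
            return False, "bad Message-Authenticator length"
        # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.
        zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, value):
            return False, "Message-Authenticator mismatch"
    return True, "ok"

def build_access_request(secret, identifier, request_authenticator, attrs, sign=True):
    # Constructed Access-Request; sign=True appends a zeroed Message-Authenticator, then fills the HMAC.
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if sign:
        body += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    pkt += request_authenticator + body
    if sign:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt
```

Running `check_policy` with the defaults rejects any Access-Request lacking a valid Message-Authenticator, which is exactly what a NAS that never sends the attribute will trip over once the settings are enabled.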
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.