freeradius CVE-2024-3596 enhancement

The new `pam_radius` has supportg to check the `Message-Authenticator`: * https://github.com/FreeRADIUS/pam_radius/commits/master/ See also issue: * https://support.netknights.it/#ticket/zoom/4421
privacyidea · Jul 18, 2024 · 86513c0 · 86513c0
1 parent 06e8bc6
commit 86513c0
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/privacyidea_radius.pm b/privacyidea_radius.pm
@@ -441,6 +441,12 @@ sub authenticate {
     } elsif ( $Config->{ADD_EMPTY_PASS} =~ /true/i ) {
         $params{"pass"} = "";
     }
+
+    # Security enhancement sned Message-Authenticator back
+    if ( exists( $RAD_REQUEST{'Message-Authenticator'} )) {
+        $RAD_REPLY{'Message-Authenticator'} = $RAD_REQUEST{'Message-Authenticator'};
+    }
+
     # URL encode username and password
     my $uri = URI::Encode->new( { encode_reserved => 0 } );
     $params{"user"} = $uri->encode($params{"user"});