Open · Janfred opened 3 months ago
Since it was pointed out to me (sorry for not seeing it earlier): pyrad supports Message-Authenticator (via the methods add_message_authenticator and verify_message_authenticator).

Nonetheless, at least in outgoing RADIUS packets there should always be a Message-Authenticator attribute included by default, and all examples should include the verify_message_authenticator method.
If I see it correctly, pyrad does not support the Message-Authenticator attribute.
This is a serious security problem, since an attacker can modify the RADIUS Requests freely and generate a RADIUS Response.
As far as I can see, this affects only the RADIUS client implementation, since the RADIUS server implementation is not compliant with RFC 2865: it appears not to mirror back the Proxy-State attribute, which RFC 2865 requires.
See blastradius.fail for more information.
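As an added illustration (standalone code, not pyrad's implementation, using a minimal RADIUS encoder, a constructed shared secret and a fixed Request Authenticator), this shows what the Message-Authenticator attribute binds: an HMAC-MD5 keyed with the shared secret over the whole packet, with the attribute value zeroed and, for responses, the Request Authenticator in the header (RFC 2869 section 5.14). A request whose attributes are edited in transit, and a packet that carries no Message-Authenticator at all, both fail verification.

```python
import hashlib, hmac, struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def encode(code, identifier, authenticator, attrs):
    """Serialize code, id, length, 16-byte authenticator and TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def ma_offset(packet):
    """Offset of the Message-Authenticator value, or None if the attribute is absent."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == MSG_AUTH and attr_len == 18:
            return pos + 2
        pos += max(attr_len, 2)
    return None

def hmac_input(packet, off, request_authenticator):
    """Copy with the MA value zeroed and the Request Authenticator in the header."""
    buf = bytearray(packet)
    buf[4:20] = request_authenticator
    buf[off:off + 16] = bytes(16)
    return bytes(buf)

def sign(code, identifier, authenticator, attrs, secret, request_authenticator=None):
    """Build a packet and append a valid Message-Authenticator (RFC 2869 5.14)."""
    req_auth = authenticator if request_authenticator is None else request_authenticator
    packet = encode(code, identifier, authenticator, attrs + [(MSG_AUTH, bytes(16))])
    off = len(packet) - 16  # value of the attribute we just appended
    mac = hmac.new(secret, hmac_input(packet, off, req_auth), hashlib.md5).digest()
    return packet[:off] + mac

def verify(packet, secret, request_authenticator=None):
    """True only if a Message-Authenticator is present and matches; absence fails."""
    off = ma_offset(packet)
    if off is None:
        return False
    req_auth = packet[4:20] if request_authenticator is None else request_authenticator
    expected = hmac.new(secret, hmac_input(packet, off, req_auth), hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])

def finish_response(packet, request_authenticator, secret):
    """Set the Response Authenticator (RFC 2865) once the Message-Authenticator is in place."""
    return packet[:4] + hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest() + packet[20:]

def demo(secret=b"example-shared-secret", req_auth=bytes(range(16))):  # constructed values
    """Access-Request/Accept pair: returns (request ok, tampered request ok, response ok)."""
    request = sign(1, 7, req_auth, [(1, b"alice")], secret)  # Access-Request with User-Name
    tampered = request.replace(b"alice", b"mallo")  # attribute edited in transit
    accept = finish_response(sign(2, 7, req_auth, [(18, b"Welcome")], secret, req_auth), req_auth, secret)
    return verify(request, secret), verify(tampered, secret), verify(accept, secret, req_auth)
```

A real client would draw the Request Authenticator from os.urandom(16); the fixed value here only keeps the example deterministic.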