CA API Gateway RADIUS Vulnerability (CVE-2024-3596)


Article ID: 371466


Products

CA API Gateway

Issue/Introduction

A high severity vulnerability has been found in the RADIUS protocol, which the CA API Gateway uses in some configurations.


What is the vulnerability?

The RADIUS protocol has a critical issue that affects RADIUS transport over insecure networks, particularly when RADIUS is carried over UDP or TCP.

This problem enables a man-in-the-middle attacker to forge a valid Access-Reject response to a client request that the RADIUS server has denied. In other words, the attacker can change an Access-Reject into an Access-Accept by using a malicious Proxy-State attribute and altering the packet contents. As a result, the attacker can gain access to the protected resources and devices that the RADIUS client guards.


How is the gateway affected?

Two areas of the APIM Gateway are potentially affected:

  1. Authenticate Against Radius Server Assertion

   - Affected: Authenticate Against Radius Server assertion with Authentication Protocols PAP, CHAP and MS-CHAP*

   - Unaffected: Authenticate Against Radius Server assertion with Authentication Protocols EAP*

  2. SSH login to Gateway VM with RADIUS/RADIUS+LDAP Authentication Scheme

   - Gateway 11.0: No impact (RADIUS/RADIUS+LDAP Authentication Schemes are disabled)

   - Gateway 11.1: Affected wherever the RADIUS or RADIUS+LDAP Authentication Scheme is configured for SSH login to the Gateway.

Environment

CA API Gateway 11.x

Resolution

How to mitigate?

1. Authenticate Against Radius Server Assertion

The gateway acts as a RADIUS client. According to RFC 3579 (https://datatracker.ietf.org/doc/html/rfc3579#section-3.2), when the Authentication Protocol is EAP*, the client is required to send and verify a Message-Authenticator attribute. We recommend that customers use the "Authenticate Against Radius Server" assertion with Authentication Protocols EAP* as noted in our documentation.
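As an added illustration of the RFC 3579 requirement above (example code written for this article, not code from the Gateway product or from Broadcom), the following Python builds a RADIUS response carrying a Message-Authenticator and shows the client-side check that rejects a response whose HMAC fails or which lacks the attribute altogether. The shared secret, Request Authenticator and attributes are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
MESSAGE_AUTHENTICATOR = 80  # attribute type defined in RFC 3579
SECRET = b"constructed-shared-secret"  # constructed sample value, not a real secret

def build_response(code, identifier, request_auth, attrs, secret=SECRET):
    """Build a RADIUS response carrying a Message-Authenticator (RFC 3579, 3.2).
    The HMAC-MD5 covers Code, Identifier, Length, the Request Authenticator and the
    attributes, with the Message-Authenticator value itself set to 16 zero bytes."""
    ma_attr = bytes([MESSAGE_AUTHENTICATOR, 18])
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs) + 18)
    zeroed = header + request_auth + attrs + ma_attr + bytes(16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    full_attrs = attrs + ma_attr + mac
    # RFC 2865 Response Authenticator: plain MD5 over the packet plus the secret.
    # This is the construction CVE-2024-3596 defeats, so it must not be the only check.
    response_auth = hashlib.md5(header + request_auth + full_attrs + secret).digest()
    return header + response_auth + full_attrs

def verify_response(packet, request_auth, secret=SECRET):
    """Client-side check: accept the response only if a Message-Authenticator is
    present and its HMAC verifies; a response without one is rejected outright."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = (packet[:4] + request_auth
                      + packet[20:pos + 2] + bytes(16) + packet[pos + 18:])
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False  # no Message-Authenticator: treat the response as untrusted

def demo():
    """Constructed exchange: genuine Access-Accept, altered copy, copy without the HMAC."""
    request_auth = bytes(range(16))  # constructed; real clients use 16 random bytes
    attrs = bytes([1, 5]) + b"bob"   # User-Name attribute (type 1)
    good = build_response(ACCESS_ACCEPT, 7, request_auth, attrs)
    tampered = good[:20] + bytes([1, 5]) + b"eve" + good[25:]
    stripped = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(attrs)) + good[4:20] + attrs
    return (verify_response(good, request_auth), verify_response(tampered, request_auth),
            verify_response(stripped, request_auth))
```

Only the genuine response verifies; the altered copy fails the HMAC and the copy with the attribute stripped is refused outright, which is the behaviour the EAP* path of the assertion relies on.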


2. SSH login to Gateway VM with RADIUS/RADIUS+LDAP Authentication Scheme

We are advising customers to use alternative authentication methods to the gateway at this time.

We have created the following patch for Gateway 11.1: Layer7_API_SSG_Platform_Update_64bit_v11.1.1-1630-Debian.L7P

You can download the patch here.


Applying this patch is optional; the vulnerability can also be mitigated by configuring an authentication method other than RADIUS/RADIUS+LDAP.

Once this patch is applied, RADIUS/RADIUS+LDAP authentication via SSH to the gateway will be disabled.


For further details on how to disable or enable RADIUS/LDAP+RADIUS authentication once the patch is applied, please review our documentation.


Additional Information

Please note that the CA API Developer Portal and CA Mobile API Gateway are not impacted by this vulnerability as they do not make use of RADIUS.