CVE-2024-3596 Impact on Privilege Access Manager

Article ID: 371682

Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)
CA Privileged Identity Management Endpoint (PIM)
CA Virtual Privilege Manager

Issue/Introduction

Recently, CVE-2024-3596 was released announcing a vulnerability with RADIUS. How is PAM impacted by this vulnerability?

Environment

Any currently supported Privileged Access Manager release in which the RADIUS integration is implemented is affected by this vulnerability.

No supported PAM Server Control and Privileged Identity Manager version is susceptible to the vulnerability.

Cause

The RADIUS client component implemented in PAM contains this vulnerability.

Resolution

Hotfixes 4.1.5.50, 4.1.6.50, and 4.1.7.50 have been published to mitigate the RADIUS vulnerability along with vulnerabilities covered in the July 15th IMS Security Advisory. If an earlier version of PAM is being used in the environment, an upgrade to 4.1.5, 4.1.6, or 4.1.7 may be required as well.

PAM servers with this patch applied always include the Message-Authenticator attribute in every request sent to the configured RADIUS servers.

A new configuration option, "Require Message-Authenticator in Responses", was added to the RADIUS Configuration screen in the PAM UI. When checked, it enforces that every response from a RADIUS server includes the Message-Authenticator as its first attribute. For compatibility with RADIUS servers that are not yet patched, this option can be left unchecked.

To download the required hotfix, please go to the PAM Solutions & Patches page on the Broadcom Support site.

Additional Information

For more information about each hotfix, refer to the 4.1.5.50, 4.1.6.50, or 4.1.7.50 Release Notes.