RADIUS protocol vulnerability advisory for Symantec VIP
Article ID: 371735

Products

VIP Service

Issue/Introduction

A high-severity vulnerability in the RADIUS protocol affects the Symantec VIP Enterprise Gateway product.

What is the vulnerability?
The RADIUS protocol has a critical issue that affects RADIUS transport over insecure networks, in particular RADIUS over UDP or TCP.
This problem enables a man-in-the-middle attacker to forge a valid-looking response to a client request that the RADIUS server has denied. In other words, the attacker can turn the server's Access-Reject into an Access-Accept by using a malicious Proxy-State attribute and altering the packet contents. As a result, the attacker can gain access to the protected resources and devices for which the RADIUS client authenticates.

Environment

What VIP components are affected?

The following VIP components use RADIUS and are affected:

  • VIP Enterprise Gateway, all versions
  • VIP plugin for AD FS
  • VIP plugin for Epic Hyperdrive\Hyperspace
  • VIP plugin for IIS
  • VIP plugin for Microsoft Credential Provider

How does the patch resolve the RADIUS vulnerability CVE-2024-3596?
  • VIP plugins patch: Adds the Message-Authenticator attribute to outgoing RADIUS packets sent to VIP Enterprise Gateway, and validates the Message-Authenticator attribute in the response.
  • VIP Enterprise Gateway patch: Validates the Message-Authenticator attribute in incoming RADIUS packets, and drops the packet if the attribute is missing or invalid. Additionally, adds the Message-Authenticator attribute to outbound RADIUS packets. (A 'compatible' option is included to bypass packet dropping for violations; see details below. Outgoing RADIUS packets always include the Message-Authenticator attribute.)

Resolution

VIP PLUGIN (Microsoft Credential Provider plugin only)

  • Patch the Enterprise Gateway(s) before applying this patch. 
  • Log into VIP Manager
  • Navigate to Account > Download Files > Third Party Integrations > Radius Vulnerability Patch
  • Download VIP_EG_MCP_PLUGIN_Radius_Vulnerability_CVE-2024-3596.zip and VIP_EG_MCP_PLUGIN_Radius_Vulnerability_CVE-2024-3596_Readme.docx
  • Follow the instructions in VIP_EG_MCP_PLUGIN_Radius_Vulnerability_CVE-2024-3596_Readme.docx to apply the patch.

VIP PLUGINS (all other affected plugins)

  • Patch the Enterprise Gateway(s) before applying this patch. 
  • Log into VIP Manager
  • Navigate to Account > Download Files > Third Party Integrations > Radius Vulnerability Patch. 
  • Download VIP_EG_PLUGINS_Radius_Vulnerability_CVE-2024-3596.zip and VIP_EG_PLUGINS_Radius_Vulnerability_CVE-2024-3596_Readme.docx
  • Follow the instructions in VIP_EG_PLUGINS_Radius_Vulnerability_CVE-2024-3596_Readme.docx to apply the patch. 

VIP ENTERPRISE GATEWAY 9.9.x, 9.10.x, 9.11.x

  • Upgrade to Enterprise Gateway 9.9.x or later before applying this patch.
  • Download the attached patch that matches the version of VIP Enterprise Gateway. Alternatively, download the patch from VIP Manager > Account > Download Files > Enterprise Gateway > [EGW Version]
  • Download VIP_<EGW_Version>_Radius_Vulnerability_CVE-2024-3596.zip

WINDOWS:

Test in your lab before implementing in a production environment:

  1. Download the attached ZIP file and extract the contents to a temporary location (ex: c:\temp).
  2. Stop all the VIP Enterprise Gateway validation servers and VIP Enterprise Gateway service.
  3. Delete the contents of <EGW Installation folder>\server\work. Do not delete the work folder. 
  4. Make a backup of the following files.

    <EGW Installation folder>\Validation\bin\*
    <EGW Installation folder>\Validation\modulesspec\VIPEGServerSpec.spec
    <EGW Installation folder>\server\webapps\vipconsole.war
    <EGW Installation folder>\tools\vsradiusclient_test.exe
    <EGW Installation folder>\version.txt

  5. From the temporary directory where you extracted the ZIP file contents:
    1. Copy VIP_EG9_11_Radius_Vulnerability_CVE-2024-3596\Windows\Validation\bin\* to <EGW Installation folder>\Validation\bin\
    2. Copy VIP_EG9_11_Radius_Vulnerability_CVE-2024-3596\Windows\Validation\modulesspec\VIPEGServerSpec.spec to <EGW Installation folder>\Validation\modulesspec\
    3. Copy VIP_EG9_11_Radius_Vulnerability_CVE-2024-3596\Windows\server\webapps\vipconsole.war to <EGW Installation folder>\server\webapps\
    4. Copy VIP_EG9_11_Radius_Vulnerability_CVE-2024-3596\Windows\tools\vsradiusclient_test.exe to <EGW Installation folder>\tools\
    5. Copy VIP_EG9_11_Radius_Vulnerability_CVE-2024-3596\Windows\version.txt to <EGW Installation folder>\

  6. Start the VIP Enterprise Gateway service. Log into the VIP EG console and start the validation servers.
  7. Note: A new option will appear in the Validation Server settings. See below for details.

LINUX: 

Test in your lab before implementing in a production environment:

  1. Download the attached ZIP file and extract the contents to a temporary location (/opt/tmp/).
  2. Stop all the validation servers and the VIP Enterprise Gateway service.
  3. Delete the content of <EGW Installation folder>/server/work. Do not delete the work folder.
  4. Make a backup of the following files:

    <EGW Installation folder>/Validation/bin/*
    <EGW Installation folder>/Validation/modulesspec/VIPEGServerSpec.spec
    <EGW Installation folder>/server/webapps/vipconsole.war
    <EGW Installation folder>/tools/vsradiusclient_test
    <EGW Installation folder>/version.txt

  5. From the temporary directory where you extracted the ZIP file contents:
    1. Copy VIP_EG9_11_Radius_Vulnerability_CVE-2024-3596/Linux/Validation/bin/* to <EGW Installation folder>/Validation/bin/
    2. Copy VIP_EG9_11_Radius_Vulnerability_CVE-2024-3596/Linux/Validation/modulesspec/VIPEGServerSpec.spec to <EGW Installation folder>/Validation/modulesspec/
    3. Copy VIP_EG9_11_Radius_Vulnerability_CVE-2024-3596/Linux/server/webapps/vipconsole.war to <EGW Installation folder>/server/webapps/
    4. Copy VIP_EG9_11_Radius_Vulnerability_CVE-2024-3596/Linux/tools/vsradiusclient_test to <EGW Installation folder>/tools/
    5. Copy VIP_EG9_11_Radius_Vulnerability_CVE-2024-3596/Linux/version.txt to <EGW Installation folder>/

  6. Start the VIP Enterprise Gateway service. Log into the VIP EG console and start the validation servers.
  7. Note: A new option will appear in the Validation Server settings. See below.

 

Two options will appear in the Validation Server settings: compatible and compliant.

  • COMPATIBLE MODE (default): If an incoming RADIUS request contains the Message-Authenticator attribute, the transaction is verified and signed, and a Message-Authenticator attribute is included in the RADIUS response. If the Message-Authenticator attribute is missing, the transaction is still processed and the RADIUS response still carries the Message-Authenticator attribute.
  • COMPLIANT MODE: Incoming RADIUS requests from the client to the validation server must contain the Message-Authenticator attribute. If it is absent, the validation server silently discards the request. If present, the transaction is verified and signed, and a Message-Authenticator attribute is sent in the RADIUS response.



Additional Information

What is the RADIUS Message-Authenticator attribute? 

Message-Authenticator is a Type 80 RADIUS attribute that provides integrity and authenticity to RADIUS flows between the RADIUS client and server to prevent spoofing. This attribute value is an HMAC-MD5 digest (Type, Identifier, Length, Request Authenticator, Attributes) of the entire RADIUS packet with the RADIUS shared secret as the key.

To address the vulnerability, the Message-Authenticator transactions are reciprocal:

  • The RADIUS client includes this attribute as the first value in the RADIUS packet en route to the RADIUS server (VIP Validation Server).
  • The RADIUS server (VIP Validation Server) verifies the attribute, processes the transaction, and responds with the Message-Authenticator attribute as the first value in the RADIUS packet. 

When both the client and server are properly patched, a received RADIUS packet is discarded if the Message-Authenticator attribute is missing.
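To make the attribute and the two validation-server modes concrete, here is an added illustration written for this article (not Symantec's implementation): it builds RADIUS packets carrying a Message-Authenticator as the first attribute and checks inbound packets the way compatible and compliant mode do. The shared secret and packet contents are constructed samples; per RFC 2869 the attribute's own 16 bytes are zero-filled while the HMAC-MD5 is computed, and a reply's HMAC is computed with the request's authenticator in the header.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-shared-secret"  # constructed sample value, not a real secret
MSG_AUTH_TYPE, MSG_AUTH_LEN = 80, 18   # Message-Authenticator: 2-byte header + 16-byte HMAC-MD5


def build_packet(code, ident, request_auth, attrs, secret, is_response=False):
    """Serialize a RADIUS packet with Message-Authenticator as the first attribute.
    HMAC-MD5 key = shared secret; input = Code | Identifier | Length | Request
    Authenticator | Attributes, with the attribute's own 16 bytes zero-filled."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + MSG_AUTH_LEN + len(body))
    zeroed = struct.pack("!BB", MSG_AUTH_TYPE, MSG_AUTH_LEN) + bytes(16)
    mac = hmac.new(secret, hdr + request_auth + zeroed + body, hashlib.md5).digest()
    attrs_wire = struct.pack("!BB", MSG_AUTH_TYPE, MSG_AUTH_LEN) + mac + body
    auth = request_auth
    if is_response:  # Response Authenticator (RFC 2865) is computed after the HMAC
        auth = hashlib.md5(hdr + request_auth + attrs_wire + secret).digest()
    return hdr + auth + attrs_wire


def check_message_authenticator(packet, secret, request_auth=None, compliant=True):
    """Return (accept, reason) for an inbound packet, mirroring the two EG modes.
    For a response, pass the authenticator of the request it answers: the reply's
    HMAC is computed with that value in the header, not the Response Authenticator."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        return False, "malformed packet"
    hdr_auth = request_auth if request_auth is not None else packet[4:20]
    pos, found = 20, None
    while pos + 2 <= length:                     # walk the attribute TLVs
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            return False, "malformed attribute"
        if t == MSG_AUTH_TYPE:
            found = (pos, packet[pos + 2:pos + l])
        pos += l
    if found is None:  # compatible mode still processes it; compliant mode drops it
        return (not compliant), "Message-Authenticator missing"
    start, value = found
    if len(value) != 16:
        return False, "Message-Authenticator invalid"
    zeroed = packet[:start + 2] + bytes(16) + packet[start + MSG_AUTH_LEN:length]
    expected = hmac.new(secret, zeroed[:4] + hdr_auth + zeroed[20:], hashlib.md5).digest()
    if not hmac.compare_digest(expected, value):
        return False, "Message-Authenticator invalid"
    return True, "ok"
```

Because the HMAC covers the Code field, an Access-Reject whose code byte is rewritten to Access-Accept fails the check, which is the behaviour the patch relies on.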

Considerations when applying the VIP EGW patch

The key to a successful upgrade is to assess the applications (RADIUS clients) that rely upon VIP Enterprise Gateway (the RADIUS server). Ideally, these clients are robust applications that fail gracefully when they receive unfamiliar or invalid input. Such clients need no further consideration once they are upgraded to use the Message-Authenticator attribute.

Some 'fragile' applications may not understand the Message-Authenticator data. They fall into two categories:

  • Legacy apps with no tolerance for receiving the Message-Authenticator attribute. These fail while processing it, process it incorrectly, or enter a faulty state.
  • Apps that fault when they do not receive the Message-Authenticator attribute in RADIUS replies ("modern preference").

The Enterprise Gateway can’t tell the difference between robust and fragile -- this requires testing. 

A pre-patched VIP Enterprise Gateway will handle either format and produce responses without the Message-Authenticator attribute.

A post-patched VIP Enterprise Gateway will handle either format and produce consistent responses with the Message-Authenticator attribute.

If you find during testing that any of your apps cannot process one way or the other, the pre- or post-patch VIP Enterprise Gateway is there to assist in the migration.  

More specifically, legacy client apps should be upgraded before applying the VIP Enterprise Gateway patch (they continue to be served by a pre-patch VIP Enterprise Gateway in the meantime). Any "modern preference" apps should be upgraded after VIP Enterprise Gateway.

In the unlikely event that an app falls in both categories, it will need to rely upon one VIP Enterprise Gateway (pre-patched) before its migration and a separate (patched) one after the migration. Here, a configuration change in the middle will be necessary.

In summary, thorough testing of the RADIUS client applications that use VIP Enterprise Gateway is essential.  While problems in this area are generally unlikely, the outline of tests above should help avoid a production-down situation.

IMPORTANT NOTE: If the patch has been applied to 9.9.x or 9.10.x and you later upgrade to a newer version of the VIP Enterprise Gateway, you will need to apply the patch for that version. For example, if you are currently on 9.9.2, have applied the patch for 9.9.2, and later upgrade to 9.11, you will also need to apply the 9.11 version of the patch after upgrading.



Attachments

VIP_EG9_9_1_Radius_Vulnerability_CVE-2024-3596.zip
VIP_EG9_9_2_Radius_Vulnerability_CVE-2024-3596.zip
VIP_EG9_9_0_Radius_Vulnerability_CVE-2024-3596.zip
VIP_EG9_10_0_Radius_Vulnerability_CVE-2024-3596.zip
VIP_EG9_10_1_Radius_Vulnerability_CVE-2024-3596.zip
VIP_EG9_10_2_Radius_Vulnerability_CVE-2024-3596.zip
VIP_EG9_10_3_Radius_Vulnerability_CVE-2024-3596.zip
VIP_EG9_11_Radius_Vulnerability_CVE-2024-3596.zip