Radius protocol vulnerability advisory for Strong Authentication
Article ID: 371742

Updated On: 02-28-2025

Products

CA Strong Authentication
CA Advanced Authentication
CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)

Issue/Introduction

A high-severity vulnerability in the RADIUS protocol affects the Symantec Strong Authentication product.
 
What is the vulnerability?
The RADIUS protocol has a design flaw that affects RADIUS transported over insecure networks, that is, RADIUS over plain UDP or TCP rather than over TLS.
The flaw lets a man-in-the-middle attacker positioned between a RADIUS client and the Strong Authentication RADIUS server forge a valid Access-Accept for a request that the server actually denied. The attacker modifies the client's Access-Request by adding a crafted Proxy-State attribute, then rewrites the server's Access-Reject into an Access-Accept in such a way that the response still passes the client's Response Authenticator check. The Response Authenticator is an unkeyed MD5 digest rather than a message authentication code, which is what makes the forgery possible. As a result, the attacker gains access to the protected resources and devices for which the RADIUS client authenticates, without holding valid credentials.

Environment

All supported Strong Authentication versions (9.1.x)

Symantec Advanced Authentication

Cause

Resolution

To prevent this forgery, the Message-Authenticator attribute must be included and verified in all RADIUS flows. Message-Authenticator provides integrity and authenticity for RADIUS packets.

Message-Authenticator is the RADIUS attribute of type 80 (RFC 2869, RFC 3579). Its value is the 16-octet HMAC-MD5 of the entire RADIUS packet, keyed with the shared secret, computed with the Message-Authenticator attribute itself present but its value set to 16 zero octets:
 
Message-Authenticator = HMAC-MD5 (Code, Identifier, Length, Request Authenticator, Attributes)

For an Access-Request the Request Authenticator is the one in the packet header. For an Access-Accept, Access-Reject or Access-Challenge the HMAC is computed over the response with the Request Authenticator of the matching request substituted for the Response Authenticator in the header, so that the response is bound to the request it answers.

A RADIUS server receiving an Access-Request that carries Message-Authenticator must recompute the value and compare it with the received one; if the digests differ, the packet is silently discarded.

A RADIUS client receiving an Access-Challenge, Access-Reject or Access-Accept that carries Message-Authenticator must do the same and discard the packet if the values do not match. For the check to defeat this attack, the client must also require the attribute in every response rather than only verify it when present: a response from which an on-path attacker has stripped the attribute would otherwise be accepted on the strength of the Response Authenticator alone.
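The Message-Authenticator computation and the server- and client-side checks described above, worked through in Python as an added example. This is illustrative code written for this article, not part of the Strong Authentication product or its hotfix. It builds an Access-Request carrying a Proxy-State attribute, has the server answer with an Access-Reject, and then shows that rewriting the Code byte to Access-Accept, presenting the wrong shared secret, tampering with any attribute, or omitting Message-Authenticator altogether all fail the keyed check. The shared secret, user names and Proxy-State value are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2869)
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_PROXY_STATE, ATTR_MESSAGE_AUTHENTICATOR = 1, 33, 80
HEADER_LEN = 20  # Code(1) | Identifier(1) | Length(2) | Authenticator(16)
ZERO_MAC = b"\x00" * 16


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs, preserving order (order is part of the HMAC input)."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def parse_attrs(data):
    """Decode RADIUS TLVs; raises ValueError on truncated or malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def message_authenticator(code, identifier, request_auth, attrs_bytes, secret):
    """HMAC-MD5(Code | Identifier | Length | Request Authenticator | Attributes) keyed with the
    shared secret; attrs_bytes must carry Message-Authenticator with its 16 value octets zeroed."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs_bytes))
    return hmac.new(secret, header + request_auth + attrs_bytes, hashlib.md5).digest()


def with_message_authenticator(code, identifier, request_auth, attrs, secret):
    """Return encoded attributes with a correctly filled Message-Authenticator appended."""
    zeroed = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, ZERO_MAC)])
    mac = message_authenticator(code, identifier, request_auth, zeroed, secret)
    return encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])


def build_access_request(identifier, attrs, secret):
    """Client side: fresh random Request Authenticator, Message-Authenticator included."""
    request_auth = os.urandom(16)
    body = with_message_authenticator(CODE_ACCESS_REQUEST, identifier, request_auth, attrs, secret)
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(body)) + request_auth + body


def build_response(code, request, attrs, secret):
    """Server side. The HMAC is computed with the Request Authenticator in the header; the
    Response Authenticator (RFC 2865 s.3), an unkeyed MD5 over packet + secret, is filled in
    afterwards. That unkeyed digest is what the forgery targets; the HMAC is not affected."""
    identifier, request_auth = request[1], request[4:20]
    body = with_message_authenticator(code, identifier, request_auth, attrs, secret)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_message_authenticator(packet, secret, request_auth=None):
    """Recompute and compare in constant time. Pass request_auth for responses (their header
    holds the Response Authenticator). Missing, duplicated or malformed attribute fails, so the
    attribute is required, not merely checked when present."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding (RFC 2865 s.3)
    try:
        attrs = parse_attrs(packet[HEADER_LEN:])
    except ValueError:
        return False
    received = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        return False
    zeroed = encode_attrs([(t, ZERO_MAC if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    auth = packet[4:20] if request_auth is None else request_auth
    return hmac.compare_digest(received[0], message_authenticator(code, identifier, auth, zeroed, secret))


def run_demo():
    secret = b"example-shared-secret"  # constructed value for this example only
    request = build_access_request(7, [(ATTR_USER_NAME, b"alice"), (ATTR_PROXY_STATE, b"proxy-1")], secret)
    request_auth = request[4:20]
    reject = build_response(CODE_ACCESS_REJECT, request, [], secret)
    # On-path attacker rewrites the Code byte, Access-Reject (3) -> Access-Accept (2). The real
    # attack also makes the Response Authenticator validate; the keyed check still fails because
    # the attacker does not hold the shared secret.
    forged_accept = bytes([CODE_ACCESS_ACCEPT]) + reject[1:]
    # A pre-fix style Access-Request with no Message-Authenticator at all.
    legacy_body = encode_attrs([(ATTR_USER_NAME, b"bob")])
    legacy_request = (struct.pack("!BBH", CODE_ACCESS_REQUEST, 8, HEADER_LEN + len(legacy_body))
                      + os.urandom(16) + legacy_body)
    return {
        "request_ok": verify_message_authenticator(request, secret),
        "reject_ok": verify_message_authenticator(reject, secret, request_auth),
        "forged_accept_ok": verify_message_authenticator(forged_accept, secret, request_auth),
        "wrong_secret_ok": verify_message_authenticator(request, b"not-the-secret"),
        "no_mac_ok": verify_message_authenticator(legacy_request, secret),
    }
```

Run `run_demo()` to see the five outcomes: only the untampered request and the genuine Access-Reject verify. Note that verification treats an absent Message-Authenticator as a failure; a deployment that only checks the attribute when present leaves the stripping case open.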

Hotfix plan:
A hotfix for all 9.1.x Strong Authentication versions is available to download from the support portal.
Note:
If you are not using RADIUS in your environment, the vulnerability cannot be exploited and the hotfix does not need to be applied.

Additional Information

Notification: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24606

Release update: The Advanced Authentication (AA) 9.1.5.1 release, made available in mid-November, already includes the RADIUS vulnerability patch that was delivered at the end of July. The RADIUS fix is therefore part of 9.1.5.1, and there is no need to install a separate RADIUS patch on top of it.