Radius protocol vulnerability advisory for Strong Authentication



Article ID: 371742


Updated On:

Products

CA Strong Authentication
CA Advanced Authentication
CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)

Issue/Introduction

A high severity vulnerability has been found in the RADIUS protocol which affects the Symantec Strong Authentication product.
 
What is the vulnerability?
The RADIUS protocol has a critical issue that affects RADIUS transport over insecure networks, in particular RADIUS carried over plain UDP or TCP without TLS/DTLS protecting the transport.
The issue allows a man-in-the-middle attacker to forge a valid Access-Accept response to a client request that the RADIUS server has actually denied. The attacker inserts a crafted Proxy-State attribute into the Access-Request so that the server's MD5-based Response Authenticator on the resulting Access-Reject also validates for an altered packet; the attacker then changes the Access-Reject into an Access-Accept and forwards it to the client, without ever knowing the shared secret. As a result, the attacker gains access to the protected resources and devices for which the RADIUS client authenticates.

Environment

All supported Strong Authentication versions (9.1.x)

Symantec Advanced Authentication

Cause

Resolution

To prevent this spoofing attack, the Message-Authenticator attribute must be used in all RADIUS flows. The Message-Authenticator attribute provides integrity and authenticity for RADIUS packets, because it is an HMAC keyed with the shared secret rather than a plain MD5 hash that an attacker can target with a collision.

Message-Authenticator is a RADIUS attribute with Type 80 (RFC 2869). Its value is the HMAC-MD5 digest of the entire RADIUS packet, keyed with the RADIUS shared secret:
 
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes)

Here Type is the packet Code. When the digest is calculated, the value of the Message-Authenticator attribute itself is treated as sixteen octets of zero, and for Access-Accept, Access-Reject and Access-Challenge packets the Request Authenticator of the Access-Request being answered is used in the calculation, not the Response Authenticator of the reply.

A RADIUS server receiving an Access-Request with a Message-Authenticator attribute must calculate the correct value and compare it with the received one. If the digests do not match, the packet is discarded.

A RADIUS client receiving an Access-Challenge, Access-Reject or Access-Accept with a Message-Authenticator attribute must likewise calculate and compare the value, and discard the packet if the values do not match. For the check to be effective the client must also discard responses that carry no Message-Authenticator at all; an attacker who can forge the Response Authenticator can otherwise simply strip the attribute from the forged response.
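The following is an added worked example, not code from the original article or from the Strong Authentication product. It implements the two checks described above (RFC 2869 section 5.14 on a minimal RADIUS encoder) and contrasts them with the pre-fix behaviour: a client that validates only the MD5 Response Authenticator accepts the forged Access-Accept, while one that verifies Message-Authenticator rejects it. The shared secret, user name and packets are constructed for the example; the MD5 collision the real attack relies on is simulated by recomputing the Response Authenticator with the secret, as the code comments state.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_PROXY_STATE, ATTR_MESSAGE_AUTHENTICATOR = 1, 33, 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

def encode_attrs(attrs):
    """TLV-encode [(type, value), ...]; the Length octet covers the 2-byte header."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def message_authenticator(code, ident, length, request_auth, attrs, secret):
    """HMAC-MD5(Type, Identifier, Length, Request Authenticator, Attributes), RFC 2869 5.14.
    The attribute's own value counts as 16 zero octets; a response is keyed over the
    Request Authenticator of the Access-Request it answers, not its own field."""
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    msg = struct.pack("!BBH", code, ident, length) + request_auth + encode_attrs(zeroed)
    return hmac.new(secret, msg, hashlib.md5).digest()

def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865: the value the attack forges."""
    msg = struct.pack("!BBH", code, ident, length) + request_auth + encode_attrs(attrs)
    return hashlib.md5(msg + secret).digest()

def build_packet(code, ident, attrs, secret, request_auth=None):
    """Encode a packet with Message-Authenticator as its first attribute. An Access-Request
    gets a fresh random Request Authenticator; a response must be given the one it answers."""
    attrs = [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))] + \
            [(t, v) for t, v in attrs if t != ATTR_MESSAGE_AUTHENTICATOR]
    if code == ACCESS_REQUEST:
        request_auth = os.urandom(16)
    elif request_auth is None:
        raise ValueError("responses need the Request Authenticator they answer")
    length = HEADER_LEN + len(encode_attrs(attrs))
    attrs[0] = (ATTR_MESSAGE_AUTHENTICATOR,
                message_authenticator(code, ident, length, request_auth, attrs, secret))
    auth = request_auth if code == ACCESS_REQUEST else \
        response_authenticator(code, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + encode_attrs(attrs)

def parse_packet(pkt):
    if len(pkt) < HEADER_LEN or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad packet length")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, length, pkt[4:20], decode_attrs(pkt[20:])

def legacy_verify_response(pkt, secret, request_auth):
    """Pre-hotfix client check: Response Authenticator only."""
    code, ident, length, auth, attrs = parse_packet(pkt)
    expected = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return hmac.compare_digest(expected, auth)

def verify_packet(pkt, secret, request_auth=None):
    """Hotfix behaviour for server (requests) and client (responses): exactly one 16-byte
    Message-Authenticator must be present and verify; a packet without it is discarded."""
    code, ident, length, auth, attrs = parse_packet(pkt)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    if code == ACCESS_REQUEST:
        request_auth = auth
    elif request_auth is None or not legacy_verify_response(pkt, secret, request_auth):
        return False
    expected = message_authenticator(code, ident, length, request_auth, attrs, secret)
    return hmac.compare_digest(expected, macs[0])

def simulate_forged_accept(reject_pkt, secret, request_auth):
    """Stand-in for the attack: the genuine Access-Reject becomes an Access-Accept whose
    Response Authenticator still validates. A real attacker gets that colliding value from
    an MD5 chosen-prefix collision over a crafted Proxy-State; here it is recomputed with
    the secret (which the attacker never has) so the outcome can be checked. The
    Message-Authenticator is left alone: a collision does not let anyone redo an HMAC."""
    _, ident, _, _, attrs = parse_packet(reject_pkt)
    attrs = attrs + [(ATTR_PROXY_STATE, b"constructed-proxy-state")]
    length = HEADER_LEN + len(encode_attrs(attrs))
    auth = response_authenticator(ACCESS_ACCEPT, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, length) + auth + encode_attrs(attrs)

def demo(secret=b"constructed-shared-secret"):
    """One constructed Access-Request / Access-Reject exchange plus the forged Accept."""
    req = build_packet(ACCESS_REQUEST, 7, [(ATTR_USER_NAME, b"alice")], secret)
    req_auth = req[4:20]
    reject = build_packet(ACCESS_REJECT, 7, [], secret, request_auth=req_auth)
    forged = simulate_forged_accept(reject, secret, req_auth)
    return {
        "server_accepts_request": verify_packet(req, secret),
        "client_accepts_genuine_reject": verify_packet(reject, secret, req_auth),
        "legacy_client_accepts_forged_accept": legacy_verify_response(forged, secret, req_auth),
        "patched_client_accepts_forged_accept": verify_packet(forged, secret, req_auth),
    }
```

Running demo() shows the legacy check accepting the forged Access-Accept and the Message-Authenticator check rejecting it. Note that verify_packet also returns False for a response with no Message-Authenticator at all, which is the policy a client must enforce once the server is known to always send the attribute.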

Hotfix plan:
A hotfix for all 9.1.x Strong Authentication versions is available for download from the support portal.
Note:
If you are not using RADIUS in your environment, the vulnerability cannot be exploited and the patch does not need to be applied.

Additional Information