A high-severity vulnerability in the RADIUS protocol affects the Symantec Strong Authentication product.
What is the vulnerability?
The RADIUS protocol has a critical issue that affects RADIUS transport over insecure networks, in particular RADIUS over UDP or TCP. It enables a man-in-the-middle attacker to forge a valid response to a client request that the RADIUS server has denied: by injecting a malicious Proxy-State attribute and altering the packet contents, the attacker can turn an Access-Reject into an Access-Accept. As a result, the attacker can reach protected resources and devices for which the RADIUS client performs authentication.
Environment
All supported Strong Authentication versions (9.1.x)
To prevent spoofing attacks, the Message-Authenticator attribute must be implemented in RADIUS flows. The Message-Authenticator attribute provides integrity and authenticity for RADIUS packets.
Message-Authenticator is a RADIUS attribute with Type 80. Its value is the HMAC-MD5 digest of the entire RADIUS packet, keyed with the RADIUS shared secret:
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes)
A RADIUS server receiving an Access-Request with a Message-Authenticator attribute should calculate the correct value and compare it with the received one; if the digests do not match, the packet is discarded.
A RADIUS client receiving an Access-Challenge, Access-Reject or Access-Accept with a Message-Authenticator attribute should likewise calculate and compare the value, and discard the packet if the values do not match.
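The following is an added example, not code from Symantec or from the Strong Authentication product: it computes the Message-Authenticator digest described above with the attribute's own value zeroed, and performs the client-side check on a response, so that a packet whose Code has been rewritten from Access-Reject to Access-Accept, or that lacks the attribute, is discarded. The shared secret, the Request Authenticator and the attribute values are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions, not from the page).
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))

MESSAGE_AUTHENTICATOR = 80  # attribute Type 80, 16-byte HMAC-MD5 value
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11


def build_packet(code, identifier, request_auth, attributes, secret=SHARED_SECRET):
    """Assemble a RADIUS packet that ends with a valid Message-Authenticator."""
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    # Placeholder with 16 zero octets: the digest is taken over the packet in this form.
    attrs += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # Requests and responses alike use the Request Authenticator here (RFC 2869 s5.14).
    digest = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + digest
    if code == ACCESS_REQUEST:
        authenticator = request_auth
    else:  # Response Authenticator (RFC 2865 s3) over the finished attributes.
        authenticator = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + authenticator + attrs


def verify_message_authenticator(packet, request_auth, secret=SHARED_SECRET):
    """Return True only if the packet carries a Message-Authenticator that matches.
    A missing or malformed attribute returns False, i.e. the packet is discarded."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    attrs, offset, ma_offset = packet[20:], 0, None
    while offset + 2 <= len(attrs):
        t, ln = attrs[offset], attrs[offset + 1]
        if ln < 2 or offset + ln > len(attrs):
            return False
        if t == MESSAGE_AUTHENTICATOR and ln == 18:
            ma_offset = offset
        offset += ln
    if ma_offset is None or offset != len(attrs):
        return False
    received = attrs[ma_offset + 2:ma_offset + 18]
    zeroed = attrs[:ma_offset + 2] + bytes(16) + attrs[ma_offset + 18:]
    # Substitute the Request Authenticator so responses verify against their request.
    expected = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)
```

The client must keep the Request Authenticator of the outstanding Access-Request, since the response's own authenticator field is not what the digest was computed over.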
Hotfix Plan: A hotfix for all 9.1.x Strong Authentication versions is available for download from the support portal.
Note:
If you are not using RADIUS in your environment, the vulnerability cannot be exploited and the patch does not need to be applied.