CVE-2024-3596 - Blast-RADIUS, and Message-Authenticator Support


Article ID: 375217


Products

  • Management Center - VA
  • Content Analysis Software
  • ISG Content Analysis

Issue/Introduction

Do MC and CAS support use of the Message-Authenticator attribute for RADIUS authentication? Enforcing this attribute is the recommended mitigation for vulnerability CVE-2024-3596 (Blast-RADIUS).

Broken authentication has been observed after enforcing this attribute on some products across multiple vendors, so confirm whether MC and CAS are able to use this attribute according to RFC 3579.

If these products are compatible with this attribute, are there steps that need to be taken on MC/CAS to implement its use, or will it work by default if the attribute is enabled on the RADIUS server?

Environment

CAS/MC

Resolution

Checks show that MC and CAS are not documented as being impacted by the reported CVE-2024-3596 (Blast-RADIUS) vulnerability.

If you referenced the Tech Article Radius protocol vulnerability advisory for Strong Authentication, note that the products referenced therein are not MC/CAS and are not in the same product group.

Ref.: Advisory for CVE-2024-3596

So the reported vulnerability does not impact CAS/MC.

With respect to Message-Authenticator attribute support for CAS/MC, there is no documented support.
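The mitigation the question refers to, requiring and verifying the Message-Authenticator attribute (RFC 2869 section 5.14, RFC 3579 section 3.2) on Access-Request packets, as an added example in Python that is not Broadcom/Symantec code and not part of this article. It builds a constructed Access-Request, computes the HMAC-MD5 Message-Authenticator over the packet with the attribute's 16-octet value zeroed, and classifies a received packet as ok, missing or invalid. The shared secret, user name and NAS identifier are constructed values, and the function names are this example's own. A server configured to enforce the attribute rejects "missing" as well as "invalid", which is why a client that never sends the attribute stops authenticating once enforcement is turned on.

```python
"""Message-Authenticator check for RADIUS Access-Request packets.

Added example, not Broadcom/Symantec code. The shared secret, attribute
values and packet contents are constructed for illustration. Only the
Access-Request case is handled: for responses the Request Authenticator of
the matching request is used in the header instead (RFC 2869 s.5.14).
"""
import hashlib
import hmac
import secrets
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80   # standard attribute type, 16-octet value
HEADER_LEN = 20                   # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def find_attr_offset(packet, wanted_type):
    """Return the offset of the first attribute of the given type, or None."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return None   # malformed TLV: treat the attribute as absent
        if attr_type == wanted_type:
            return pos
        pos += attr_len
    return None


def build_access_request(secret, attrs, identifier=1, request_authenticator=None,
                         include_message_authenticator=True):
    """Build an Access-Request, optionally with a valid Message-Authenticator."""
    if request_authenticator is None:
        request_authenticator = secrets.token_bytes(16)
    body = encode_attrs(attrs)
    if include_message_authenticator:
        # Placeholder of 16 zero octets: the HMAC is computed over the packet
        # in this state and then written into the value field.
        body += encode_attrs([(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    length = HEADER_LEN + len(body)
    packet = bytearray(struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, length)
                       + request_authenticator + body)
    if include_message_authenticator:
        offset = find_attr_offset(bytes(packet), ATTR_MESSAGE_AUTHENTICATOR)
        mac = hmac.new(secret, bytes(packet), hashlib.md5).digest()
        packet[offset + 2: offset + 18] = mac
    return bytes(packet)


def check_message_authenticator(packet, secret):
    """Classify a received Access-Request as 'ok', 'missing' or 'invalid'."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "invalid"                      # header Length must match the datagram
    offset = find_attr_offset(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if offset is None:
        return "missing"
    if packet[offset + 1] != 18:
        return "invalid"                      # value must be exactly 16 octets
    received = packet[offset + 2: offset + 18]
    zeroed = bytearray(packet)
    zeroed[offset + 2: offset + 18] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return "ok" if hmac.compare_digest(received, expected) else "invalid"


def should_accept(status, require):
    """Server policy: with enforcement on, a packet without the attribute is rejected."""
    if status == "ok":
        return True
    if status == "missing":
        return not require
    return False


if __name__ == "__main__":
    secret = b"example-shared-secret"                       # constructed
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IDENTIFIER, b"mc-01")]
    good = build_access_request(secret, attrs, identifier=7)
    without = build_access_request(secret, attrs, include_message_authenticator=False)
    for name, pkt in (("signed", good), ("unsigned", without)):
        status = check_message_authenticator(pkt, secret)
        print(f"{name}: {status}, accepted with enforcement={should_accept(status, True)}")
```

The check runs the HMAC with the attribute zeroed rather than stripped, so the Length field and attribute order are covered by the authenticator exactly as RFC 2869 specifies; an implementation that strips the attribute instead will compute a different value and reject every client.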

For MC, refer to the Tech Doc below for the documented guidance on authenticating MC users against RADIUS.

Authenticate Management Center Users Against RADIUS

Note: 

If the RADIUS server in your organization has defined attributes that you would prefer to use, you can define them instead of installing the Blue Coat VSA. Define the attributes for role membership and group membership in Administration > Settings > RADIUS. If these fields are not populated with a custom attribute name, MC assumes that the Blue Coat VSA is in use.

The same applies to CAS.

Ref.: Authenticate Users Against RADIUS

Specifically for CAS, note the following.

In addition to authenticating administrators, RADIUS also authorizes administrators by way of a special attribute in the user's profile. This information is used to identify specific users who have permission to log in to the Content Analysis management console. To enable authorization, define the Symantec-Authorization (vendor-specific) attribute in the RADIUS user profile for users who require administrative access or read-only access to the Content Analysis appliance. The Symantec-Authorization values that you can assign are as follows:

  • No access: This is the default value used when read-only access (1) or administrative access (2) is not specified.
  • Read-only access: 1
  • Read-write access (administrative access or full access user): 2

Ref.: Authenticate Administrators with RADIUS