Cisco Security Advisory
RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
-
On July 7, 2024, security researchers disclosed the following vulnerability in the RADIUS protocol:
CVE-2024-3596: RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by an on-path attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.
This vulnerability may impact any RADIUS client and server. For a description of this vulnerability, see VU#456537: RADIUS protocol susceptible to forgery attacks.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-radius-spoofing-july-2024-87cCDwZ3
-
Cisco investigated its product line to determine which products and cloud services may be affected by this vulnerability.
The Vulnerable Products section includes Cisco bug IDs for each affected product or service. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.
Vulnerable Products
The following table lists Cisco products that are affected by the vulnerability that is described in this advisory. Customers should refer to the associated Cisco bug(s) for further details.
Product Cisco Bug ID Endpoint Clients and Client Software Duo Authentication Proxy CSCwk87884 Network and Content Security Devices Adaptive Security Appliance (ASA) CSCwk71992 Firepower Device Manager (FDM) CSCwk69454 Firepower Management Center (FMC) Software CSCwk71817 Firepower Threat Defense (FTD) Software CSCwk67902 Meraki MX Series Notes Identity Services Engine (ISE) CSCwk67747 Secure Email Gateway CSCwk70832 Secure Email and Web Manager CSCwk70833 Secure Firewall CSCwk67859 Secure Network Analytics CSCwk73619 Secure Web Appliance CSCwk70834 Network Management and Provisioning Application Policy Infrastructure Controller (APIC) CSCwk70836 Crosswork Network Controller CSCwk70850 Nexus Dashboard, formerly Application Services Engine CSCwk70840 Prime Infrastructure CSCwk79727 Routing and Switching - Enterprise and Service Provider ASR 5000 Series Routers CSCwk70831 Catalyst Center CSCwk70845 Catalyst SD-WAN Controller, formerly SD-WAN vSmart CSCwk70854 Catalyst SD-WAN Manager, formerly SD-WAN vManage CSCwk70854 Catalyst SD-WAN Validator, formerly SD-WAN vBond CSCwk70854 GGSN Gateway GPRS Support Node CSCwk70831 IOS Software CSCwk78278 IOS XE Software CSCwk70852 IOS XR Software CSCwk70236 IOx Fog Director CSCwk70851 MDS 9000 Series Multilayer Switches CSCwk70837 Network Convergence System (NCS) 2000 Series CSCwm33240 Nexus 1000V Series Switches CSCwk79691 Nexus 3000 Series Switches CSCwk70839 Nexus 5500 Platform Switches CSCwk79692 Nexus 5600 Platform Switches CSCwk79692 Nexus 6000 Series Switches CSCwk79692 Nexus 7000 Series Switches CSCwk70838 Nexus 9000 Series Fabric Switches in ACI Mode CSCwk83051 Nexus 9000 Series Switches in standalone NX-OS mode CSCwk70839 PGW Packet Data Network Gateway CSCwk70831 SD-WAN vEdge Routers CSCwk70854 System Architecture Evolution (SAE) Gateway CSCwk70831 Ultra Packet Core CSCwk70831 Unified Computing Enterprise NFV Infrastructure Software (NFVIS) CSCwk79647 UCS Central Software CSCwk71967 UCS Manager CSCwk70842 WirelessUnified Computing AireOS Wireless LAN Controllers CSCwk70846 Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
Network Application, Service, and Acceleration
- Nexus Dashboard Insights (On Prem)
- Secure Workload
Network and Content Security Devices
- Firepower 4100/9300 FXOS Firepower Chassis Manager
- Secure Malware Analytics Appliance
- Umbrella Active Directory (AD) Connector
Network Management and Provisioning
- Cisco Evolved Programmable Network Manager (EPNM)
- DNA Spaces Connector
- Policy Suite
- ThousandEyes Enterprise Agent
Routing and Switching - Enterprise and Service Provider
- Ultra Cloud Core - Policy Control Function
Unified Computing
- UCS B-Series Blade Servers
Wireless
- 6300 Series Embedded Services Access Points
- Aironet 1540 Series
- Aironet 1560 Series
- Aironet 1810 Series OfficeExtend Access Points
- Aironet 1810w Series Access Points
- Aironet 1815 Series Access Points
- Aironet 1830 Series Access Points
- Aironet 1850 Series Access Points
- Aironet 2800 Series Access Points
- Aironet 3800 Series Access Points
- Aironet 4800 Access Points
- Aironet 802.11ac Wave2 Access Points
- Catalyst 9100 Series Access Points
- Catalyst IW6300 Heavy Duty Series Access Points
- Catalyst IW9165 Heavy Duty Series
- Catalyst IW9165 Rugged Series
- Catalyst IW9167 Heavy Duty Series
-
There are no workarounds that address this vulnerability.
RADIUS clients and servers configured to use DTLS or TLS over TCP are not exploitable, even if the underlying implementation is otherwise vulnerable, as long as the traffic is not sent in plaintext.
Customers should determine the applicability and effectiveness of this mitigation in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
-
For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products section of this advisory.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
-
The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.
The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.
-
This vulnerability was publicly disclosed by Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl on July 9, 2024.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version Description Section Status Date 1.10 Added Network Convergence System 2000 Series to the list of vulnerable products. Vulnerable Products Final 2024-SEP-03 1.9 Updated the list of products confirmed not vulnerable. Products Confirmed Not Vulnerable Final 2024-AUG-19 1.8 Updated lists of products considered vulnerable and products considered not vulnerable. Vulnerable Products and Products Confirmed Not Vulnerable Final 2024-AUG-09 1.7 Updated summary, lists of products currently under investigation, and products determined to be affected. Summary, Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable Final 2024-AUG-02 1.6 Updated lists of products currently under investigation and products determined to be affected. Affected Products and Vulnerable Products Interim 2024-JUL-29 1.5 Updated lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable. Interim 2024-JUL-24 1.4 Updated lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable. Interim 2024-JUL-19 1.3 Updated lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable. Interim 2024-JUL-17 1.2 Updated lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable Interim 2024-JUL-16 1.1 Updated the list of products currently under investigation. Affected Products Interim 2024-JUL-11 1.0 Initial public release. - Interim 2024-JUL-10
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.