Security Advisory

Blast-RADIUS Vulnerability (CVE-2024-3596)

Description

The Blast-RADIUS vulnerability (CVE-2024-3596) is a weakness in the RADIUS protocol that allows an attacker to forge messages. In a man-in-the-middle position between the Access Server and the RADIUS server, an attacker could turn the response to a failed authentication request into a valid accept message, thereby bypassing authentication.

If your Access Server is configured to use RADIUS authentication you may be at risk, particularly if the traffic between Access Server and RADIUS server occurs over an untrusted network, such as the public Internet.

More details are available on the following information page:

Resolution

Access Server 2.14.1 introduces a key enhancement to address this problem. It now supports the Message-Authenticator attribute, which verifies the integrity of RADIUS messages. For effective protection, both the Access Server and the RADIUS server must send and verify this attribute in their communications.

As of version 2.14.1, Access Server always sends the RADIUS Message-Authenticator attribute in its communications to the RADIUS server, and the RADIUS server can use it to verify that the messages have not been tampered with.

The reverse is unfortunately not always possible. While Access Server supports verifying this attribute in messages received from RADIUS servers, not all RADIUS servers currently support sending it to the Access Server. If your RADIUS server is capable of it, we recommend that you enable sending the attribute on the RADIUS server and that the Access Server is configured to verify the Message-Authenticator attribute in the RADIUS settings page in the Admin web UI.
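As an added illustration, not part of this advisory or of Access Server's own code, the following Python builds a constructed Access-Accept reply carrying a Message-Authenticator (RFC 2869 / RFC 3579) and shows the check a client performs when "verify" is enabled: a reply whose attribute is missing, altered, or computed under the wrong shared secret is rejected. The secret, identifier and attribute values are made up.

```python
import hashlib
import hmac
import struct

# Constructed example: RADIUS reply with Message-Authenticator, and its verification.
ACCESS_ACCEPT = 2
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type

def build_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLV attributes (type, length, value)."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def build_response(code, ident, request_auth, attrs, secret):
    """Build a reply with a valid Message-Authenticator and Response Authenticator."""
    # RFC 3579 3.2: HMAC-MD5 over Code, Identifier, Length, the *Request* Authenticator
    # of the matching Access-Request, and the attributes, with this attribute zeroed.
    body = build_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = build_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])
    # RFC 2865 Response Authenticator: plain MD5 with the secret appended. On its own
    # this is what Blast-RADIUS defeats, so the client must not rely on it alone.
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_attrs(data):
    """Decode RADIUS TLV attributes, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def verify_response(packet, request_auth, secret):
    """True only if the reply carries exactly one Message-Authenticator that matches."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    attrs = parse_attrs(packet[20:])
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False  # absent attribute is treated as a failure, not as "unprotected"
    # Recompute over the same bytes with the attribute value zeroed, order preserved.
    zeroed = build_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                          for t, v in attrs])
    expected = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])
```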

Customers using RADIUS for authentication should:

  1. Upgrade to Access Server 2.14.1 so that the new security feature becomes available to you.
  2. Ensure your RADIUS server supports the Message-Authenticator attribute, and enable it. Contact your RADIUS provider if this feature is not yet supported.
  3. Finally, enable the setting to verify the Message-Authenticator attribute in the RADIUS settings on the Admin web UI of the Access Server.

For more information on implementing these changes and further securing your network, refer to the detailed documentation available on our website or contact our support team.