{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-074.pdf"
    },
    "title": "RADIUS Vulnerability Impacts Cisco Products",
    "serial_number": "2024-074",
    "publish_date": "29-07-2024 17:10:46",
    "description": "A critical vulnerability, identified as CVE-2024-3596, has been discovered in the RADIUS (Remote Authentication Dial-In User Service) protocol, allowing for man-in-the-middle (MitM) attacks that bypass authentication mechanisms. Dubbed the Blast-RADIUS attack, this vulnerability leverages an MD5 collision attack to forge authentication responses, potentially granting unauthorised access to network resources.<br>\nIn particular, multiple Cisco products are impacted by this vulnerability. Other platforms are impacted as well, although the exact severity varies. Due to the high severity of this vulnerability, CERT-EU strongly recommends patching as soon as possible. <br>\n",
    "url_title": "2024-074",
    "content_markdown": "---\ntitle: 'RADIUS Vulnerability Impacts\u00a0Cisco\u00a0Products'\nnumber: '2024-074'\nversion: '1.0'\noriginal_date: 'July 7, 2024'\ndate: 'July 29, 2024'\n---\n\n_History:_\n\n* _29/07/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nA critical vulnerability, identified as CVE-2024-3596, has been discovered in the RADIUS (Remote Authentication Dial-In User Service) protocol, allowing for man-in-the-middle (MitM) attacks that bypass authentication mechanisms [1]. Dubbed the _Blast-RADIUS_ attack, this vulnerability leverages an MD5 collision attack to forge authentication responses, potentially granting unauthorised access to network resources.\n\nIn particular, multiple Cisco products are impacted by this vulnerability [2, 3]. Other platforms are impacted as well, although the exact severity varies [4, 5]. Due to the high severity of this vulnerability, CERT-EU strongly recommends patching as soon as possible.\n\n# Technical Details\n\nThe Blast-RADIUS attack targets the RADIUS/UDP protocol, which is widely used for authentication in various network services. The vulnerability arises from the use of MD5 in the RADIUS protocol's Response Authenticator. An attacker can exploit this by intercepting and modifying RADIUS messages between the client and server.\n\nThis process can be completed in 3 to 6 minutes, though advanced hardware could significantly reduce this time, making the attack feasible within the typical RADIUS timeout period of 30 to 60 seconds.\n\n# Affected Products\n\nThe vulnerability impacts any system utilising RADIUS/UDP for authentication without the Message-Authenticator attribute enabled. This includes a wide range of network devices and services.\n\nThe list of impacted Cisco products is available in [2]. Other vendors are also impacted, including WatchGuard [4], Palo Alto [5], Microsoft [6], and many others.
\n\n# Recommendations\n\nTo mitigate the risk of exploitation, the following measures are recommended:\n\n- **Enable Message-Authenticator Attribute**: Ensure that all RADIUS communications include the Message-Authenticator attribute, which uses HMAC-MD5 to provide stronger protection against MitM attacks.\n- **Update RADIUS Implementations**: Apply patches and updates provided by RADIUS software vendors that address this vulnerability.\n\n# References\n\n[1] <https://www.bleepingcomputer.com/news/security/new-blast-radius-attack-bypasses-widely-used-radius-authentication/>\n\n[2] <https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-radius-spoofing-july-2024-87cCDwZ3>\n\n[3] <https://cybersecuritynews.com/radius-protocol-vulnerability-cisco/>\n\n[4] <https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00013>\n\n[5] <https://security.paloaltonetworks.com/CVE-2024-3596>\n\n[6] <https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-3596>\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>29/07/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>A critical vulnerability, identified as CVE-2024-3596, has been discovered in the RADIUS (Remote Authentication Dial-In User Service) protocol, allowing for man-in-the-middle (MitM) attacks that bypass authentication mechanisms [1]. Dubbed the <em>Blast-RADIUS</em> attack, this vulnerability leverages an MD5 collision attack to forge authentication responses, potentially granting unauthorised access to network resources.</p><p>In particular, multiple Cisco products are impacted by this vulnerability [2, 3]. Other platforms are impacted as well, although the exact severity varies [4, 5]. Due to the high severity of this vulnerability, CERT-EU strongly recommends patching as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The Blast-RADIUS attack targets the RADIUS/UDP protocol, which is widely used for authentication in various network services. The vulnerability arises from the use of MD5 in the RADIUS protocol's Response Authenticator. An attacker can exploit this by intercepting and modifying RADIUS messages between the client and server.</p><p>This process can be completed in 3 to 6 minutes, though advanced hardware could significantly reduce this time, making the attack feasible within the typical RADIUS timeout period of 30 to 60 seconds.</p><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerability impacts any system utilising RADIUS/UDP for authentication without the Message-Authenticator attribute enabled. This includes a wide range of network devices and services.</p><p>The list of impacted Cisco products is available in [2]. Other vendors are also impacted, including WatchGuard [4], Palo Alto [5], Microsoft [6], and many others.
</p><h2 id=\"recommendations\">Recommendations</h2><p>To mitigate the risk of exploitation, the following measures are recommended:</p><ul><li><strong>Enable Message-Authenticator Attribute</strong>: Ensure that all RADIUS communications include the Message-Authenticator attribute, which uses HMAC-MD5 to provide stronger protection against MitM attacks.</li><li><strong>Update RADIUS Implementations</strong>: Apply patches and updates provided by RADIUS software vendors that address this vulnerability.</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/new-blast-radius-attack-bypasses-widely-used-radius-authentication/\">https://www.bleepingcomputer.com/news/security/new-blast-radius-attack-bypasses-widely-used-radius-authentication/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-radius-spoofing-july-2024-87cCDwZ3\">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-radius-spoofing-july-2024-87cCDwZ3</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://cybersecuritynews.com/radius-protocol-vulnerability-cisco/\">https://cybersecuritynews.com/radius-protocol-vulnerability-cisco/</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00013\">https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00013</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://security.paloaltonetworks.com/CVE-2024-3596\">https://security.paloaltonetworks.com/CVE-2024-3596</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-3596\">https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-3596</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}