Cyber Security News

RADIUS Protocol Vulnerability Impacted Multiple Cisco Products

A critical vulnerability in the Remote Authentication Dial-In User Service (RADIUS) protocol has been disclosed, affecting multiple Cisco products.

The vulnerability, CVE-2024-3596, allows an on-path attacker to forge RADIUS responses, potentially leading to unauthorized access to network resources. It could also impact numerous Cisco products and cloud services.

The vulnerability, known as “Blast-RADIUS,” was disclosed on July 7, 2024, by a team of security researchers from UC San Diego and their partners. It exploits a fundamental flaw in the RADIUS protocol’s use of MD5 for response authentication.

An attacker can use a chosen-prefix collision attack to modify any valid RADIUS response (Access-Accept, Access-Reject, or Access-Challenge) to another response of their choice without needing to know the shared secret between the RADIUS client and server.
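The response check that this attack targets, as an added example (not code from the article, Cisco, or the researchers): a client-side verifier for the RFC 2865 Response Authenticator. It shows that a single MD5 over the packet and shared secret is all that binds the response code to the request. The shared secret, identifier, and attribute values are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11  # RFC 2865 codes


def response_authenticator(header, request_auth, attrs, secret):
    # RFC 2865: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    # A bare MD5 with the secret appended, not a keyed MAC such as HMAC.
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(header, request_auth, attrs, secret) + attrs


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs; reject bad lengths."""
    pairs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        pairs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return pairs


def verify_response(packet, request_auth, secret):
    """Return (authenticator_ok, code, attributes) for a received response."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    packet = packet[:length]  # bytes past Length are padding and are ignored
    expected = response_authenticator(packet[:4], request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20]), code, parse_attributes(packet[20:])


# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))             # authenticator from the Access-Request
REPLY_MESSAGE = bytes([18, 8]) + b"denied"  # attribute 18 = Reply-Message
GENUINE = build_response(ACCESS_REJECT, 7, REQUEST_AUTH, REPLY_MESSAGE, SECRET)
# Same packet with only the Code byte changed in transit: the MD5 no longer matches.
ALTERED = bytes([ACCESS_ACCEPT]) + GENUINE[1:]

if __name__ == "__main__":
    print(verify_response(GENUINE, REQUEST_AUTH, SECRET))
    print(verify_response(ALTERED, REQUEST_AUTH, SECRET))
```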


Impact on Cisco Products

Cisco’s Product Security Incident Response Team (PSIRT) is actively investigating its product line to determine which products and services may be affected. As of July 24, 2024, Cisco has identified several vulnerable products across various categories:

  1. Network and Content Security Devices:
    • Adaptive Security Appliance (ASA)
    • Firepower Device Manager (FDM)
    • Identity Services Engine (ISE)
    • Secure Email Gateway
    • Secure Firewall
  2. Network Management and Provisioning:
    • Application Policy Infrastructure Controller (APIC)
    • Crosswork Change Automation
    • Nexus Dashboard
  3. Routing and Switching:
    • ASR 5000 Series Routers
    • Catalyst SD-WAN Controller
    • IOS XE Software
    • IOS XR
    • Nexus 3000, 7000, and 9000 Series Switches
  4. Unified Computing:
    • UCS Central Software
    • UCS Manager

Cisco has also confirmed that several products are not vulnerable, including certain wireless access points, DNA Spaces Connector, and UCS B-Series Blade Servers.

The company urges customers to stay informed about the ongoing investigation and potential impacts on their networks. There are currently no workarounds for this vulnerability.

Cisco PSIRT has acknowledged the availability of proof-of-concept exploit code for this vulnerability but is unaware of any malicious use in the wild. 

The vulnerability is not limited to Cisco products. Other vendors, including Microsoft, Red Hat, and Juniper Networks, are also investigating the impact on their products. The widespread use of RADIUS in networking and cloud services makes this vulnerability a significant threat across the industry.

Mitigation and Recommendations

Cisco recommends that customers using RADIUS for authentication implement the following mitigations to protect their networks:

  • Use TLS or DTLS Encryption: RADIUS clients and servers configured to use DTLS or TLS over TCP are not exploitable, provided the traffic is not sent in plaintext.
  • Network Isolation: Isolate RADIUS resources from untrusted sources using secure VPN tunnels and network segmentation.
  • Software Updates: Regularly check for software updates and apply patches as they become available.

Network administrators are urged to review their RADIUS configurations and apply recommended mitigations to safeguard their systems.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
