![](https://sec.cloudapps.cisco.com/security/center/images/blue-square.png)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
-
On July 7, 2024, security researchers disclosed the following vulnerability in the RADIUS protocol:
CVE-2024-3596: RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by an on-path attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.
This vulnerability may impact any RADIUS client and server. For a description of this vulnerability, see VU#456537: RADIUS protocol susceptible to forgery attacks.
This advisory will be updated as additional information becomes available.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-radius-spoofing-july-2024-87cCDwZ3
-
Cisco is investigating its product line to determine which products and cloud services may be affected by this vulnerability. As the investigation progresses, Cisco will update this advisory with information about affected products and services.
The Vulnerable Products section will include Cisco bug IDs for each affected product or service. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.
Products Under Investigation
The following Cisco products are under active investigation to determine whether they are affected by the vulnerability that is described in this advisory.
- Application Policy Infrastructure Controller (APIC)
- ASR 5000 Series Routers
- Catalyst Center
- Catalyst SD-WAN Controller, formerly SD-WAN vSmart
- Catalyst SD-WAN Manager, formerly SD-WAN vManage
- Catalyst SD-WAN Validator, formerly SD-WAN vBond
- Crosswork Change Automation
- Enterprise NFV Infrastructure
- Firepower Threat Defense (FTD) Software
- IOS Software
- IOS XR Software
- IoT Operations Dashboard
- Meraki MX Series
- Nexus 1000V Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 9000 Series Fabric Switches in ACI Mode
- NX-OS Software
- Prime Infrastructure
- SD-WAN vEdge Routers
- Secure Access Control System
- UCS B-Series Blade Servers
- Wireless LAN Controller
Vulnerable Products
The following table lists Cisco products that are affected by the vulnerability that is described in this advisory. After the advisory is marked Final, customers should refer to the associated Cisco bug(s) for further details.
Product Cisco Bug ID Network and Content Security Devices Adaptive Security Appliance (ASA) CSCwk71992 Firepower Device Manager (FDM) CSCwk69454 Firepower Management Center (FMC) Software CSCwk71817 Identity Services Engine (ISE) CSCwk67747 Secure Email Gateway CSCwk70832 Secure Email and Web Manager CSCwk70833 Secure Firewall CSCwk67859 Secure Network Analytics CSCwk73619 Secure Web Appliance CSCwk70834 Network Management and Provisioning Nexus Dashboard, formerly Application Services Engine CSCwk70840 Routing and Switching - Enterprise and Service Provider IOS XE Software CSCwk70852 IOx Fog Director CSCwk70851 MDS 9000 Series Multilayer Switches CSCwk70837 Nexus 3000 Series Switches CSCwk70839 Nexus 7000 Series Switches CSCwk70838 Nexus 9000 Series Switches in standalone NX-OS mode CSCwk70839 Unified Computing UCS Central Software CSCwk71967 UCS Manager CSCwk70842 Products Confirmed Not Vulnerable
Cisco is investigating its product line to determine which products may be affected by this vulnerability and the impact on each affected product. This section will be updated as information becomes available.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
Network Application, Service, and Acceleration
- Nexus Dashboard Insights (On Prem)
- Secure Workload
Network and Content Security Devices
- Firepower 4100 Series
- Firepower 9300 Series
- Secure Malware Analytics Appliance
- Umbrella Active Directory (AD) Connector
Network Management and Provisioning
- Cisco Evolved Programmable Network Manager (EPNM)
- DNA Spaces Connector
- Policy Suite
Routing and Switching - Enterprise and Service Provider
- Ultra Cloud Core - Policy Control Function
Wireless
- 6300 Series Embedded Services Access Points
- AireOS Wireless LAN Controllers
- Aironet 1540 Series
- Aironet 1560 Series
- Aironet 1810 Series OfficeExtend Access Points
- Aironet 1810w Series Access Points
- Aironet 1815 Series Access Points
- Aironet 1830 Series Access Points
- Aironet 1850 Series Access Points
- Aironet 2800 Series Access Points
- Aironet 3800 Series Access Points
- Aironet 4800 Access Points
- Aironet 802.11ac Wave2 Access Points
- Catalyst 9100 Series Access Points
- Catalyst IW6300 Heavy Duty Series Access Points
- Catalyst IW9165 Heavy Duty Series
- Catalyst IW9165 Rugged Series
- Catalyst IW9167 Heavy Duty Series
-
There are no workarounds that address this vulnerability.
RADIUS clients and servers configured to use DTLS or TLS over TCP are not exploitable, even if the underlying implementation is otherwise vulnerable, as long as the traffic is not sent in plaintext.
Customers should determine the applicability and effectiveness of this mitigation in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
-
For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products section of this advisory.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
-
The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.
The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.
-
This vulnerability was publicly disclosed by Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl on July 9, 2024.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version Description Section Status Date 1.4 Updated lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable. Interim 2024-JUL-19 1.3 Updated lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable. Interim 2024-JUL-17 1.2 Updated lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable Interim 2024-JUL-16 1.1 Updated the list of products currently under investigation. Affected Products Interim 2024-JUL-11 1.0 Initial public release. — Interim 2024-JUL-10
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.