Summary

• On July 7, 2024, security researchers disclosed the following vulnerability in the RADIUS protocol: 

  CVE-2024-3596: RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by an on-path attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.

  This vulnerability may impact any RADIUS client and server. For a description of this vulnerability, see VU#456537: RADIUS protocol susceptible to forgery attacks.

  This advisory will be updated as additional information becomes available.

  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-radius-spoofing-july-2024-87cCDwZ3

Affected Products

• Cisco is investigating its product line to determine which products and cloud services may be affected by this vulnerability. As the investigation progresses, Cisco will update this advisory with information about affected products and services.

  The Vulnerable Products section will include Cisco bug IDs for each affected product or service. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.

  Products Under Investigation

  The following Cisco products are under active investigation to determine whether they are affected by the vulnerability that is described in this advisory.

  • Application Policy Infrastructure Controller (APIC)
  • ASR 5000 Series Routers
  • Catalyst Center
  • Catalyst SD-WAN Controller, formerly SD-WAN vSmart
  • Catalyst SD-WAN Manager, formerly SD-WAN vManage
  • Catalyst SD-WAN Validator, formerly SD-WAN vBond
  • Crosswork Change Automation
  • Enterprise NFV Infrastructure
  • Firepower Threat Defense (FTD) Software
  • IOS Software
  • IOS XR Software
  • IoT Operations Dashboard
  • Meraki MX Series
  • Nexus 1000V Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 9000 Series Fabric Switches in ACI Mode
  • NX-OS Software
  • Prime Infrastructure
  • SD-WAN vEdge Routers
  • Secure Access Control System
  • UCS B-Series Blade Servers
  • Wireless LAN Controller

  Vulnerable Products

  The following table lists Cisco products that are affected by the vulnerability that is described in this advisory. After the advisory is marked Final, customers should refer to the associated Cisco bug(s) for further details.

  Product	Cisco Bug ID
  Network and Content Security Devices
  Adaptive Security Appliance (ASA)	CSCwk71992
  Firepower Device Manager (FDM)	CSCwk69454
  Firepower Management Center (FMC) Software	CSCwk71817
  Identity Services Engine (ISE)	CSCwk67747
  Secure Email Gateway	CSCwk70832
  Secure Email and Web Manager	CSCwk70833
  Secure Firewall	CSCwk67859
  Secure Network Analytics	CSCwk73619
  Secure Web Appliance	CSCwk70834
  Network Management and Provisioning
  Nexus Dashboard, formerly Application Services Engine	CSCwk70840
  Routing and Switching - Enterprise and Service Provider
  IOS XE Software	CSCwk70852
  IOx Fog Director	CSCwk70851
  MDS 9000 Series Multilayer Switches	CSCwk70837
  Nexus 3000 Series Switches	CSCwk70839
  Nexus 7000 Series Switches	CSCwk70838
  Nexus 9000 Series Switches in standalone NX-OS mode	CSCwk70839
  Unified Computing
  UCS Central Software	CSCwk71967
  UCS Manager	CSCwk70842

   

  Products Confirmed Not Vulnerable

  Cisco is investigating its product line to determine which products may be affected by this vulnerability and the impact on each affected product. This section will be updated as information becomes available.

  Cisco has confirmed that this vulnerability does not affect the following Cisco products:

  Network Application, Service, and Acceleration

  • Nexus Dashboard Insights (On Prem)
  • Secure Workload

  Network and Content Security Devices

  • Firepower 4100 Series
  • Firepower 9300 Series
  • Secure Malware Analytics Appliance
  • Umbrella Active Directory (AD) Connector

  Network Management and Provisioning

  • Cisco Evolved Programmable Network Manager (EPNM)
  • DNA Spaces Connector
  • Policy Suite

  Routing and Switching - Enterprise and Service Provider

  • Ultra Cloud Core - Policy Control Function

  Wireless

  • 6300 Series Embedded Services Access Points
  • AireOS Wireless LAN Controllers
  • Aironet 1540 Series
  • Aironet 1560 Series
  • Aironet 1810 Series OfficeExtend Access Points
  • Aironet 1810w Series Access Points
  • Aironet 1815 Series Access Points
  • Aironet 1830 Series Access Points
  • Aironet 1850 Series Access Points
  • Aironet 2800 Series Access Points
  • Aironet 3800 Series Access Points
  • Aironet 4800 Access Points
  • Aironet 802.11ac Wave2 Access Points
  • Catalyst 9100 Series Access Points
  • Catalyst IW6300 Heavy Duty Series Access Points
  • Catalyst IW9165 Heavy Duty Series
  • Catalyst IW9165 Rugged Series
  • Catalyst IW9167 Heavy Duty Series

Workarounds

• There are no workarounds that address this vulnerability.

  RADIUS clients and servers configured to use DTLS or TLS over TCP are not exploitable, even if the underlying implementation is otherwise vulnerable, as long as the traffic is not sent in plaintext.

  Customers should determine the applicability and effectiveness of this mitigation in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

Fixed Software

• For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products section of this advisory.

  When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

• The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.

  The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.

Source

• This vulnerability was publicly disclosed by Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl on July 9, 2024.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-radius-spoofing-july-2024-87cCDwZ3

Revision History

• Version	Description	Section	Status	Date
  1.4	Updated lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable.	Interim	2024-JUL-19
  1.3	Updated lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable.	Interim	2024-JUL-17
  1.2	Updated lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2024-JUL-16
  1.1	Updated the list of products currently under investigation.	Affected Products	Interim	2024-JUL-11
  1.0	Initial public release.	—	Interim	2024-JUL-10

  Show Less

---