RSA ID Plus BlastRADIUS Vulnerability Fix: Frequently Asked Questions
BlastRADIUS is a thirty-year-old design flaw in the RADIUS protocol. Exploiting the vulnerability allows an attacker to authenticate anyone to your local network.
- Any Multi-Factor Authentication (MFA) can be bypassed.
- Unknown users can be given network access.
- Unknown users can be granted administrative login to key networking equipment.
- Known users can have their traffic redirected to a honeypot.
https://inkbridgenetworks.com/blastradius/faq
2. What is the root cause of the vulnerability?
In the RADIUS protocol, some Access-Request packets are not authenticated and lack integrity checks. Attackers can modify these packets in a way that allows them to control who uses the network.
3. How is RSA addressing the BlastRADIUS Issue?
RSA has released Authentication Manager and Identity Router patches to fix the security vulnerability (CVE-2024-3596) identified in the RADIUS protocol.
- RSA Authentication Manager 8.7 SP2 Patch 3
- RSA Authentication Manager 8.7 SP1 Patch 3 Hotfix 1
- RSA Authentication Manager 8.7 Patch 4 Hotfix 1
- RSA Authentication Manager 8.6 Patch 4 Hotfix 1
- RSA Identity Router 12.21
Note: Before you apply the patch/hotfix, ensure that each RADIUS client you use at least tolerates (ignores) the Message-Authenticator attribute in responses. RSA recommends asking your vendors for a fix for the BlastRADIUS vulnerability and applying the client-side fixes immediately. This must be done before applying the RSA patches and enabling the Message-Authenticator configuration.
4. RSA Identity Router 12.21 has a default and last upgrade date. What can I do in this case?
The default and last upgrade dates for Identity Router 12.21 have been changed to:
- Default: 10/05/2024
- Last permitted: 10/27/2024
Earlier dates were Default: Saturday – 09/07/24 and Last: Saturday – 09/21/24.
This date change provides more time to understand the BlastRADIUS impact and to contact the vendors.
Note that the vulnerability is critical and RSA mandates mitigation at the earliest opportunity.
5. The BlastRADIUS FAQ mentions that EAP/TLS clients are not impacted by the vulnerability.
EAP/TLS uses the Message-Authenticator attribute and is not vulnerable. Customers may need to check whether their RADIUS clients are EAP/TLS clients.
6. Will deploying the RSA patches have any adverse impact?
Please contact each of your RADIUS client vendors to confirm support for the BlastRADIUS vulnerability fix, or at least the ability to ignore the Message-Authenticator attribute in RADIUS responses. Upgrade applications if necessary and test with the new AM and/or IDR version internally before moving to production. If any RADIUS client does not meet the preceding criteria, deploying the RSA patches may break your RADIUS integration with that client.
RSA recommends taking a backup of your Authentication Manager system before applying the patch/hotfix as it cannot be rolled back. You can then use this backup to revert to the previous version of Authentication Manager if required.
7. What should I do if any RADIUS clients do not work after upgrading all the RADIUS clients? How do I revert the changes?
RSA recommends taking a backup of your Authentication Manager system before applying the patch/hotfix since it cannot be rolled back.
8. What needs to be done after deploying the RSA patches?
Upgrading the Authentication Manager or Identity Router is not sufficient to remediate the BlastRADIUS vulnerability. To fully protect an application, you must enable the Message-Authenticator attribute flag in the RADIUS server; this enforces the presence of the Message-Authenticator attribute in every RADIUS authentication request. Before enabling the flag, ensure that your RADIUS client software version sends the Message-Authenticator attribute in each RADIUS authentication request. In addition, applications must verify the Message-Authenticator value in RADIUS responses, and the attribute must be present in every response.
Please reach out to the RADIUS client vendor to confirm support for the BlastRADIUS vulnerability fix.
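The mechanics behind questions 2 and 8, as an added example that is not RSA's code and not part of this article: a minimal Python model of the RADIUS Message-Authenticator attribute (RFC 2869 section 5.14, HMAC-MD5 over the packet with the attribute's own value zeroed). It shows that an Access-Request without the attribute carries no integrity check at all, what the server-side enforcement flag changes, and the client-side check that every response must carry a valid Message-Authenticator. The packet contents, the shared secret, the user names and the `require` flag name are constructed for illustration; the Response Authenticator in the sample reply is a placeholder, not the RFC 2865 computation, because the Message-Authenticator of a response is keyed on the Request Authenticator and does not depend on it.

```python
"""Toy RADIUS Message-Authenticator (RFC 2869 section 5.14) build/verify model.

Constructed example: every packet, secret and name below is made up.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80
MA_ZERO = b"\x00" * 16  # placeholder value while the HMAC is computed


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS type/length/value triples."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def parse_attrs(packet):
    """Yield (type, value, offset_of_value) for every attribute in the packet."""
    (length,) = struct.unpack("!H", packet[2:4])
    pos = 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        yield t, packet[pos + 2:pos + l], pos + 2
        pos += l


def message_authenticator(packet, secret, request_authenticator=None):
    """HMAC-MD5 over Code, Identifier, Length, Request Authenticator and Attributes,
    with the Message-Authenticator value itself replaced by 16 zero octets.
    A response carries the Response Authenticator in its header, so the
    Request Authenticator has to be substituted before hashing."""
    buf = bytearray(packet)
    if request_authenticator is not None:
        buf[4:20] = request_authenticator
    for t, _, off in parse_attrs(packet):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            buf[off:off + 16] = MA_ZERO
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def build_signed(code, ident, authenticator, attrs, secret, request_authenticator=None):
    """Build a packet whose final attribute is a correct Message-Authenticator."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, MA_ZERO)])
    packet = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    mac = message_authenticator(packet, secret, request_authenticator)
    return packet[:-16] + mac  # the zero placeholder is the last 16 octets


def check_message_authenticator(packet, secret, require, request_authenticator=None):
    """Shared verifier. `require` (constructed name) models the enforcement flag
    from the FAQ: when True, a packet without the attribute is rejected outright."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "bad length"
    found = [v for t, v, _ in parse_attrs(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        if require:
            return False, "Message-Authenticator missing"
        return True, "accepted without integrity check (legacy behaviour)"
    if len(found) != 1 or len(found[0]) != 16:
        return False, "malformed Message-Authenticator"
    expected = message_authenticator(packet, secret, request_authenticator)
    if not hmac.compare_digest(found[0], expected):
        return False, "Message-Authenticator mismatch"
    return True, "Message-Authenticator verified"


def client_verify_response(response, request_authenticator, secret):
    """Client side: the attribute must be present and valid on every response."""
    return check_message_authenticator(response, secret, True, request_authenticator)


def demo():
    """Run the server-side and client-side checks over constructed packets."""
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))  # constructed; a real client sends 16 random octets
    request = build_signed(ACCESS_REQUEST, 7, req_auth, [(ATTR_USER_NAME, b"alice")], secret)
    # The same bytes with User-Name altered in transit: the HMAC no longer matches.
    modified = request.replace(b"alice", b"carol")
    # A legacy client that never adds the attribute: nothing protects its contents.
    legacy = struct.pack("!BBH", ACCESS_REQUEST, 8, 27) + req_auth + encode_attrs([(ATTR_USER_NAME, b"alice")])
    # A reply; the header holds a placeholder Response Authenticator (constructed).
    resp_auth = hashlib.md5(b"placeholder-response-authenticator").digest()
    response = build_signed(ACCESS_ACCEPT, 7, resp_auth, [], secret, req_auth)
    response_no_ma = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20) + resp_auth
    return {
        "signed_request": check_message_authenticator(request, secret, True),
        "modified_request": check_message_authenticator(modified, secret, True),
        "legacy_flag_off": check_message_authenticator(legacy, secret, False),
        "legacy_flag_on": check_message_authenticator(legacy, secret, True),
        "response": client_verify_response(response, req_auth, secret),
        "response_no_ma": client_verify_response(response_no_ma, req_auth, secret),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

The `legacy_flag_off` case is the pre-patch situation from question 2: a request with no Message-Authenticator is processed on the strength of the shared secret alone, and nothing in the packet lets the server detect modification. Turning `require` on (question 8) rejects such requests, which is exactly why every client must send the attribute before the flag is enabled.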
9. How do I know if my RADIUS clients support the new RADIUS patch in the latest Authentication Manager patch/hotfix and Identity Router release?
Please contact the RADIUS client vendor to confirm the client's support for the BlastRADIUS vulnerability fix.
10. How do I test the vulnerability fix before upgrading?
Please contact the RADIUS client vendor to confirm the support for the BlastRADIUS vulnerability fix and test it in a development environment before moving to production.
11. Does RSA support resolving the BlastRADIUS Issue for individual RADIUS clients?
RSA Authentication Manager supports the fix through a global configuration for all RADIUS clients.
Identity Router supports enabling the fix for RADIUS requests only at the individual RADIUS client level.
Both Authentication Manager and Identity Router will always send the Message-Authenticator attribute in responses after this upgrade.
12. What can I do if my RADIUS client does not support the security fix?
Please contact the RADIUS client vendor to provide support for the BlastRADIUS vulnerability fix.
RSA mandates applying critical updates at the earliest opportunity on the affected RSA products.
13. In what scenario am I not impacted by the vulnerability?
You are not impacted if the application does not use RADIUS PAP for Authentication Manager or Identity Router.
14. What is the future plan for the BlastRADIUS fix?
The BlastRADIUS fix will be included in all future Authentication Manager and Identity Router releases.
Additional References
- https://community.rsa.com/s/article/RSA-Announces-Critical-Security-Updates-for-RSA-ID-Plus-Components-RSA-Authentication-Manager-and-RSA-Identity-Router
- https://nvd.nist.gov/vuln/detail/CVE-2024-3596
- https://www.blastradius.fail/
- https://www.blastradius.fail/pdf/radius.pdf
- https://www.freeradius.org/security/
- https://inkbridgenetworks.com/blastradius/faq
- https://en.wikipedia.org/wiki/Collision_attack
- https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/
- https://datatracker.ietf.org/doc/html/rfc2865
- https://datatracker.ietf.org/doc/html/rfc2869#section-5.14
- https://nvd.nist.gov/vuln-metrics/cvss