
jay.guillette (RSA SecurID) asked a question.
The mitigation for Blast RADIUS CVE-2024-3596 in AM 8.7 SP2 P3 and all RADIUS vendors is to send the Message-Authenticator attribute. RADIUS Clients (VPNs) that do not understand this attribute could deny access.
The mitigation for Blast RADIUS CVE-2024-3596 in AM 8.7 SP2 P3 and all RADIUS vendors is as follows: “For Access-Accept or Access-Reject responses, the Message-Authenticator should be included as the first attribute. This guidance is being put into an upcoming RADIUS RFC.”
If a RADIUS Client (VPN) does not understand this message authentication attribute, it could deny access even when RSA says Access-Accept.
According to the 24-year-old RADIUS RFC 2865, the client may ignore unknown attributes.
There should be a way for any RADIUS Client to ignore the Message-Authenticator attribute in the Access-Accept or Access-Reject responses. But in one case, ignore was not set and the attribute caused a DENY for a customer.
I just retried this on Citrix & apparently they finally got w/ the program & updated NetScaler around this time last year.
You get yours all locked down? ref. this being the preferred setting & FreeRADIUS-Client-Require-MA = yes
Glad to hear it worked out for you.
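The following is an added example, not code from the thread, RSA, Citrix or FreeRADIUS. It shows what the mitigation discussed above looks like on the wire: a server building an Access-Accept/Access-Reject with Message-Authenticator (attribute 80, RFC 2869) as the first attribute, and a client checking both the classic MD5 Response Authenticator and the HMAC-MD5 Message-Authenticator. The `client_decision` helper models the two client behaviours in the thread: treating a Message-Authenticator as optional (the RFC 2865 "ignore unknown attributes" rule) versus requiring it, which is the effect of the `FreeRADIUS-Client-Require-MA = yes` setting mentioned in the reply. The shared secret, identifier and Request Authenticator are constructed values; the helper names are my own.

```python
import hashlib
import hmac
import struct

# Constructed values for this example only
SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # the 16 random bytes the client put in its Access-Request
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80           # RFC 2869 section 5.14


def encode_attr(attr_type, value):
    """RADIUS TLV: type, total length (value + 2), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_response(code, identifier, request_auth, secret, extra_attrs=b"", with_ma=True):
    """Server side: build an Access-Accept/Reject. With with_ma=True the
    Message-Authenticator is emitted as the FIRST attribute, as the guidance
    quoted in the question recommends."""
    attrs = (encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)) if with_ma else b"") + extra_attrs
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    if with_ma:
        # HMAC-MD5(secret, Code|ID|Length|RequestAuthenticator|Attributes) with the
        # Message-Authenticator value zeroed, per RFC 2869 section 5.14
        ma = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
        attrs = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, ma) + attrs[18:]
    # Response Authenticator = MD5(Code|ID|Length|RequestAuthenticator|Attributes|Secret), RFC 2865 section 3
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_attrs(raw):
    """Return (type, value, offset_of_value) for each TLV, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        attr_type, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad attribute length")
        out.append((attr_type, raw[i + 2:i + length], i + 2))
        i += length
    return out


def check_response(packet, request_auth, secret):
    """Client side: verify the Response Authenticator and, if present, the
    Message-Authenticator. Returns a dict of the individual check results."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    result = {"code": code,
              "response_auth_ok": hmac.compare_digest(response_auth, expected),
              "ma_present": False, "ma_first": False, "ma_ok": False}
    for idx, (attr_type, value, off) in enumerate(parse_attrs(attrs)):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            result["ma_present"] = True
            result["ma_first"] = idx == 0
            # Recompute the HMAC over the packet with the MA value zeroed in place
            zeroed = attrs[:off] + bytes(16) + attrs[off + 16:]
            expected_ma = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            result["ma_ok"] = hmac.compare_digest(value, expected_ma)
            break
    return result


def client_decision(result, require_ma):
    """Policy: require_ma=False treats a missing Message-Authenticator as
    acceptable (RFC 2865 'ignore unknown attributes'); require_ma=True is the
    hardened behaviour (e.g. FreeRADIUS-Client-Require-MA = yes). A present but
    invalid Message-Authenticator is always a deny."""
    if not result["response_auth_ok"]:
        return "deny"
    if result["ma_present"] and not result["ma_ok"]:
        return "deny"
    if require_ma and not result["ma_present"]:
        return "deny"
    return "accept" if result["code"] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    ok = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTHENTICATOR, SECRET,
                        encode_attr(ATTR_REPLY_MESSAGE, b"ok"))
    print(check_response(ok, REQUEST_AUTHENTICATOR, SECRET))
    legacy = build_response(ACCESS_REJECT, 7, REQUEST_AUTHENTICATOR, SECRET, with_ma=False)
    print(client_decision(check_response(legacy, REQUEST_AUTHENTICATOR, SECRET), require_ma=True))
```

Running the module prints the check results for a hardened Access-Accept (all checks true, Message-Authenticator first) and shows that a legacy Access-Reject without the attribute is denied by a client configured to require it, which is exactly the interoperability trade-off the thread is about.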