Cisco reports products vulnerable to "blastRadius" RADIUS protocol flaw
Take action: It is time to review the RADIUS implementation on your Cisco devices. If any RADIUS authentication is reachable from the internet, either move it to RADIUS over TLS (TCP) or patch your systems. Patching is the better long-term approach, since it does not add the overhead of moving RADIUS onto TCP, but because patching is not a quick process, this is a team decision.
Learn More
Cisco is reporting that a number of its products are affected by a vulnerability in the Remote Authentication Dial-In User Service (RADIUS) protocol, tracked as CVE-2024-3596 (CVSS score 9.0).
Known as "BlastRADIUS," this vulnerability allows an on-path attacker to forge RADIUS responses, potentially leading to unauthorized access to network resources.
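The forgery works because a plain UDP RADIUS response is protected only by the MD5-based Response Authenticator, so a client that accepts a response on that field alone has nothing stronger to check. The example below is an added illustration, not Cisco code or the text of the advisory: it builds a RADIUS Access-Accept the way a server that also sends the RFC 2869 Message-Authenticator attribute does, then verifies a received response on both fields and rejects one that lacks the HMAC. The shared secret, request authenticator, identifier and Reply-Message value are constructed sample data.

```python
"""Integrity checks a RADIUS client can apply to a response (RFC 2865 / RFC 2869).

Hypothetical verifier written for this article; not Cisco's implementation.
All secrets, authenticators and packets below are constructed sample values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80          # RFC 2869 section 5.14
HEADER = struct.Struct("!BBH16s")        # code, identifier, length, authenticator


def encode_attributes(attrs):
    """attrs: list of (type, bytes). Returns the RADIUS TLV attribute block."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def decode_attributes(blob):
    """Parse the TLV block into [(type, value, value_offset)], rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[pos + 2:pos + alen], pos + 2))
        pos += alen
    return attrs


def build_response(code, identifier, request_auth, attrs, secret):
    """Build a response carrying Message-Authenticator plus the Response Authenticator.

    Message-Authenticator = HMAC-MD5(secret, code|id|len|RequestAuth|attrs) with its
    own 16 value bytes zeroed; Response Authenticator = MD5(code|id|len|RequestAuth|
    attrs|secret) (RFC 2865 section 3). The HMAC is appended as the last attribute.
    """
    body = encode_attributes(list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    length = HEADER.size + len(body)
    head = HEADER.pack(code, identifier, length, request_auth)
    mac = hmac.new(secret, head + body, hashlib.md5).digest()
    body = body[:-16] + mac                      # fill in the zeroed placeholder
    resp_auth = hashlib.md5(head + body + secret).digest()
    return HEADER.pack(code, identifier, length, resp_auth) + body


def verify_response(packet, request_auth, secret, require_message_authenticator=True):
    """Return (ok, reason) for a response to the request that used request_auth."""
    if len(packet) < HEADER.size:
        return False, "short packet"
    code, identifier, length, resp_auth = HEADER.unpack_from(packet)
    if length != len(packet):
        return False, "length field mismatch"
    body = packet[HEADER.size:]
    try:
        attrs = decode_attributes(body)
    except ValueError as exc:
        return False, str(exc)
    head = HEADER.pack(code, identifier, length, request_auth)

    # 1. Response Authenticator: the MD5 field an on-path forger targets.
    expected = hashlib.md5(head + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "response authenticator mismatch"

    # 2. Message-Authenticator: keyed HMAC-MD5, which a forger cannot produce.
    macs = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        if require_message_authenticator:
            return False, "missing Message-Authenticator"
        return True, "ok, no Message-Authenticator (weak)"
    if len(macs) != 1 or len(macs[0][0]) != 16:
        return False, "malformed Message-Authenticator"
    value, off = macs[0]
    zeroed = body[:off] + bytes(16) + body[off + 16:]
    mac = hmac.new(secret, head + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, value):
        return False, "Message-Authenticator mismatch"
    return True, "ok"


# Constructed sample data (a real client uses a random request authenticator).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
GOOD = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, [(ATTR_REPLY_MESSAGE, b"welcome")], SECRET)


def response_without_message_authenticator():
    """Constructed Access-Accept protected only by the Response Authenticator."""
    body = encode_attributes([(ATTR_REPLY_MESSAGE, b"welcome")])
    length = HEADER.size + len(body)
    head = HEADER.pack(ACCESS_ACCEPT, 7, length, REQUEST_AUTH)
    resp_auth = hashlib.md5(head + body + SECRET).digest()
    return HEADER.pack(ACCESS_ACCEPT, 7, length, resp_auth) + body


if __name__ == "__main__":
    print("full response:", verify_response(GOOD, REQUEST_AUTH, SECRET))
    print("no HMAC, strict:", verify_response(response_without_message_authenticator(), REQUEST_AUTH, SECRET))
    print("no HMAC, lenient:", verify_response(response_without_message_authenticator(), REQUEST_AUTH, SECRET, False))
```

The strict default is the point: a client that insists on Message-Authenticator turns a valid-looking Response Authenticator into an insufficient credential, which is what moving to RADIUS/TLS or applying the vendor fix achieves at the protocol level.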
Cisco has identified several vulnerable products across various categories:
| Product | Cisco Bug ID |
|---|---|
| Network and Content Security Devices | |
| Adaptive Security Appliance (ASA) | CSCwk71992 |
| Firepower Device Manager (FDM) | CSCwk69454 |
| Firepower Management Center (FMC) Software | CSCwk71817 |
| Firepower Threat Defense (FTD) Software | CSCwk67902 |
| Identity Services Engine (ISE) | CSCwk67747 |
| Secure Email Gateway | CSCwk70832 |
| Secure Email and Web Manager | CSCwk70833 |
| Secure Firewall | CSCwk67859 |
| Secure Network Analytics | CSCwk73619 |
| Secure Web Appliance | CSCwk70834 |
| Network Management and Provisioning | |
| Application Policy Infrastructure Controller (APIC) | CSCwk70836 |
| Crosswork Change Automation | CSCwk70850 |
| Nexus Dashboard, formerly Application Services Engine | CSCwk70840 |
| Routing and Switching - Enterprise and Service Provider | |
| ASR 5000 Series Routers | CSCwk70831 |
| Catalyst SD-WAN Controller, formerly SD-WAN vSmart | CSCwk70854 |
| Catalyst SD-WAN Manager, formerly SD-WAN vManage | CSCwk70854 |
| Catalyst SD-WAN Validator, formerly SD-WAN vBond | CSCwk70854 |
| GGSN Gateway GPRS Support Node | CSCwk70831 |
| IOS XE Software | CSCwk70852 |
| IOS XR | CSCwk70236 |
| IOx Fog Director | CSCwk70851 |
| MDS 9000 Series Multilayer Switches | CSCwk70837 |
| Nexus 3000 Series Switches | CSCwk70839 |
| Nexus 7000 Series Switches | CSCwk70838 |
| Nexus 9000 Series Switches in standalone NX-OS mode | CSCwk70839 |
| PGW Packet Data Network Gateway | CSCwk70831 |
| SD-WAN vEdge Routers | CSCwk70854 |
| System Architecture Evolution (SAE) Gateway | CSCwk70831 |
| Ultra Packet Core | CSCwk70831 |
| Unified Computing | |
| UCS Central Software | CSCwk71967 |
| UCS Manager | CSCwk70842 |
Several Cisco products are confirmed not to be affected, including certain wireless access points, DNA Spaces Connector, and UCS B-Series Blade Servers.
Cisco recommends the following measures to protect against this vulnerability:
- Use TLS or DTLS Encryption: Configure RADIUS clients and servers to use RADIUS over TLS (TCP) or RADIUS over DTLS (UDP) so that responses cannot be forged in transit.
- Network Isolation: Isolate RADIUS resources from untrusted sources using secure VPN tunnels and network segmentation.
- Software Updates: Regularly check for and apply software updates and patches.
There are no workarounds available for this vulnerability. Cisco urges network administrators to review their RADIUS configurations and apply recommended mitigations promptly.
Cisco's Product Security Incident Response Team (PSIRT) is actively investigating the impact on its product line and has acknowledged the existence of proof-of-concept exploit code. However, there are no reports of malicious exploitation in the wild as of now.