Date: July 9, 2024
Revision | Date | Changes |
---|---|---|
1.0 | July 9, 2024 | Initial release |
The CVE-ID tracking this issue: CVE-2024-3596
CVSSv3.1 Base Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H)
Common Weakness Enumeration: CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
This vulnerability is being tracked by BUG960295
Arista Networks is providing this security update in response to the following publicly disclosed security vulnerability related to the RADIUS protocol. This vulnerability is a result of a design flaw in the RADIUS protocol. It allows a skilled attacker who can read and modify RADIUS packets in the network to forge responses from the RADIUS server to the client. In this way the attacker can cause any user to be authenticated and can give almost any authorization to any user. RADIUS over TLS (RadSec) resolves this vulnerability.
Products are generally affected if all of the following are true:
Because this is an issue with the RADIUS protocol itself, all versions of the software, present and future, are affected if they are running the affected configuration. Please consult the section on Required Configuration for Exploitation if products are found which are affected.
The following products are affected by this vulnerability:
All versions, present and future, are affected if they are running the affected configuration (RADIUS without RadSec). RadSec support is available starting from version 4.26.2.
Arista EOS-based products using RADIUS without RadSec:
All versions, present and future, are affected if they are running the affected configuration
(RADIUS without RadSec)
All versions, present and future, are affected if they are running the affected configuration
(RADIUS - RadSec is not available in this product).
All versions, present and future, are affected if they are running the affected configuration
(RADIUS - RadSec is not available in this product).
All versions, present and future, are affected if they are running the affected configuration
(RADIUS - RadSec is not available in this product).
All versions, present and future, are affected if they are running the affected configuration
(RADIUS - RadSec is not available in this product).
Products and configurations are generally unaffected if at least one of the following is true:
The following product versions and platforms are not affected by this vulnerability:
EOS is affected if RADIUS is configured as the authentication or authorization provider without RadSec.
To confirm if this is the case, multiple conditions must be met:
First, EOS is affected if it is configured to use RADIUS for authentication or authorization. The following are examples of configuration where RADIUS is enabled for authentication or authorization:
aaa authentication login <console|default> group radius
aaa authentication login <console|default> group RAD-GRP*
aaa authorization commands all default group radius
aaa authorization exec default group RAD-GRP*
Next, if EOS has the above configuration, it is affected if RadSec is not enabled. The following show command shows a RADIUS server that is not using RadSec:
switch>show radius
RADIUS server : 5.4.3.2, authentication port 1812, accounting port 1813
Messages sent: 0
Messages received: 0
Requests accepted: 0
Requests rejected: 0
Requests timeout: 0
A RADIUS server that is using RadSec will have an SSL profile associated with it, for example:
switch>show radius
RADIUS server : 1.2.3.4, TLS port 2083
SSL profile : foobar
Messages sent: 0
Messages received: 0
Requests accepted: 0
Requests rejected: 0
Requests timeout: 0
In this case, the configuration is not vulnerable since it is using RadSec. The portions that indicate this have been highlighted in yellow.
Wireless AP’s are affected if they are using RADIUS and RadSec is not enabled. In the following screenshots, RadSec is enabled, so the configuration is not vulnerable. If the RadSec boxes are not checked but RADIUS is being used, then it is vulnerable.
In the above screenshot, “RADSEC” is “ON”, so not vulnerable. If the “OFF” circle is selected, then it is vulnerable.
In the above screenshot, the RADSEC box is checked, so it is not vulnerable. If it is unchecked, then it is vulnerable.
DMF and related products are affected if RADIUS is configured as the authentication or authorization provider, for example with this configuration:
analytics-1(config)# radius server host 192.168.17.101 key admin
analytics -1# aaa authentication login default group radius local
CloudVision CUE On-Prem is affected if RADIUS is being used as in the below screenshot.
CloudVision Portal is affected if RADIUS is being used as in the below screenshot.
MOS is affected if RADIUS is configured as the authentication or authorization provider, for example with this configuration:
hostname(config)#radius-server host 192.0.2.1 key 7 15060E1F10232523796166
hostname(config)#aaa authentication login default group radius local
NG Firewall is affected if RADIUS is configured as the authentication or authorization provider, for example if the “Enable RADIUS Connector” box is checked:
Successful exploitation of this vulnerability can allow an attacker to authenticate or give authorization to any user. Any logs that indicate unexpected authentication or authorization can be used as an indicator of compromise.
Mitigation across all of the products is as follows:
Specific configuration for affected products is listed in the following sections:
In EOS versions 4.26.2+, RADIUS over TLS is supported. The workaround is to enable it for each RADIUS server configured using the following configuration:
radius-server host <hostname/IP> tls [ssl-profile <profile-name>]
For more information about configuring RADIUS over TLS on EOS see EOS 4.26.2F TOI: RADIUS over TLS
In EOS versions before 4.26.2, RadSec is not supported. Please review the above mitigations for alternative options.
Please see Enable RadSec for information on how to configure RadSec for WiFi AP’s.
DMF and related products do not support RadSec. Please review the above mitigations for alternative options.
For more information about TACACS+ in Arista DMF products see DANZ Monitoring Fabric Deployment Guide.
CloudVision CUE On-Prem does not support RadSec. Please review the above mitigations for alternative options.
CloudVision Portal On-Prem does not support RadSec. Please review the above mitigations for alternative options.
MOS does not support RadSec. Please review the above mitigations for alternative options.
NGFW does not support RadSec. Please review the above mitigations for alternative options. Alternate methods for directory connector can be found here: <https://wiki.edge.arista.com/index.php?title=Directory_Connector>
This is a protocol level issue and there will be no fixes available for affected products. Please review the mitigation section for solutions.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
Contact information needed to open a new service request may be found at: