-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
===============================

Advisory ID: HPESBNW04662
CVE: CVE-2024-3596
Publication Date: 2024-Jul-09
Last Updated: 2024-Oct-09
Status: Investigating
Severity: Critical
Revision: 5

Title
=====
RADIUS Protocol Susceptible to Forgery Attacks

Overview
========
A vulnerability in the RADIUS protocol may allow an attacker positioned
between a RADIUS client and server to forge an Access-Accept response and
gain access to sensitive network resources without valid credentials.

Affected Products
==============
HPE Aruba Networking
- - EdgeConnect SD-WAN Gateway
  - All supported software releases (as of the publication date of this Security Advisory)
  - Please see the workaround section for mitigation advice
- - EdgeConnect SD-WAN Orchestrator
  - All supported software releases (as of the publication date of this Security Advisory)
  - Please see the workaround section for mitigation advice
- - Switches running AOS-CX
  - All supported software releases (as of the publication date of this Security Advisory)
  - Please see the workaround section for mitigation advice
- - WLAN Gateways and SD-WAN Gateways running AOS-10
  - AOS-10.6.0.2 and below
  - AOS-10.4.1.3 and below
- - Mobility Controllers running AOS-8
  - AOS-8.12.0.1 and below
  - AOS-8.10.0.13 and below
- - Access Points running Instant AOS-8 and AOS-10
  - All supported software releases (as of the publication date of this Security Advisory)
  - Please see the workaround section for mitigation advice
- - AirWave Management Platform
  - 8.3.0.2 and below
- - ClearPass Policy Manager
  - 6.12.1 and below
  - 6.11.8 and below
- - Aruba Fabric Composer
  - 7.1.0 and below

Product versions that are end of life are affected by this vulnerability
unless otherwise indicated. This advisory will be updated as further
information becomes available.

Unaffected Products
===================
All other HPE Aruba Networking products that are not listed above are not
affected by this vulnerability.
Details
=======
RADIUS protocol susceptible to forgery attacks (CVE-2024-3596)
---------------------------------------------------------------------
A forgery attack has been discovered against the Response Authenticator in
RADIUS/UDP as specified in RFC 2865. This attack allows a man-in-the-middle
to forge a valid Access-Accept response to a client request that was
initially rejected by the RADIUS server, thereby granting unauthorized
network access.

The vulnerability exploits a chosen-prefix collision attack on MD5: the
attacker manipulates the first byte (the Code) and the packet attributes of
the Access-Reject message so that its Response Authenticator also matches a
forged Access-Accept message. The attack requires appending a small amount
of collision-block data to the Access-Request. Carried in Proxy-State
attributes, these bytes are processed by the server and echoed unmodified
into its response, ensuring that the computed Response Authenticator
matches for both the legitimate Access-Reject and the forged Access-Accept.

The attacker must have man-in-the-middle access between the RADIUS client
and server and the ability to trigger an Access-Request. By predicting the
Access-Reject response and computing an MD5 chosen-prefix collision (within
5 to 6 minutes, potentially faster with more resources), the attacker can
modify the client request, remove any Message-Authenticator attribute if
PAP authentication is used (the attribute is optional for non-EAP
authentication, so a server that does not require it still processes the
request), and forge an Access-Accept response by copying the Response
Authenticator from the Access-Reject response. This modified response, when
sent to the client, grants the attacker unauthorized access to resources
authenticated/authorized via RADIUS.

Internal References: ATLWL-473, ATLCP-274, ATLAX-81, ATLAW-201, ATLSP-112,
ATLSP-113
Severity: Critical
CVSSv3.x Overall Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Sharon
Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc
Stevens, and Adam Suhl.
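The exchange described above, as an added example that is not part of this advisory and not HPE Aruba or ClearPass code: a minimal Python model of RADIUS/UDP that implements the RFC 2865 Response Authenticator, the RFC 2869 Message-Authenticator and PAP, then performs the two attacker steps (strip Message-Authenticator and smuggle bytes in Proxy-State; copy the Reject's Response Authenticator onto an Accept) against a server with and without the "require Message-Authenticator" setting. The shared secret, the user database and the attacker's Proxy-State bytes are constructed; the example does not compute an MD5 collision, so the forged Accept fails the client's MD5 check here, which is exactly the check a real collision would pass.

```python
# Added example (not HPE Aruba/ClearPass code): minimal RADIUS/UDP model for CVE-2024-3596.
# Secret, user database and attacker bytes are constructed; no MD5 collision is computed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, PROXY_STATE, MESSAGE_AUTHENTICATOR = 1, 2, 33, 80
HDR = struct.Struct("!BBH")            # Code, Identifier, Length; 16-octet Authenticator follows
SECRET = b"constructed-shared-secret"  # assumption: the NAS/server shared secret
USERS = {b"alice": b"correct horse"}   # constructed user database (passwords <= 16 octets)

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HDR.pack(code, ident, 20 + len(body)) + authenticator + body

def parse(pkt):
    code, ident, length = HDR.unpack_from(pkt)
    if length != len(pkt) or length < 20:
        raise ValueError("bad length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def pap_xor(data, secret, req_auth):
    # RFC 2865 5.2, one 16-octet block: password XOR MD5(secret || Request Authenticator)
    key = hashlib.md5(secret + req_auth).digest()
    return bytes(a ^ b for a, b in zip(data.ljust(16, b"\x00"), key))

def response_authenticator(code, ident, req_auth, attrs, secret):
    # RFC 2865 3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret). Plain MD5 over bytes the
    # attacker influences (Proxy-State is echoed) is what the chosen-prefix collision targets.
    return hashlib.md5(build(code, ident, req_auth, attrs) + secret).digest()

def message_authenticator(code, ident, req_auth, attrs, secret):
    # RFC 2869 5.14: HMAC-MD5(secret, packet with the attribute value zeroed); replies hash the
    # Request Authenticator. Keyed, so a MITM cannot recompute it after changing the Code.
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build(code, ident, req_auth, zeroed), hashlib.md5).digest()

def with_message_authenticator(code, ident, req_auth, attrs, secret):
    attrs = [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR] + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, req_auth, attrs, secret))
    return attrs

def client_request(ident, user, password, secret=SECRET, send_ma=True):
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, pap_xor(password, secret, req_auth))]
    if send_ma:
        attrs = with_message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, secret)
    return build(ACCESS_REQUEST, ident, req_auth, attrs)

def server_respond(request, secret=SECRET, require_ma=True):
    """Reply bytes, or None if discarded. require_ma models 'Require Message-Authenticator from NAD'."""
    code, ident, req_auth, attrs = parse(request)
    if code != ACCESS_REQUEST:
        return None
    ma = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if ma and not hmac.compare_digest(ma[0], message_authenticator(code, ident, req_auth, attrs, secret)):
        return None
    if not ma and require_ma:
        return None                                    # a stripped request is never authenticated
    a = dict(attrs)
    pw = pap_xor(a.get(USER_PASSWORD, b""), secret, req_auth).rstrip(b"\x00")
    rcode = ACCESS_ACCEPT if USERS.get(a.get(USER_NAME)) == pw else ACCESS_REJECT
    rattrs = [(t, v) for t, v in attrs if t == PROXY_STATE]   # RFC 2865 5.33: echoed unmodified
    rattrs = with_message_authenticator(rcode, ident, req_auth, rattrs, secret)
    return build(rcode, ident, response_authenticator(rcode, ident, req_auth, rattrs, secret), rattrs)

def client_verify(request, response, secret=SECRET, require_ma=True):
    """True only if the reply is authentic for this request (the NAS-side check)."""
    _, ident, req_auth, _ = parse(request)
    code, rid, resp_auth, attrs = parse(response)
    if rid != ident or not hmac.compare_digest(resp_auth, response_authenticator(code, rid, req_auth, attrs, secret)):
        return False
    ma = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not ma:
        return not require_ma   # legacy clients stop here: a colliding Response Authenticator suffices
    return hmac.compare_digest(ma[0], message_authenticator(code, rid, req_auth, attrs, secret))

def mitm_tamper_request(request, collision_blocks):
    # Attacker step 1: drop Message-Authenticator (PAP, so a legacy server does not insist on it)
    # and carry the collision blocks in Proxy-State, which the server echoes into its reply.
    code, ident, req_auth, attrs = parse(request)
    attrs = [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR] + [(PROXY_STATE, collision_blocks)]
    return build(code, ident, req_auth, attrs)

def mitm_forge_accept(reject):
    # Attacker step 2: reuse the real Access-Reject's Response Authenticator on an Access-Accept.
    # The client's MD5 check passes only if the two packets were made to collide beforehand.
    _, ident, resp_auth, attrs = parse(reject)
    return build(ACCESS_ACCEPT, ident, resp_auth, [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR])
```

Run the model as `server_respond(mitm_tamper_request(client_request(7, b"alice", b"bad"), b"\xde\xad" * 8), require_ma=False)` to see a legacy server answer a request whose Message-Authenticator was stripped, with the attacker's Proxy-State echoed back; with `require_ma=True` (the ClearPass setting in the Resolution section) the same request is dropped before authentication. Note that the server-side setting alone does not protect a NAS that ignores the Message-Authenticator in replies: `client_verify(..., require_ma=False)` accepts any response whose Response Authenticator matches, which is the one check the MD5 collision defeats, so both ends of the exchange need the attribute enforced.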
Resolution
=========
This vulnerability is fixed in the following HPE Aruba Networking products'
software releases:

- - AirWave Management Platform
  - 8.3.0.3 and above
- - ClearPass Policy Manager
  - 6.12.2 and above
  - 6.11.9 and above

  In addition, the following steps need to be taken to enable the RADIUS
  Message-Authenticator on ClearPass:

  Navigate to Administration > Server Manager > Server Configuration and
  select each server individually to enable Message-Authenticator support.
  On the server screen, navigate to the "Service Parameters" tab and select
  the "Radius server" service. Under the Security header, modify the
  parameters:

    Require Message-Authenticator from NAD = yes
    Require Message-Authenticator from Proxy Server = yes

  Save the changes. This restarts the service with the requirement that the
  Message-Authenticator be transmitted; otherwise the request will not be
  processed.
- - Switches running AOS-CX
  - 10.14.1010 and above
  - 10.13.1040 and above
  - 10.10.1140 and above
- - WLAN Gateways and SD-WAN Gateways running AOS-10
  - AOS-10.6.0.3 and above
  - AOS-10.4.1.4 and above
- - Mobility Controllers running AOS-8
  - AOS-8.12.0.2 and above
  - AOS-8.10.0.14 and above
- - Aruba Fabric Composer
  - 7.1.1 and above (estimated available early November 2024)
- - EdgeConnect SD-WAN Orchestrator
  - Use the following link to find instructions for addressing CVE-2024-3596:
    https://www.arubanetworks.com/techdocs/sdwan-PDFs/docs/advisories/orch_resolution_to_cve-2024-3596_latest.pdf

Software updates for this vulnerability fix in the other affected products
are forthcoming. This advisory will be updated as details on the respective
product's software versions with this vulnerability fix become available.
For more information about the HPE Aruba Networking products End of Support
policy visit: https://networkingsupport.hpe.com/end-of-life

Final Resolution Pending
====================
HPE Aruba Networking
- - EdgeConnect SD-WAN Gateway
- - Aruba Access Points running Instant AOS-8 and AOS-10

These products are pending resolution. This advisory will be updated as
more information becomes available. See the workaround section in this
document for mitigation information.

Workaround
==========
Network Operators who rely on the RADIUS protocol for device and/or user
authentication should update their software and configuration to a secure
form of the protocol for both clients and servers. Where available, using
EAP-TLS (assuming Message-Authenticator is properly configured on the
RADIUS server) or RadSec (RADIUS over TLS) will mitigate the vulnerability.
This workaround applies to all products.

In instances where product upgrades are not available, network isolation
and secure VPN tunnel communications should be enforced for the RADIUS
protocol to restrict access to these network resources from untrusted
sources.

For assistance in implementing EAP-TLS or RadSec on individual products,
contact HPE Services - Aruba Networking.

Exploitation and Public Discussion
==================================
The original research paper this vulnerability is based on is accessible
at https://www.blastradius.fail/pdf/radius.pdf

Additionally, the IETF is working towards deprecating certain options in
RADIUS.
More information is accessible at
https://datatracker.ietf.org/doc/html/draft-ietf-radext-deprecating-radius-01

Revision History
================
Revision 1 / 2024-Jul-09 / Initial release
Revision 2 / 2024-Jul-12 / Improvements to the Workaround, Affected Products, and Resolution Sections, Added Unaffected Products
Revision 3 / 2024-Aug-30 / Added AFC to Affected Products and Resolution Sections
Revision 4 / 2024-Oct-09 / Added Reference for Orchestrator in Resolution
Revision 5 / 2024-Oct-09 / Minor formatting updates

HPE Aruba Networking SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP. This
advisory may be redistributed freely after the release date given at the
top of the text, provided that the redistributed copies are complete and
unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQHLBAEBCAA1FiEEMErWmuZGsYOCo0+xpjMm7I0cE64FAmcFo6UXHHNlY3VyaXR5
LWFsZXJ0QGhwZS5jb20ACgkQpjMm7I0cE66jXgwAnN5vqYUcjHL3qNmXDlacR4lE
4BBSiSq0L4q/2xnKjm6BpJrbd0DvZ3TK4qbyQ//bpV6CkMGStgvA0eRD/X8gbyKc
VPpOJddYEpB2Kp54Tjypmq3H32KIDeRflzDeLaSUKL8B2quXCAkoCk0H0ZfgcCAd
FYlWih5ptS9RFwirW2TwKyHpd2KIygOo6i7D64m462e3s4P92mJEjInZvjTWMcmu
ww1Xx1WirmE9/U0E8EntYTbPcSLxvj3jRt4ltUg8DeQxxu/haEXv3D8kpPb6xMeC
Z58pFeWO/2i6lJAsgK6fNcFFJdt94JIG0jodfbxoXRbDeQpMEaUwwDYHW7IHolhn
e05Sou5YqQ03CJDM+jDM3S4g1EQ4EM0yTQkk6DVd7PG5X/umhg4PGRyvs9M3rCzI
IEGicli6yB0iW+nLEY7mAqGQlnFRX0W0QCvQksGZzq/L2KdkaurEthI40q7gJunX
7Ik+xyheU7Zqst/3AfGFKSnK2pYHhV8tW9Qa/TK2
=0lql
-----END PGP SIGNATURE-----