HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: HPESBNW04662
CVE: CVE-2024-3596
Publication Date: 2024-Jul-09
Last Updated: 2025-Jan-22
Status: Investigating
Severity: Critical
Revision: 6

Title
=====
RADIUS Protocol Susceptible to Forgery Attacks

Overview
========
A vulnerability in the RADIUS protocol may allow attackers to access
sensitive network resources without authentication.

Affected Products
=================
HPE Aruba Networking

- EdgeConnect SD-WAN Gateway
  - All supported software releases (as of the publication date of this
    Security Advisory)
  - Please see the workaround section for mitigation advice
- EdgeConnect SD-WAN Orchestrator
  - All supported software releases (as of the publication date of this
    Security Advisory)
  - Please see the workaround section for mitigation advice
- Switches running AOS-CX
  - All supported software releases (as of the publication date of this
    Security Advisory)
  - Please see the workaround section for mitigation advice
- WLAN Gateways and SD-WAN Gateways running AOS-10
  - AOS-10.6.0.2 and below
  - AOS-10.4.1.3 and below
- Mobility Controllers running AOS-8
  - AOS-8.12.0.1 and below
  - AOS-8.10.0.13 and below
- Access Points running Instant AOS-8 and AOS-10
  - All supported software releases (as of the publication date of this
    Security Advisory)
  - Please see the workaround section for mitigation advice
- AirWave Management Platform
  - 8.3.0.2 and below
- ClearPass Policy Manager
  - 6.12.1 and below
  - 6.11.8 and below
- Aruba Fabric Composer
  - 7.1.0 and below
- HPE Networking Instant On
  - Switch series 1930 and 1960 running firmware version 3.0.0.0 and below
    in local mode (cloud mode not vulnerable) using the following
    authentication methods:
    - AAA authentication
    - MAC based authentication+
  - Access Points running firmware version 3.0.0.0 and below

Product versions that are end of life are affected by this vulnerability unless
otherwise indicated. This advisory will be updated as further information
becomes available.

Unaffected Products
===================
All other HPE Aruba Networking products that are not listed above are not
affected by this vulnerability.

Details
=======
RADIUS protocol susceptible to forgery attacks (CVE-2024-3596)
--------------------------------------------------------------
A forgery attack has been discovered against the Response Authenticator in
RADIUS/UDP as specified in RFC 2865. The attack allows a man-in-the-middle to
forge a valid Access-Accept response to a client request that the RADIUS
server initially rejected, thereby granting unauthorized network access.

The vulnerability exploits a chosen-prefix collision attack on MD5: the
attacker manipulates the first byte and the packet attributes of the
Access-Reject message so that its Response Authenticator matches that of a
forged Access-Accept message. The attack requires appending a small amount of
collision-block gibberish to the Access-Request, which is encapsulated in
Proxy-State attributes and processed by the server, ensuring that the computed
Response Authenticator matches for both the legitimate Access-Reject and the
forged Access-Accept.

The attacker must have man-in-the-middle access between the RADIUS client and
server and the ability to trigger an Access-Request. By predicting the
Access-Reject response and computing an MD5 chosen-prefix collision (within
5 to 6 minutes, potentially faster with more resources), the attacker can
modify the client request, remove any Message-Authenticator attributes if PAP
authentication is used, and forge an Access-Accept response by copying the
Response Authenticator from the Access-Reject response. When this modified
response is sent to the client, it grants the attacker unauthorized access to
resources authenticated/authorized via RADIUS.
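The defence this advisory recommends is making the Message-Authenticator mandatory. The following added Python example (not HPE's code) shows why: it computes the unkeyed MD5 Response Authenticator of RFC 2865, which the forgery targets, beside the secret-keyed HMAC-MD5 Message-Authenticator of RFC 2869, and a client-side verifier that rejects a response carrying only the former. The shared secret and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the advisory): a shared secret and a fixed
# 16-byte Request Authenticator that the client would have sent in its Access-Request.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
ACCESS_ACCEPT = 2
MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 section 5.14


def encode_attr(atype, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_response(code, ident, request_auth, attrs, secret, with_msg_auth):
    """Build a RADIUS response, optionally carrying an HMAC-MD5 Message-Authenticator."""
    if with_msg_auth:
        attrs += encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, filled below
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if with_msg_auth:
        # HMAC-MD5 keyed with the secret over the packet with the Request Authenticator
        # in the authenticator field and the Message-Authenticator value zeroed.
        mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:-16] + mac
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret),
    # RFC 2865 section 3. This unkeyed hash is what the collision attack targets.
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(pkt, request_auth, secret):
    """Client-side check: a valid Response Authenticator alone is not enough; the
    response must also carry a Message-Authenticator that verifies under the secret."""
    header, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    if hashlib.md5(header + request_auth + attrs + secret).digest() != resp_auth:
        return False
    off = 0
    while off < len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2:
            return False  # malformed attribute length
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = attrs[:off + 2] + bytes(16) + attrs[off + 18:]
            mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, attrs[off + 2:off + 18])
        off += alen
    return False  # no Message-Authenticator present: treat the response as unauthenticated
```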
Internal References: ATLWL-473, ATLCP-274, ATLAX-81, ATLAW-201, ATLSP-112,
ATLSP-113, ATLWL-519
Severity: Critical
CVSSv3.x Overall Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Discovery: This vulnerability was discovered and reported by Sharon Goldberg,
Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and
Adam Suhl.

Resolution
==========
This vulnerability is fixed in the following HPE Aruba Networking products'
software releases:

- AirWave Management Platform
  - 8.3.0.3 and above
- ClearPass Policy Manager
  - 6.12.2 and above
  - 6.11.9 and above
  - In addition, the following steps need to be taken to enable the RADIUS
    Message-Authenticator requirement on ClearPass. Navigate to
    Administration > Server Manager > Server Configuration and select each
    server individually to enable Message-Authenticator support. On the server
    screen, open the "Service Parameters" tab and select the "Radius server"
    service. Under the Security header, set the parameters:
      Require Message-Authenticator from NAD = yes
      Require Message-Authenticator from Proxy Server = yes
    Save the changes. This restarts the service with the requirement that the
    Message-Authenticator be transmitted; otherwise the request will not be
    processed.
- Switches running AOS-CX
  - 10.14.1010 and above
  - 10.13.1040 and above
  - 10.10.1140 and above
- WLAN Gateways and SD-WAN Gateways running AOS-10
  - AOS-10.6.0.3 and above
  - AOS-10.4.1.4 and above
- Mobility Controllers running AOS-8
  - AOS-8.12.0.2 and above
  - AOS-8.10.0.14 and above
- Aruba Fabric Composer
  - 7.1.1 and above
- EdgeConnect SD-WAN Orchestrator
  - Use the following link to find instructions for addressing CVE-2024-3596:
    https://www.arubanetworks.com/techdocs/sdwan-PDFs/docs/advisories/orch_resolution_to_cve-2024-3596_latest.pdf
- HPE Networking Instant On
  - Switch series 1930 and 1960: firmware version 3.1.0 for local mode
  - Access Points: upgrade firmware to version 3.1.0 and use the option
    "Require RADIUS Message-Authenticator" if using an external guest portal.

Software updates fixing this vulnerability in the other affected products are
forthcoming. This advisory will be updated as details on the respective
products' software versions containing the fix become available.

For more information about the HPE Aruba Networking products End of Support
policy visit: https://networkingsupport.hpe.com/end-of-life

Final Resolution Pending
========================
HPE Aruba Networking

- EdgeConnect SD-WAN Gateway
- Aruba Access Points running Instant AOS-8 and AOS-10

These products are pending resolution. This advisory will be updated as more
information becomes available. See the workaround section in this document
for mitigation information.

Workaround
==========
Network Operators who rely on the RADIUS protocol for device and/or user
authentication should update their software and configuration to a secure
form of the protocol for both clients and servers. Where available, using
EAP-TLS (assuming Message-Authenticator is properly configured on the RADIUS
server) or RadSec will mitigate the vulnerability. This workaround applies to
all products.
In instances where product upgrades are not available, network isolation and
secure VPN tunnel communications should be enforced for the RADIUS protocol to
restrict access to these network resources from untrusted sources.

For assistance in implementing EAP-TLS or RadSec on individual products,
contact HPE Services – Aruba Networking.

Exploitation and Public Discussion
==================================
The original research paper this vulnerability is based on is accessible at
https://www.blastradius.fail/pdf/radius.pdf

Additionally, the IETF is working towards deprecating certain options in
RADIUS. More information is accessible at
https://datatracker.ietf.org/doc/html/draft-ietf-radext-deprecating-radius-01

Revision History
================
Revision 1 / 2024-Jul-09 / Initial release
Revision 2 / 2024-Jul-12 / Improvements to the Workaround, Affected Products,
                           and Resolution Sections; Added Unaffected Products
Revision 3 / 2024-Aug-30 / Added AFC to Affected Products and Resolution
                           Sections
Revision 4 / 2024-Oct-09 / Added Reference for Orchestrator in Resolution
Revision 5 / 2024-Oct-09 / Minor formatting updates
Revision 6 / 2025-Jan-22 / Added HPE Networking Instant On to Affected
                           Products and Resolution Sections

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP
encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2025 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given at the
top of the text, provided that the redistributed copies are complete and
unmodified, including all data and version information.