This bug has been filed to evaluate the product Identity Services Engine (ISE) against the vulnerability in the RADIUS protocol disclosed on July 7, 2024, known as BlastRADIUS:

CVE-2024-3596 - RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS)

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-radius-spoofing-july-2024-87cCDwZ3
This vulnerability impacts products only when configured to use the RADIUS protocol.
Please see the following document for mitigation techniques: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/222287-blast-radius-cve-2024-3596-protocol-sp.html

As part of the fix for the Blast-RADIUS vulnerability, a new checkbox, 'Message-Authenticator Required On Response,' was added to the External RADIUS Server, RADIUS Token ID store, and Device Profile pages. If the checkbox is selected and the Message-Authenticator attribute is missing from the server response, ISE invalidates the packet and fails the flow. Go to the relevant pages and make sure the correct option for your environment is selected.
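The following Python model, added here as an illustration and not taken from Cisco or the ISE product, shows what a RADIUS client does when 'Message-Authenticator Required On Response' is enforced. It checks the response against the Request Authenticator it sent, then requires and verifies the Message-Authenticator attribute (type 80, HMAC-MD5 keyed with the shared secret, computed over the response with the Request Authenticator in the header and the attribute value zeroed, as specified in RFC 2869), and rejects any response that lacks it. The Response Authenticator alone is a plain MD5 over the packet and the secret, which is the construction Blast-RADIUS targets; the HMAC-based attribute is the check that actually protects the flow. The shared secret, Request Authenticator and Reply-Message contents are constructed sample values; the attribute numbers and hash layouts are the standard ones.

```python
"""Model of a RADIUS client validating an Access-Accept/Reject the way the
ISE 'Message-Authenticator Required On Response' option does. Illustrative
code only; values marked 'constructed' are sample data, not real secrets."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18           # RFC 2865 attribute type
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type, 16-byte HMAC-MD5


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs (length covers type+len)."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(body):
    """Parse the attribute area; raise ValueError on a malformed TLV."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, body[i + 2:i + l]))
        i += l
    return attrs


def build_response(code, ident, request_auth, attrs, secret, include_ma=True):
    """Build a server response (used here only to produce test packets).
    With include_ma, Message-Authenticator is placed first, right after the header."""
    if include_ma:
        attrs = [(MESSAGE_AUTHENTICATOR, bytes(16))] + list(attrs)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if include_ma:
        # HMAC-MD5 over header + Request Authenticator + attrs with the MA value zeroed
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:2] + mac + body[18:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret, require_ma=True):
    """Client-side validation. require_ma=True mirrors the ISE checkbox:
    a response without Message-Authenticator is rejected outright."""
    if len(packet) < 20:
        return (False, "short packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        return (False, "bad length")
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    try:
        attrs = parse_attrs(body)
    except ValueError:
        return (False, "malformed attributes")

    # Step 1: Response Authenticator (MD5-based; necessary but not sufficient).
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return (False, "Response Authenticator mismatch")

    # Step 2: locate Message-Authenticator and verify the HMAC-MD5.
    ma_offset, off = None, 0
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR:
            if len(v) != 16:
                return (False, "bad Message-Authenticator length")
            ma_offset = off + 2
            break
        off += 2 + len(v)
    if ma_offset is None:
        if require_ma:
            return (False, "Message-Authenticator missing")
        return (True, "accepted without Message-Authenticator")
    zeroed = body[:ma_offset] + bytes(16) + body[ma_offset + 16:]
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, body[ma_offset:ma_offset + 16]):
        return (False, "Message-Authenticator mismatch")
    return (True, "ok")


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed sample value
    req_auth = bytes(range(16))                   # constructed Request Authenticator
    attrs = [(REPLY_MESSAGE, b"Welcome")]
    with_ma = build_response(ACCESS_ACCEPT, 7, req_auth, attrs, secret, True)
    without_ma = build_response(ACCESS_ACCEPT, 7, req_auth, attrs, secret, False)
    print("with MA, required:   ", verify_response(with_ma, req_auth, secret, True))
    print("without MA, required:", verify_response(without_ma, req_auth, secret, True))
    print("without MA, optional:", verify_response(without_ma, req_auth, secret, False))
```

The `require_ma=False` branch shows the pre-fix behaviour: a response that passes only the MD5 Response Authenticator check is accepted. Flipping the option to `True` is the client-side equivalent of ticking the ISE checkbox, and it only helps if the peer actually emits the attribute, which is why the mitigation document asks you to confirm the setting per server, token store and device profile.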
Additional details about the vulnerability listed above can be found at http://cve.mitre.org/cve/cve.html

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 3.1 score. The base CVSS score as of the time of evaluation is 8.1: https://tools.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco product.

Additional information on Cisco's security vulnerability policy can be found at the following URL: https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html