topic Re: Thales Mandatory Security Update - STA RADIUS Server to Enforce Message-Authenticator by July 31 in General Topics

Thales Mandatory Security Update - STA RADIUS Server to Enforce Message-Authenticator by July 31, 20

G_W_Albrecht — Wed, 04 Jun 2025 13:12:59 GMT

Customers and Partners for Thales have received the following notice recently:

Following the discovery of the RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS – CVE-2024-3596), the industry is moving towards stricter enforcement of the Message-Authenticator attribute (RADIUS Attribute 80) to ensure the integrity and authenticity of authentication packets.

In alignment with this, Thales will upgrade the STA RADIUS server to include the Message-Authenticator attribute in all RADIUS responses and challenges.

Details for CP products are found in sk182516: Check Point Response to CVE-2024-3596 - Blast-RADIUS attack

Still, there might be an issue during communication, see sk183244: RADIUS authentication fails after installing Jumbo Hotfix Accumulator

Re: Thales Mandatory Security Update - STA RADIUS Server to Enforce Message-Authenticator by July 31

Martin_Valenta — Thu, 05 Jun 2025 09:53:19 GMT

anyone from CP can say how it will be with Gaia Embedded ?

Re: Thales Mandatory Security Update - STA RADIUS Server to Enforce Message-Authenticator by July 31

G_W_Albrecht — Tue, 10 Jun 2025 07:17:25 GMT

Done in sk182516:

For versions that do not contain the hotfix yet, or if you choose not to upgrade, follow one of these mitigations:

Use other and more secured authentication protocols, such as SAML or LDAPS.
or
If RADIUS authentication is still required, then as a best practice:
1. The RADIUS server should be on an isolated internal network with Anti-Spoofing enabled.
2. Follow the "Solution" steps in sk42184 to ignore the RADIUS attribute 80.