This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alex-
MVP Silver
MVP Silver
‎2024-07-09 12:38 PM
Jump to solution

Blast-RADIUS - CVE-2024-3596

https://www.blastradius.fail/

 

Blast-RADIUS is a vulnerability that affects the RADIUS protocol. RADIUS is a very common protocol used for authentication, authorization, and accounting (AAA) for networked devices on enterprise and telecommunication networks.

What can the attacker do?

The Blast-RADIUS attack allows a man-in-the-middle attacker between the RADIUS client and server to forge a valid protocol accept message in response to a failed authentication request. This forgery could give the attacker access to network devices and services without the attacker guessing or brute forcing passwords or shared secrets. The attacker does not learn user credentials.

Who is affected?

Blast-RADIUS is a protocol vulnerability, and thus affects all RADIUS implementations using non-EAP authentication methods over UDP.

System administrators of networks using RADIUS should check with vendors for a patch against this vulnerability, and follow best practices for RADIUS configuration as discussed below. There is nothing that end users can do on their own to protect against this attack.

RADIUS is used in a wide variety of applications, including in enterprise networks to authenticate access to switches and other routing infrastructure, for VPN access, by ISPs for DSL and FTTH (Fiber to the Home), in 802.1X and Wi-Fi authentication, 2G and 3G cellular roaming and 5G DNN (Data Network Name) authentication, mobile Wi-Fi offload with SIM card-based authentication, private APN authentication, to authenticate access to critical infrastructure, and in the Eduroam and OpenRoaming wifi consortia.

What is the vulnerability?

The RADIUS protocol predates modern cryptographic guarantees and is typically unencrypted and unauthenticated. However, the protocol does attempt to authenticate server responses using an ad hoc construction based on the MD5 hash function and a fixed shared secret between a client and server.

Our attack combines a novel protocol vulnerability with an MD5 chosen-prefix collision attack and several new speed and space improvements. The attacker injects a malicious attribute into a request that causes a collision between the authentication information in the valid server response and the attacker’s desired forgery. This allows the attacker to turn a reject into an accept, and add arbitrary protocol attributes.

98 Replies
tjoll
Participant
Participant
‎2024-08-16 04:21 AM
In response to BeardedKeyboard
Jump to solution

No update because our ticket is closed. We've upgraded the environment to take 65 and installed the custom hotfix. I would suggest to open a case yourself and ask for a portfix. I'm also missing the fix in the upcoming JHF release.

0 Kudos
gg_fga
Contributor
‎2024-07-26 06:46 AM
In response to PhoneBoy
Jump to solution

@Amir_Ayalon 

Can Spark appliance users also get the same support as others?
Is a fix also planned for version R81.10.10?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-26 11:09 AM
In response to gg_fga
Jump to solution

I assume we will also roll out fixes for Quantum Spark as well.

0 Kudos
StefanM
Explorer
‎2024-08-26 05:39 AM
In response to gg_fga
Jump to solution

Any news for R81.10?

 

(1)
User88083582
Participant
‎2024-09-15 02:01 PM
In response to StefanM
Jump to solution

R81.10.15 is out.

https://support.checkpoint.com/results/sk/sk182438

this version already contains: "VPN Remote Access - RADIUS attribute to be ignored." and is set to ignore attribute 80

tested and works with fully updated NPS server.

0 Kudos
EY
Contributor
‎2024-10-22 06:26 PM
Jump to solution

I am uncertain whether R81.20 Take 89 fixes this issue for VPN connections, without ignoring attribute 80.  The release notes state "Resolved CVE-2024-3596 - Blast-RADIUS attacks for Gaia Portal and Gaia Clish", but nothing in regards to VPN.

The official SK (Check Point response to CVE-2024-3596 - Blast-RADIUS attack) is also lagging on updates.

0 Kudos
GHaider
Contributor
‎2024-10-22 11:05 PM
In response to EY
Jump to solution

nope, upgraded my gateways to JHF 89, tried to revert the attribute 80 to the default 0 value, vpn login with radius DID NOT work for me! (but i did not have my managment on JHF 89, when doing the test, must try again when all is on JHF 89)

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-23 06:02 AM
In response to EY
Jump to solution

There's a few places where the effects of Blast RADIUS need to be fixed.
One of them is in Gaia OS itself (specifically for access to Gaia Portal and clish).
Why Remote Access VPN is not explicitly listed in this SK, I cannot say, but I believe it would correspond to Identity Awareness.
In any case, I'll see if we can get this explicitly mentioned in the SK.

PhoneBoy
Admin
Admin
‎2024-11-12 12:44 PM
Jump to solution

R81.20 JHF 90 now supports Message Authenticator attributes in communication with RADIUS servers for all use cases (Gaia OS, Identity Awareness Portal, SmartConsole, Mobile Access Portal, Remote Access).
I assume similar fixes are also coming for other releases (R81, R81.10, and R82).

https://support.checkpoint.com/results/sk/sk182516 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events