Alex-
Leader

Blast-RADIUS - CVE-2024-3596

https://www.blastradius.fail/

Blast-RADIUS is a vulnerability that affects the RADIUS protocol. RADIUS is a very common protocol used for authentication, authorization, and accounting (AAA) for networked devices on enterprise and telecommunication networks.

What can the attacker do?

The Blast-RADIUS attack allows a man-in-the-middle attacker between the RADIUS client and server to forge a valid protocol accept message in response to a failed authentication request. This forgery could give the attacker access to network devices and services without the attacker guessing or brute forcing passwords or shared secrets. The attacker does not learn user credentials.

Who is affected?

Blast-RADIUS is a protocol vulnerability, and thus affects all RADIUS implementations using non-EAP authentication methods over UDP.

System administrators of networks using RADIUS should check with vendors for a patch against this vulnerability, and follow best practices for RADIUS configuration as discussed below. There is nothing that end users can do on their own to protect against this attack.

RADIUS is used in a wide variety of applications, including in enterprise networks to authenticate access to switches and other routing infrastructure, for VPN access, by ISPs for DSL and FTTH (Fiber to the Home), in 802.1X and Wi-Fi authentication, 2G and 3G cellular roaming and 5G DNN (Data Network Name) authentication, mobile Wi-Fi offload with SIM card-based authentication, private APN authentication, to authenticate access to critical infrastructure, and in the Eduroam and OpenRoaming Wi-Fi consortia.

What is the vulnerability?

The RADIUS protocol predates modern cryptographic guarantees and is typically unencrypted and unauthenticated. However, the protocol does attempt to authenticate server responses using an ad hoc construction based on the MD5 hash function and a fixed shared secret between a client and server.

Our attack combines a novel protocol vulnerability with an MD5 chosen-prefix collision attack and several new speed and space improvements. The attacker injects a malicious attribute into a request that causes a collision between the authentication information in the valid server response and the attacker’s desired forgery. This allows the attacker to turn a reject into an accept, and add arbitrary protocol attributes.
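The MD5-based server-response check described above, as an added Python example that is not part of the original post or of blastradius.fail: it builds an Access-Accept/Access-Reject the way a RADIUS server does (RFC 2865 Response Authenticator, optionally an RFC 2869/3579 Message-Authenticator) and shows a client check that can be set to refuse responses protected only by the unkeyed MD5 construction, which is the hardening assumed here. The shared secret, Request Authenticator and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)
SECRET = b"constructed-shared-secret"  # constructed sample value, not a real secret

def build_response(code, ident, req_auth, attrs, secret, with_msg_auth):
    """Build an Access-Accept (2) or Access-Reject (3) the way a RADIUS server does."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if with_msg_auth:
        body += struct.pack("!BB", MSG_AUTH, 18) + b"\x00" * 16  # zero-filled placeholder
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_msg_auth:
        # RFC 3579 3.2: HMAC-MD5 keyed by the secret over Code|ID|Length|RequestAuth|Attrs
        mac = hmac.new(secret, header + req_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    # RFC 2865 3: unkeyed MD5 over Code|ID|Length|RequestAuth|Attrs|Secret, the ad hoc
    # construction that Blast-RADIUS defeats with an MD5 chosen-prefix collision
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(pkt, req_auth, secret, require_msg_auth=True):
    """Client check; require_msg_auth=True refuses responses protected only by MD5."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + req_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    off, mac_off = 0, None
    while off + 2 <= len(body):  # walk the TLV attribute list, find Message-Authenticator
        atype, alen = body[off], body[off + 1]
        if alen < 2 or off + alen > len(body):
            return False
        if atype == MSG_AUTH and alen == 18:
            mac_off = off + 2
        off += alen
    if mac_off is None:
        return not require_msg_auth
    zeroed = body[:mac_off] + b"\x00" * 16 + body[mac_off + 16:]
    mac = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, body[mac_off:mac_off + 16])

def demo():
    """Constructed exchange: one genuine Access-Reject checked in legacy and hardened mode."""
    req_auth = bytes(range(16))  # constructed Request Authenticator of the Access-Request
    reject = build_response(3, 7, req_auth, [(18, b"denied")], SECRET, with_msg_auth=False)
    legacy_ok = verify_response(reject, req_auth, SECRET, require_msg_auth=False)
    hardened_ok = verify_response(reject, req_auth, SECRET)
    return legacy_ok, hardened_ok  # (True, False)
```

A gateway that only checks the Response Authenticator accepts the same reject a hardened client refuses; the hardened mode works only once the server side is configured to emit Message-Authenticator on every response.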

67 Replies
Matt_Taber
Contributor

I found a guide for setting up DUO for Infinity Portal administration, but I'm struggling to find a doc for SmartConsole access. My assumption would be to create a new IDP (which is a new option that I don't recall seeing before in SmartConsole).

I'll do some digging, thank you for this suggestion.

0 Kudos
Duane_Toler
Advisor

You'll set up a new Identity Provider object in SmartConsole and choose the radio button "Managing administrator access". Set up the matching SAML application in Azure/Entra AD, enter the Entity ID and Reply URLs, download the metadata file from Azure, and upload it to the IdP object.

Edit, or create, a management user, change the authentication type to Identity Provider, select the IdP for management access, publish, then test it.

Open SmartConsole, and change the login type to Identity Provider.

0 Kudos
the_rock
Legend

You got it :)

Andy

0 Kudos
PhoneBoy
Admin

There's now an official SK on this: https://support.checkpoint.com/results/sk/sk182516
Basically:

  • Exploiting this CVE requires MITM between the gateway and the RADIUS Server.
  • If you have to use RADIUS instead of changing to a different authentication method, ensure your RADIUS server is deployed on an isolated network with anti-spoofing enabled.
  • We plan fixes for the CVE in upcoming Jumbo Hotfixes.
Duane_Toler
Advisor

Ahhh! That's right, SmartConsole now has an option for SAML/IdP! That's so recent that it slipped my mind.

0 Kudos
PhoneBoy
Admin

Yes as of R81.20 🙂

tavi0906
Participant

In the SK it's mentioned that Check Point plans to provide a fix in the upcoming Jumbo Hotfix Accumulator package for all supported versions.

My questions are:

If we were to take the approach of changing the authentication method for the versions that are not supported, are we still required to install the hotfix?

If we are to install the mentioned hotfix, would it still be required to change the authentication method?

the_rock
Legend

Very good questions indeed @tavi0906

0 Kudos