G_W_Albrecht
Legend

Thales Mandatory Security Update - STA RADIUS Server to Enforce Message-Authenticator by July 31, 20

Customers and partners of Thales have recently received the following notice:

Following the discovery of the RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS – CVE-2024-3596), the industry is moving towards stricter enforcement of the Message-Authenticator attribute (RADIUS Attribute 80) to ensure the integrity and authenticity of authentication packets.

In alignment with this, Thales will upgrade the STA RADIUS server to include the Message-Authenticator attribute in all RADIUS responses and challenges.
Details for CP products are found in sk182516: Check Point Response to CVE-2024-3596 - Blast-RADIUS attack
Still, there might be an issue during communication; see sk183244: RADIUS authentication fails after installing Jumbo Hotfix Accumulator

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
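The enforcement the notice describes, a server that puts Message-Authenticator (attribute 80) into every response and a client that refuses any response without a valid one, as an added Python example. This is not Thales' STA code and not Check Point's; it follows the RFC 2865 / RFC 3579 packet layout, and the shared secret, the Reply-Message attribute and the three sample packets are constructed for the demo. The function names `build_response` and `verify_response` are choices made here.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes (RFC 2865) and the attribute this thread is about (RFC 2869 / RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
MESSAGE_AUTHENTICATOR = 80
REPLY_MESSAGE = 18


def encode_attrs(attrs):
    """Serialize [(type, value)] as RADIUS TLVs (length byte covers the 2-byte header)."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(blob):
    """Parse RADIUS TLVs, refusing truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        t, l = blob[i], blob[i + 1]
        attrs.append((t, blob[i + 2:i + l]))
        i += l
    return attrs


def build_response(code, ident, request_auth, attrs, secret, include_ma=True):
    """Server side: build an Access-Accept/Reject/Challenge. With include_ma=True this
    is the behaviour the notice announces: every response carries attribute 80."""
    attrs = list(attrs)
    if include_ma:
        attrs.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", code, ident, 20 + len(encode_attrs(attrs)))
    if include_ma:
        # RFC 3579 s3.2: HMAC-MD5(secret) over Code|ID|Length|RequestAuth|Attributes,
        # with the Message-Authenticator value zeroed while computing.
        mac = hmac.new(secret, header + request_auth + encode_attrs(attrs), hashlib.md5).digest()
        attrs[-1] = (MESSAGE_AUTHENTICATOR, mac)
    body = encode_attrs(attrs)
    # RFC 2865 s3: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_auth, secret):
    """Client side with strict enforcement: accept only if the response carries exactly one
    well-formed Message-Authenticator that verifies, plus a valid Response Authenticator."""
    if len(packet) < 20:
        return False, "short packet"
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!BBH", header)[2] != len(packet):
        return False, "length mismatch"
    try:
        attrs = parse_attrs(body)
    except ValueError as e:
        return False, str(e)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False, "Message-Authenticator missing or malformed"
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected_mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected_mac, macs[0]):
        return False, "Message-Authenticator invalid"
    expected_auth = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected_auth, response_auth):
        return False, "Response Authenticator invalid"
    return True, "ok"


def demo():
    """Constructed traffic: one compliant response, one legacy response without attribute 80,
    and one response whose Code byte was changed in transit."""
    secret = b"constructed-shared-secret"  # constructed value, demo only
    request_auth = os.urandom(16)            # the Request Authenticator the client sent
    attrs = [(REPLY_MESSAGE, b"Welcome")]
    compliant = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    legacy = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret, include_ma=False)
    altered = bytes([ACCESS_ACCEPT]) + build_response(ACCESS_REJECT, 7, request_auth, attrs, secret)[1:]
    return {
        "compliant": verify_response(compliant, request_auth, secret),
        "legacy": verify_response(legacy, request_auth, secret),
        "altered": verify_response(altered, request_auth, secret),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} accepted={ok} ({reason})")
```

The "legacy" case is the one to watch for operationally: once a client enforces attribute 80, a server that has not been upgraded to send it is rejected with "missing or malformed" even though its Response Authenticator is fine, which is the kind of interoperability failure to check for before turning enforcement on in production.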
2 Replies
Martin_Valenta
Advisor

Can anyone from CP say how it will be with Gaia Embedded?

0 Kudos
G_W_Albrecht
Legend

Done in sk182516:

For versions that do not contain the hotfix yet, or if you choose not to upgrade, follow one of these mitigations:

  • Use other, more secure authentication protocols, such as SAML or LDAPS.
    or
  • If RADIUS authentication is still required, then as a best practice:
    1. The RADIUS server should be on an isolated internal network with Anti-Spoofing enabled.
    2. Follow the "Solution" steps in sk42184 to ignore the RADIUS attribute 80.
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos