Blast-RADIUS is a vulnerability that affects the RADIUS protocol (CVE-2024-3596)

Products: Brocade Fabric OS (and 2 more products)
25028
24 September 2024
24 September 2024
Status: CLOSED
Severity: MEDIUM
Score: 6.5
CVE: CVE-2024-3596
Brocade Security Advisory ID: BSA-2024-2632
Component: RADIUS Protocol


Summary

A vulnerability in the verification of RADIUS Responses received from a RADIUS server has been disclosed by a team of researchers from UC San Diego and their partners. An attacker positioned on the network path over which RADIUS is transmitted can spoof a UDP-based RADIUS Response packet, turning any valid Response (Access-Accept, Access-Reject, or Access-Challenge) into any other response with almost any content, completely under the attacker's control. The weakness is in the Response Authenticator, an MD5 digest that the attack defeats with an MD5 chosen-prefix collision, so the forgery does not require knowledge of the shared secret. It applies to non-EAP authentication methods carried over UDP (PAP, CHAP, MS-CHAPv2); EAP-based methods carry a Message-Authenticator attribute (a keyed HMAC) that the forged packet cannot satisfy, and RADIUS over TLS or DTLS is not exposed to the spoofing.

For additional information regarding this vulnerability, please see https://blastradius.fail.
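The following is an added example, not code from Brocade, the researchers, or any RADIUS implementation. It builds toy RADIUS packets in-process (no network, constructed shared secret and user name, a fixed Request Authenticator) and contrasts the two checks a RADIUS client can apply to a response: the RFC 2865 Response Authenticator (unkeyed MD5 with the secret appended, the value the attack collides) and the RFC 2869/3579 Message-Authenticator (HMAC-MD5 keyed with the secret). It also shows how an attacker-supplied Proxy-State attribute is echoed verbatim into the server's response, which is the attacker-controlled region inside the MD5 input that the collision exploits. The "forged" Access-Accept is a stand-in for the attack's outcome: the real attack reaches a valid Response Authenticator via the collision without the secret; here the secret is used only to model that result.

```python
"""RADIUS Response Authenticator (MD5) vs Message-Authenticator (HMAC-MD5).

Toy client and server in one file. All packets, the shared secret and the
user name are constructed for this example; nothing touches the network.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RFC 2865 codes
ATTR_USER_NAME, ATTR_PROXY_STATE, ATTR_MESSAGE_AUTHENTICATOR = 1, 33, 80


def encode_attrs(attrs):
    # RADIUS attribute TLV: Type(1) Length(1, includes the 2-byte header) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, n = data[i], data[i + 1]
        if n < 2 or i + n > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + n]))
        i += n
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, body, secret):
    # RFC 2865 s.3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    # Unkeyed MD5 over attacker-influenced bytes is what Blast-RADIUS collides.
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2869 s.5.14 / RFC 3579 s.3.2: HMAC-MD5 keyed with the secret over the
    # packet with the Request Authenticator in the header and this attribute zeroed.
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()


def server_respond(request, secret, code, include_ma=False):
    """Answer `request` with `code`; Proxy-State is echoed back as RFC 2865 s.5.33 requires."""
    ident, request_auth = request[1], request[4:20]
    attrs = [a for a in decode_attrs(request[20:]) if a[0] == ATTR_PROXY_STATE]
    if include_ma:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                     message_authenticator(code, ident, request_auth, attrs, secret))
    body = encode_attrs(attrs)
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, body, secret), attrs)


def client_verify(response, request_auth, secret, require_ma):
    """Return True if the NAS should trust `response` to its outstanding request."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    body = response[20:]
    if not hmac.compare_digest(response[4:20],
                               response_authenticator(code, ident, request_auth, body, secret)):
        return False
    if not require_ma:
        return True                      # PAP/CHAP-style client: the MD5 check is all there is
    try:
        attrs = decode_attrs(body)
    except ValueError:
        return False
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0]) != 16:
        return False                     # missing or duplicated HMAC: reject
    return hmac.compare_digest(mas[0], message_authenticator(code, ident, request_auth, attrs, secret))


def demo():
    secret = b"constructed-shared-secret"      # constructed for this example
    request_auth = bytes(range(16))             # a real NAS picks this at random
    attacker_blob = b"\xAA" * 32                # Proxy-State injected by the on-path attacker
    request = build_packet(ACCESS_REQUEST, 7, request_auth,
                           [(ATTR_USER_NAME, b"alice"), (ATTR_PROXY_STATE, attacker_blob)])
    legit = server_respond(request, secret, ACCESS_REJECT, include_ma=True)
    # Stand-in for the attack's result: an Access-Accept with a verifying Response
    # Authenticator. The real attack gets there by MD5 collision without the secret.
    forged_attrs = [(ATTR_PROXY_STATE, attacker_blob)]
    forged = build_packet(ACCESS_ACCEPT, 7,
                          response_authenticator(ACCESS_ACCEPT, 7, request_auth,
                                                 encode_attrs(forged_attrs), secret),
                          forged_attrs)
    flipped = bytes([ACCESS_ACCEPT]) + legit[1:]   # naive tamper, no collision

    def verdict(pkt):
        return (client_verify(pkt, request_auth, secret, False),
                client_verify(pkt, request_auth, secret, True))

    return {
        "proxy_state_echoed": (ATTR_PROXY_STATE, attacker_blob) in decode_attrs(legit[20:]),
        "legit_reject": verdict(legit),               # accepted by both client policies
        "flipped_to_accept": verdict(flipped),        # MD5 mismatch, rejected by both
        "forged_accept_valid_md5": verdict(forged),   # MD5-only client accepts, MA client rejects
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Each tuple in the result is (MD5-only client, Message-Authenticator-required client). The forged Accept passes the MD5-only client and fails the client that insists on a Message-Authenticator, which is why the EAP-based modes named under Solution are not exposed and why requiring the attribute is the protocol-level fix.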

Products Affected

  • All versions of Brocade Fabric OS configured to use RADIUS without Transport Layer Security (TLS).

  • All versions of Brocade SANnav

Products Confirmed Not Affected

  • Brocade ASCG: [VEX Justification: Component_not_present]

Solution

  • Brocade Fabric OS is not vulnerable when configured to use PEAP-MSCHAPv2, which is a supported TLS channel mode. Brocade Fabric OS is vulnerable when configured to use RADIUS with PAP or CHAP. Brocade recommends that customers configure and use PEAP-MSCHAPv2 when using RADIUS to avoid this vulnerability.
    • Note: The Brocade Fabric OS Administration Guide provides instructions for PEAP-MSCHAPv2 configuration; refer to Appendix A, Setting Up the AAA Server Configuration. Brocade will deprecate CHAP and PAP for RADIUS, and RSA over RADIUS, in upcoming releases.
  • Brocade SANnav is vulnerable when configured to use RADIUS with PAP or CHAP. Brocade recommends using an alternative protocol such as LDAP (preferably LDAP over TLS, since cleartext LDAP exposes credentials to the same on-path attacker).

Revision History

Version   Change                               Date
1.0       Initial Publication                  2024-07-10
2.0       Update on Brocade Fabric OS 10.0     2024-09-23


Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.