Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

about CVE-2024-3596

  • 1.  about CVE-2024-3596

    Posted Jul 29, 2024 02:41 AM

    Hi All

    The ArubaOS 8 fix is estimated for release in mid-September.

    I think that is too long, and the risk level is critical!

    I see that the workaround is to enable RadSec, but I don't know this part very well.

    Do you have any suggestions on how to handle this?

    Thanks.



  • 2.  RE: about CVE-2024-3596

    Posted Jul 30, 2024 09:06 AM

    From the Aruba bulletin:

    Workaround
    ==========
    Network Operators who rely on the RADIUS protocol for device and/or
    user authentication should update their software and configuration
    to a secure form of the protocol for both clients and servers.
    Where available, using EAP-TLS (assuming Message-Authenticator is
    properly configured on the RADIUS server) or RadSec will mitigate the
    vulnerability. This work around applies to all products.

    In instances where product upgrades are not available,
    network isolation and secure VPN tunnel communications should
    be enforced for the RADIUS protocol to restrict access to these
    network resources from untrusted sources.
    

    RADIUS with the fix is still unencrypted and uses weak cryptography. It has for years already been a (my) recommendation to run RADIUS only over trusted networks to which an attacker does not have access. This attack requires a man-in-the-middle, which means someone has to sit in the middle of the RADIUS traffic between the network device and the RADIUS server, and that is a situation I would not like to be in for the reasons mentioned above.

    I would work with your Aruba partner and/or local Aruba SE to discuss the situation and find the best way forward, where abandoning (cleartext) RADIUS may be one of the scenarios to explore.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
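The bulletin quoted above hinges on one detail: the fix for CVE-2024-3596 makes the client require a Message-Authenticator attribute (RFC 2869, type 80, an HMAC-MD5 keyed with the shared secret) on Access-Accept/Reject/Challenge packets, instead of trusting only the Response Authenticator (a plain MD5 over the packet and the secret, which is what the collision attack targets). The following Python script is an added example, not code from the thread or from HPE Aruba; it builds RADIUS responses with and without Message-Authenticator and shows what a client with `require_msg_auth=True` accepts or rejects. The shared secret, identifier, Request Authenticator and User-Name are constructed sample values. It does not reproduce the MD5 collision itself; it only demonstrates the check that the fix adds.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2869
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attrs(attrs):
    """Serialise [(type, value), ...] as RADIUS TLVs (type, length, value)."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def parse_attrs(body):
    """Parse RADIUS TLVs; raise on a malformed length so truncation is never silently accepted."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def build_response(code, ident, request_auth, attrs, secret, with_msg_auth):
    """Build an Access-Accept/Reject as a RADIUS server would.

    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)  (RFC 2865 3)
    Message-Authenticator  = HMAC-MD5(secret, packet with RequestAuth in the
                             Authenticator field and the M-A value zeroed)  (RFC 2869 5.14)
    """
    if with_msg_auth:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]  # placeholder, filled below
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_msg_auth:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac  # M-A is the last attribute, so its value is the final 16 bytes
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret, require_msg_auth):
    """Client-side check of a RADIUS response.

    require_msg_auth=False mirrors the pre-fix behaviour (Response Authenticator only);
    require_msg_auth=True mirrors the patched behaviour (Message-Authenticator mandatory).
    """
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    resp_auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False  # wrong secret, wrong request, or tampered packet (absent an MD5 collision)
    try:
        attrs = parse_attrs(body)
    except ValueError:
        return False
    msg_auths = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not msg_auths:
        return not require_msg_auth  # this is the line the fix changes: no M-A, no trust
    if len(msg_auths) != 1 or len(msg_auths[0]) != 16:
        return False
    # Re-serialise with the M-A value zeroed and recompute the keyed HMAC.
    zeroed = encode_attrs(
        [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    )
    mac = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, msg_auths[0])


# Constructed sample values (not from any real deployment).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # would be 16 random bytes in a real Access-Request
IDENT = 7
ATTRS = [(ATTR_USER_NAME, b"alice")]


def demo():
    """Return (accepted_with_ma, legacy_accepts_without_ma, patched_rejects_without_ma, tamper_rejected)."""
    with_ma = build_response(ACCESS_ACCEPT, IDENT, REQUEST_AUTH, ATTRS, SECRET, True)
    without_ma = build_response(ACCESS_ACCEPT, IDENT, REQUEST_AUTH, ATTRS, SECRET, False)
    # A Reject whose Code byte is flipped to Accept: the naive tamper the MD5 collision is needed to hide.
    reject = build_response(ACCESS_REJECT, IDENT, REQUEST_AUTH, ATTRS, SECRET, False)
    flipped = bytes([ACCESS_ACCEPT]) + reject[1:]
    return (
        verify_response(with_ma, REQUEST_AUTH, SECRET, True),
        verify_response(without_ma, REQUEST_AUTH, SECRET, False),
        not verify_response(without_ma, REQUEST_AUTH, SECRET, True),
        not verify_response(flipped, REQUEST_AUTH, SECRET, False),
    )


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

The point to take from `verify_response` is the third result: a patched client treats a response without Message-Authenticator as unauthenticated, so a RADIUS server (ClearPass or any other) that does not emit the attribute on every Access-Accept/Reject/Challenge will fail authentication once the client side is upgraded. Check the server setting before rolling out the fixed controller or switch code, and note that this keeps the response integrity-protected but, as the reply above says, still leaves the packet unencrypted; RadSec (RADIUS over TLS) is what addresses the confidentiality and on-path exposure.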