IronMonkey Threat Research

Schneider Electric Modicon Network Managed Switches

CRITICAL
CVSS 9.0
Date 2026-06-09T06:00:00+00:00
Source cisa-csaf
Published by CISA

// Description

We strongly recommend the following industry cybersecurity best practices.

* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
* Place all controllers in locked cabinets and never leave them in the “Program” mode.
* Never connect programming software to any network other than the network intended for that device.
* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric [Recommended Cybersecurity Best Practices](https://www.se.com/us/en/download/document/7EN52-0390/) document.

// Vulnerabilities (1)

CVE ID CVSS Score Severity Description
CVE-2024-3596 9.0 critical
CVE-2024-3596. Additional information about CVE-2024-3596 can be found here: https://www.cve.org/CVERecord?id=CVE-2024-3596

// Affected Products (348)

Vendor Product Asset Type Purdue Level Firmware
Siemens Unknown network_device -- --
Schneider Electric Unknown network_device -- --
Schneider Electric Unknown plc L1 --
Schneider Electric Unknown plc L1 --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --

// Remediations (88)

Mitigation: Hitachi Energy recommends implementing security practices and firewall configurations to help protect process control networks from external attacks. Such practices include ensuring that process control systems are physically protected from unauthorized access, have no direct Internet connections, and are separated from other networks by a firewall system that minimizes exposed ports, and any additional ports should be evaluated on a case-by-case basis. Process control systems should not be used for web browsing, instant messaging, or email. Portable computers and removable storage media should be thoroughly scanned for malware before being connected to a control system. Organizations should enforce proper password policies and procedures.
Mitigation: The default RADIUS configuration is not vulnerable. However, if the RADIUS Server Message Authenticator option is disabled, the product becomes vulnerable. We advise keeping this parameter in its default (enabled) state. This parameter can be configured via CLI and SNMP. MCSESM*, MCSESP*: CLI: radius server auth modify <index> msgauth; MIB: hm2AgentRadiusServerMsgAuth
Mitigation: The default RADIUS configuration is not vulnerable. However, if the RADIUS Server Message Authenticator option is disabled, the product becomes vulnerable. We advise keeping this parameter in its default (enabled) state. This parameter can be configured via CLI and SNMP. MCSESR*: CLI: radius server auth modify <index> msgauth; MIB: hm2AgentRadiusServerMsgAuth
Mitigation: The default RADIUS configuration is not vulnerable. However, if the RADIUS Server Message Authenticator option is disabled, the product becomes vulnerable. We advise keeping this parameter in its default (enabled) state. This parameter can be configured via CLI and SNMP. TCSESM*: CLI: radius server msgauth; MIB: hmAgentRadiusServerMsgAuth
Patch: Update to V2.50 or later version
Patch: Update to V16.51 or later version
Patch: Update to V2.70 or later version
Patch: Update to V9.83 or later version
Patch: Update to V6.20 or later version
Patch: Update to V2.83 or later version
Patch: Update to V2.20.0 or later version
Patch: Update to V10.0 or later version
Mitigation: Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
Mitigation: Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it
Patch: Update to V4.22 or later version
Patch: Update to V9.68 or later version
Patch: Update to V8.90 or later V8.xx version
Mitigation: Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it
Mitigation: Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
Patch: Update to V5.6 or later version
Patch: Update to V4.6 or later version
Patch: Update to V6.6.0 or later version
Patch: Update to V4.3.11 or later version
Patch: Update to V8.2 or later version
Patch: Update to V3.2 or later version
Patch: Update to V5.10.0 or later version
Patch: Update to V3.2 or later version
Patch: Update to V4.3.11 or later version
Patch: Update to V1.0 SP2 Update 4 or later version
Patch: Update to V4.1.9 or later version
Patch: Update to V1.3 or later version
Patch: Update to V3.0.0 or later version
Patch: Update to V5.10.0 or later version
Patch: Update to V2.17.0 or later version
Patch: Update to V3.2 or later version
Patch: Update to V8.2 or later version
Patch: Update to V6.6.0 or later version
Patch: Update to V4.1.9 or later version
Patch: Update to V3.0.0 or later version
Patch: Update to V4.3.11 or later version
Patch: Update to V1.0 SP2 Update 4 or later version
Mitigation: Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it
Patch: Update to V4.3.11 or later version
Patch: Update to V3.2 or later version
Patch: Update to V5.10.0 or later version
Patch: Update to V1.3 or later version
Patch: Update to V4.6 or later version
Patch: Update to V2.17.0 or later version
Mitigation: Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
Patch: Update to V5.6 or later version
Patch: Update to V1.0 SP2 Update 4 or later version
Patch: Update to V5.10.0 or later version
Patch: Update to V3.2 or later version
Patch: Update to FOX61x R18, then enable the RADIUS Message-Authenticator option in both the FOX61x and RADIUS Server configurations. Refer to the Technical User Documentation at https://publisher.hitachienergy.com/preview?DocumentID=1KHW029042&LanguageCode=en&DocumentPartId=R18&Action=launch.
Mitigation: Enable the RADIUS Message-Authenticator option in both the FOX61x and RADIUS Server configurations. Refer to the Technical User Documentation at https://publisher.hitachienergy.com/preview?DocumentID=1KHW029042&LanguageCode=en&DocumentPartId=R18&Action=launch.
Mitigation: If the upgrade is not possible, apply general mitigation factors with segmentation of FOX management traffic to minimize the risk.
Mitigation: For more information, see the associated Hitachi Energy cybersecurity advisory 8DBD000225 Radius MD5 Vulnerability in Hitachi Energy FOX61x product at https://publisher.hitachienergy.com/preview?DocumentID=8DBD000225&LanguageCode=en or https://publisher.hitachienergy.com/preview?DocumentID=8DBD000225-CSAF&LanguageCode=en&DocumentPartId=&Action=Launch.
Patch: Update to XMC20 R18 and then enable the RADIUS Message-Authenticator option in both the XMC20 and RADIUS server configurations. Refer to the Technical User Documentation at https://publisher.hitachienergy.com/preview?DocumentID=1KHW029001&LanguageCode=en&DocumentPartId=R18&Action=launch.
Mitigation: Hitachi Energy recommends implementing security practices and firewall configurations to help protect process control networks from external attacks. Such practices include ensuring that process control systems are physically protected from unauthorized access, have no direct Internet connections, and are separated from other networks by a firewall system that minimizes exposed ports, and any additional ports should be evaluated on a case-by-case basis. Process control systems should not be used for web browsing, instant messaging, or email. Portable computers and removable storage media should be thoroughly scanned for malware before being connected to a control system. Organizations should enforce proper password policies and procedures.
Mitigation: Enable the RADIUS Message-Authenticator option in both the XMC20 and RADIUS server configurations. Refer to the Technical User Documentation at https://publisher.hitachienergy.com/preview?DocumentID=1KHW029001&LanguageCode=en&DocumentPartId=R18&Action=launch.
Mitigation: If the upgrade is not possible, apply general mitigation factors with segmentation of FOX management traffic to minimize the risk.
Mitigation: For more information, see the associated Hitachi Energy cybersecurity advisory 8DBD000233 RADIUS MD5 Vulnerability in Hitachi Energy XMC20 product available in PDF format here https://publisher.hitachienergy.com/preview?DocumentID=8DBD000233&LanguageCode=en&DocumentPartId=&Action=launch or JSON format here https://publisher.hitachienergy.com/preview?DocumentID=8DBD000233-CSAF&LanguageCode=en&DocumentPartId=&Action=Launch.
Mitigation: For more information, see the associated Hitachi Energy PSIRT security advisory 8DBD000230 RADIUS vulnerability in Hitachi Energy AFS, AFR and AFF series products.
Mitigation: All affected products: Set the RADIUS configuration to default which enables the RADIUS server message authenticator option.
Patch: AFR 677, AFS 650, AFS 655, AFS 670, AFS 675, AFS 677: Command to enable Message Authenticator option: For AFS65x, AFS67x, AFR67x CLI: radius server msgauth MIB: hmAgentRadiusServerMsgAuth
Patch: AFF 660, AFF 665, AFS 660-B/C/S, AFS 665-B/S, AFS 670: Command to enable Message Authenticator option: For AFS66x, AFS670 v2.0, AFF66x CLI: radius server auth modify msgauth MIB: hm2AgentRadiusServerMsgAuth
Mitigation: Hitachi Energy has identified the following recommended immediate actions:
Patch: Update to V2.70 or later version
Patch: Update to V2.83 or later version
Patch: Update to V16.51 or later version
Patch: Update to V9.68 or later version
Patch: Update to V10.0 or later version
Patch: Update to V9.68 or later version
Mitigation: Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
Patch: Update to V2.50 or later version
Patch: Update to V10.0 or later version
Mitigation: Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it
Patch: Update to V6.20 or later version
Patch: Update to V8.90 or later V8.xx version
Patch: Update to V9.83 or later version
Patch: Update to V10.0 or later version
Patch: Update to V2.20.0 or later version
Patch: Update Fortigate NGFW to V7.4.7. Contact customer support to receive patch and update information
Patch: Update Fortigate NGFW to V7.4.7. Contact customer support to receive patch and update information
Patch: Upgrade Palo Alto Networks Virtual NGFW V11.1.4-h1. Contact customer support to receive patch and update information
Mitigation: Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it
Mitigation: Customers can resolve this issue by configuring the in-use SSH profile to contain at least one cipher and at least one MAC algorithm, which removes support for CHACHA20-POLY1305 and all Encrypt-then-MAC algorithms available (ciphers with -etm in the name) in PAN-OS software. See Palo Alto Networks' upstream documentation https://security.paloaltonetworks.com/CVE-2023-48795 for additional guidance.
Mitigation: Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
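
The Message-Authenticator mitigation listed above, shown as the server-side check it implies: an Access-Request is accepted only if it carries exactly one Message-Authenticator attribute (type 80) whose HMAC-MD5 over the packet, computed with that field zeroed, matches under the shared secret. This is an added example, not code from the advisory or any vendor; the function names, the verdict strings, the shared secret and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1               # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 / RFC 3579
HEADER_LEN = 20                  # code, id, length, 16-byte Request Authenticator


def parse_attributes(packet):
    """Return [(type, value_offset, value)]; raise ValueError on a malformed packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, pos + 2, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def check_access_request(packet, secret):
    """Policy check (hypothetical helper): require a valid Message-Authenticator."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return "drop: malformed"
    if packet[0] != ACCESS_REQUEST:
        return "ignore: not an Access-Request"
    found = [(off, val) for a_type, off, val in attrs
             if a_type == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return "drop: missing Message-Authenticator"
    if len(found) != 1 or len(found[0][1]) != 16:
        return "drop: malformed"
    offset, received = found[0]
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = bytearray(packet[:length])
    zeroed[offset:offset + 16] = bytes(16)  # the field is zero while the HMAC is computed
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return "drop: bad Message-Authenticator"
    return "accept"


def build_access_request(ident, req_auth, user, secret, with_msgauth=True):
    """Build a constructed Access-Request for the samples below."""
    attrs = b""
    if with_msgauth:
        attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    attrs += bytes([ATTR_USER_NAME, 2 + len(user)]) + user
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    packet = bytearray(header + req_auth + attrs)
    if with_msgauth:
        # The attribute is first, so its 16-byte value sits at offsets 22..37.
        packet[22:38] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


# Constructed sample data (not captured traffic).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
GOOD = build_access_request(7, REQ_AUTH, b"operator", SECRET)
STRIPPED = build_access_request(7, REQ_AUTH, b"operator", SECRET, with_msgauth=False)

if __name__ == "__main__":
    for name, pkt in (("with attribute", GOOD), ("without attribute", STRIPPED)):
        print(name, "->", check_access_request(pkt, SECRET))
```
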

// References