
SSA-794185: RADIUS Protocol Susceptible to Forgery Attacks (CVE-2024-3596) - Impact to SIPROTEC, SICAM and Related Products

Severity: CRITICAL
CVSS: 9.0
Date: 2026-06-09T00:00:00+00:00
Source: siemens-productcert
Published by: Siemens ProductCERT

// Description

This advisory documents the impact of CVE-2024-3596 (also dubbed "Blastradius"), a vulnerability in the RADIUS protocol, on SIPROTEC, SICAM and related products. The vulnerability could allow on-path attackers, located between a Network Access Server (the RADIUS client, e.g., a SICAM device) and a RADIUS server, to forge Access-Request packets in a way that enables them to modify the corresponding server response packet at will, e.g., turning an "Access-Reject" message into an "Access-Accept". This would cause the Network Access Server to grant the attackers access to the network with the attackers' desired authorization (and without the need to know or guess legitimate access credentials). Further details, including external references, can be found in the chapter "Additional Information".

Siemens has released new versions for several affected products and recommends updating to the latest versions and configuring the updated systems as recommended in the chapter "Additional Information". Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available. See chapter "Additional Information" for details.

// Vulnerabilities (1)

CVE ID: CVE-2024-3596
CVSS Score: 9.0
Severity: critical
Description: RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify Access-Reject or Access-Accept responses using a chosen-prefix collision attack against the MD5 Response Authenticator signature.

// Affected Products (345)

Vendor Product Asset Type Purdue Level Firmware
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*

// Remediations (85)

Mitigation: Hitachi Energy recommends implementing security practices and firewall configurations to help protect process control networks from external attacks. Such practices include ensuring that process control systems are physically protected from unauthorized access, have no direct Internet connections, and are separated from other networks by a firewall system that minimizes exposed ports, and any additional ports should be evaluated on a case-by-case basis. Process control systems should not be used for web browsing, instant messaging, or email. Portable computers and removable storage media should be thoroughly scanned for malware before being connected to a control system. Organizations should enforce proper password policies and procedures.
Patch: Update to V2.50 or later version
Patch: Update to V16.51 or later version
Patch: Update to V2.70 or later version
Patch: Update to V9.83 or later version
Patch: Update to V6.20 or later version
Patch: Update to V2.83 or later version
Patch: Update to V2.20.0 or later version
Patch: Update to V10.0 or later version
Mitigation: Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
Mitigation: Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it
Patch: Update to V4.22 or later version
Patch: Update to V9.68 or later version
Patch: Update to V8.90 or later V8.xx version
Mitigation: Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it
Mitigation: Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
Patch: Update to V5.6 or later version
Patch: Update to V4.6 or later version
Patch: Update to V6.6.0 or later version
Patch: Update to V4.3.11 or later version
Patch: Update to V8.2 or later version
Patch: Update to V3.2 or later version
Patch: Update to V5.10.0 or later version
Patch: Update to V3.2 or later version
Patch: Update to V4.3.11 or later version
Patch: Update to V1.0 SP2 Update 4 or later version
Patch: Update to V4.1.9 or later version
Patch: Update to V1.3 or later version
Patch: Update to V3.0.0 or later version
Patch: Update to V5.10.0 or later version
Patch: Update to V2.17.0 or later version
Patch: Update to V3.2 or later version
Patch: Update to V8.2 or later version
Patch: Update to V6.6.0 or later version
Patch: Update to V4.1.9 or later version
Patch: Update to V3.0.0 or later version
Patch: Update to V4.3.11 or later version
Patch: Update to V1.0 SP2 Update 4 or later version
Mitigation: Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it
Patch: Update to V4.3.11 or later version
Patch: Update to V3.2 or later version
Patch: Update to V5.10.0 or later version
Patch: Update to V1.3 or later version
Patch: Update to V4.6 or later version
Patch: Update to V2.17.0 or later version
Mitigation: Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
Patch: Update to V5.6 or later version
Patch: Update to V1.0 SP2 Update 4 or later version
Patch: Update to V5.10.0 or later version
Patch: Update to V3.2 or later version
Patch: Update to FOX61x R18, then enable the RADIUS Message-Authenticator option in both the FOX61x and RADIUS Server configurations. Refer to the Technical User Documentation at https://publisher.hitachienergy.com/preview?DocumentID=1KHW029042&LanguageCode=en&DocumentPartId=R18&Action=launch.
Mitigation: Enable the RADIUS Message-Authenticator option in both the FOX61x and RADIUS Server configurations. Refer to the Technical User Documentation at https://publisher.hitachienergy.com/preview?DocumentID=1KHW029042&LanguageCode=en&DocumentPartId=R18&Action=launch.
Mitigation: If the upgrade is not possible, apply general mitigation factors with segmentation of FOX management traffic to minimize the risk.
Mitigation: For more information, see the associated Hitachi Energy cybersecurity advisory 8DBD000225 Radius MD5 Vulnerability in Hitachi Energy FOX61x product at https://publisher.hitachienergy.com/preview?DocumentID=8DBD000225&LanguageCode=en or https://publisher.hitachienergy.com/preview?DocumentID=8DBD000225-CSAF&LanguageCode=en&DocumentPartId=&Action=Launch.
Patch: Update to XMC20 R18 and then enable the RADIUS Message-Authenticator option in both the XMC20 and RADIUS server configurations. Refer to the Technical User Documentation at https://publisher.hitachienergy.com/preview?DocumentID=1KHW029001&LanguageCode=en&DocumentPartId=R18&Action=launch.
Mitigation: Hitachi Energy recommends implementing security practices and firewall configurations to help protect process control networks from external attacks. Such practices include ensuring that process control systems are physically protected from unauthorized access, have no direct Internet connections, and are separated from other networks by a firewall system that minimizes exposed ports, and any additional ports should be evaluated on a case-by-case basis. Process control systems should not be used for web browsing, instant messaging, or email. Portable computers and removable storage media should be thoroughly scanned for malware before being connected to a control system. Organizations should enforce proper password policies and procedures.
Mitigation: Enable the RADIUS Message-Authenticator option in both the XMC20 and RADIUS server configurations. Refer to the Technical User Documentation at https://publisher.hitachienergy.com/preview?DocumentID=1KHW029001&LanguageCode=en&DocumentPartId=R18&Action=launch.
Mitigation: If the upgrade is not possible, apply general mitigation factors with segmentation of FOX management traffic to minimize the risk.
Mitigation: For more information, see the associated Hitachi Energy cybersecurity advisory 8DBD000233 RADIUS MD5 Vulnerability in Hitachi Energy XMC20 product, available in PDF format at https://publisher.hitachienergy.com/preview?DocumentID=8DBD000233&LanguageCode=en&DocumentPartId=&Action=launch or in JSON format at https://publisher.hitachienergy.com/preview?DocumentID=8DBD000233-CSAF&LanguageCode=en&DocumentPartId=&Action=Launch.
Mitigation: For more information, see the associated Hitachi Energy PSIRT security advisory 8DBD000230 RADIUS vulnerability in Hitachi Energy AFS, AFR and AFF series products.
Mitigation: All affected products: Set the RADIUS configuration to default, which enables the RADIUS server message authenticator option.
Patch: AFR 677, AFS 650, AFS 655, AFS 670, AFS 675, AFS 677: Command to enable the Message Authenticator option for AFS65x, AFS67x, AFR67x. CLI: radius server msgauth; MIB: hmAgentRadiusServerMsgAuth
Patch: AFF 660, AFF 665, AFS 660-B/C/S, AFS 665-B/S, AFS 670: Command to enable the Message Authenticator option for AFS66x, AFS670 v2.0, AFF66x. CLI: radius server auth modify msgauth; MIB: hm2AgentRadiusServerMsgAuth
Mitigation: Hitachi Energy has identified the following recommended immediate actions:
Patch: Update to V2.70 or later version
Patch: Update to V2.83 or later version
Patch: Update to V16.51 or later version
Patch: Update to V9.68 or later version
Patch: Update to V10.0 or later version
Patch: Update to V9.68 or later version
Mitigation: Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
Patch: Update to V2.50 or later version
Patch: Update to V10.0 or later version
Mitigation: Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it
Patch: Update to V6.20 or later version
Patch: Update to V8.90 or later V8.xx version
Patch: Update to V9.83 or later version
Patch: Update to V10.0 or later version
Patch: Update to V2.20.0 or later version
Patch: Update Fortigate NGFW to V7.4.7. Contact customer support to receive patch and update information.
Patch: Update Fortigate NGFW to V7.4.7. Contact customer support to receive patch and update information.
Patch: Upgrade Palo Alto Networks Virtual NGFW to V11.1.4-h1. Contact customer support to receive patch and update information.
Mitigation: Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it
Mitigation: Customers can resolve this issue by configuring the in-use SSH profile to contain at least one cipher and at least one MAC algorithm, which removes support for CHACHA20-POLY1305 and all Encrypt-then-MAC algorithms available (ciphers with -etm in the name) in PAN-OS software. See Palo Alto Networks' upstream documentation https://security.paloaltonetworks.com/CVE-2023-48795 for additional guidance.
Mitigation: Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
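
What the "require a Message-Authenticator attribute in all Access-Request packets" mitigation checks on the server side, as an added example (not code from the advisory or from any vendor product). It follows the RFC 2869 definition of the attribute (HMAC-MD5 over the whole packet with the attribute value zeroed); the shared secret, user name, packets and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80          # RFC 2869 attribute type
SECRET = b"constructed-shared-secret"  # constructed sample value


def iter_attributes(packet: bytes):
    """Yield (type, value_offset, value) for every attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not match the datagram")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len


def check_access_request(packet: bytes, secret: bytes) -> str:
    """Apply the 'Message-Authenticator required' policy to one datagram."""
    try:
        attrs = list(iter_attributes(packet))
    except ValueError as exc:
        return f"drop: malformed ({exc})"
    if packet[0] != ACCESS_REQUEST:
        return "skip: not an Access-Request"
    found = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if not found:
        return "drop: Message-Authenticator missing"
    if len(found) > 1 or len(found[0][1]) != 16:
        return "drop: Message-Authenticator malformed"
    offset, received = found[0]
    # The HMAC covers header, Request Authenticator and all attributes,
    # with the 16-byte attribute value replaced by zeros.
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = bytearray(packet[:length])
    zeroed[offset:offset + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        return "drop: Message-Authenticator invalid"
    return "accept"


def build_request(secret: bytes, ident: int, user: bytes, with_ma: bool = True) -> bytes:
    """Build a constructed Access-Request for the demo (fixed Request Authenticator)."""
    attrs = b""
    if with_ma:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # placed first
    attrs += bytes([USER_NAME, 2 + len(user)]) + user
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = bytearray(header + bytes(range(16)) + attrs)
    if with_ma:
        # Attribute value sits at bytes 22..37 because the attribute is first.
        packet[22:38] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def demo() -> dict:
    """Run the policy over constructed packets and return the verdicts."""
    good = build_request(SECRET, 1, b"operator")
    return {
        "valid": check_access_request(good, SECRET),
        "no_attribute": check_access_request(
            build_request(SECRET, 2, b"operator", with_ma=False), SECRET),
        "modified_in_transit": check_access_request(good[:-1] + b"X", SECRET),
        "wrong_secret": check_access_request(good, b"other-secret"),
        "truncated": check_access_request(good[:25], SECRET),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```
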

// References