RADIUS Protocol CVE-2024-3596
Summary
A fundamental design flaw in the RADIUS protocol has been proven to be exploitable, compromising the integrity of the RADIUS Access-Request process. The attack allows a malicious user to modify packets in a way that is indistinguishable from legitimate traffic to a RADIUS client or server. To succeed, the attacker must be able to interpose themselves between the client and the server.
| Version | Affected | Solution |
|---|---|---|
| FortiADC 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiADC 7.4 | 7.4.0 through 7.4.5 | Upgrade to 7.4.6 or above |
| FortiADC 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiADC 7.1 | 7.1 all versions | Migrate to a fixed release |
| FortiADC 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiADC 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiADC 6.1 | 6.1 all versions | Migrate to a fixed release |
| FortiADC 6.0 | 6.0 all versions | Migrate to a fixed release |
| FortiAnalyzer 7.6 | 7.6.0 | Upgrade to 7.6.2 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.5 | Upgrade to 7.4.6 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.9 | Upgrade to 7.2.10 or above |
| FortiAnalyzer 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiAnalyzer 6.4 | Not affected | Not Applicable |
| FortiAuthenticator 7.0 | Not affected | Not Applicable |
| FortiAuthenticator 6.6 | 6.6.0 through 6.6.2 | Upgrade to 6.6.3 or above |
| FortiAuthenticator 6.5 | 6.5.0 through 6.5.5 | Upgrade to 6.5.6 or above |
| FortiAuthenticator 6.4 | 6.4.0 through 6.4.9 | Upgrade to 6.4.10 or above |
| FortiAuthenticator 6.3 | Not affected | Not Applicable |
| FortiAuthenticator 6.2 | Not affected | Not Applicable |
| FortiAuthenticator 6.1 | Not affected | Not Applicable |
| FortiGuest 2.0 | Not affected | Not Applicable |
| FortiGuest 1.3 | 1.3.0 | Upgrade to 1.3.1 or above |
| FortiGuest 1.2 | 1.2.0 through 1.2.1 | Upgrade to 1.2.2 or above |
| FortiGuest 1.1 | 1.1 all versions | Migrate to a fixed release |
| FortiGuest 1.0 | 1.0 all versions | Migrate to a fixed release |
| FortiManager 7.6 | 7.6.0 through 7.6.1 | Upgrade to 7.6.2 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.5 | Upgrade to 7.4.6 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.9 | Upgrade to 7.2.10 or above |
| FortiManager 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiManager 6.4 | Not affected | Not Applicable |
| FortiOS 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.5 | Upgrade to 7.4.6 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.10 | Upgrade to 7.2.11 or above |
| FortiOS 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiOS 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiProxy 7.6 | Not affected | Not Applicable |
| FortiProxy 7.4 | 7.4.0 through 7.4.5 | Upgrade to 7.4.6 or above |
| FortiProxy 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiProxy 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiProxy 2.0 | Not affected | Not Applicable |
| FortiSandbox 5.0 | 5.0.0 | Upgrade to 5.0.1 or above |
| FortiSandbox 4.4 | 4.4.0 through 4.4.6 | Upgrade to 4.4.7 or above |
| FortiSandbox 4.2 | 4.2 all versions | Migrate to a fixed release |
| FortiSandbox 4.0 | 4.0 all versions | Migrate to a fixed release |
| FortiSandbox 3.2 | Not affected | Not Applicable |
| FortiSwitch 7.6 | Not affected | Not Applicable |
| FortiSwitch 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiSwitch 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above |
| FortiSwitch 7.0 | 7.0.0 through 7.0.7 | Upgrade to 7.0.8 or above |
| FortiSwitch 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiWeb 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiWeb 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiWeb 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiWeb 6.4 | Not affected | Not Applicable |
Products Under Investigation:
- FortiAnalyzer BigData
- FortiMail
- FortiSASE
- FortiSIEM
- FortiConnect
- FortiDDoS
- FortiNAC
- FortiNDR
- FortiPortal
- FortiRecorder
- FortiVoice
- FortiWLC
- FortiPAM
Products NOT Impacted:
- FortiClient (Windows, Linux, Mac, etc.)
- FortiClientEMS
- FortiAP
Mitigations:
Use RADIUS over TLS (aka RADSEC). The current products and versions supporting RADSEC are:
- FortiOS versions 7.4.0 or newer
- FortiAuthenticator versions 6.2.0 or newer
Timeline
2024-08-13: Initial publication
2024-08-14: Updating products under investigation
2024-11-12: Adding FortiProxy fixed versions
2025-01-14: Adding FortiGuest and FortiADC to published
2025-03-06: Adding products with all GA's released
2025-03-14: Removing products with entries in advisory table from 'Under Investigation'
2025-04-23: Updating product information
2025-07-10: Adding additional product remediation methods