The problem is not limited to Fortinet or Palo Alto Networks software. Since the cause for the problem is a design flaw in the RADIUS protocol, this flaw affects most products using RADIUS for authentication or accounting.
The vulnerability
The vulnerability itself is documented at https://blastradius.fail/ and as CVE-2024-3596. Please note that not only Microsoft RADIUS is affected: since this is a protocol design flaw, most RADIUS servers are affected and need to be patched.
A vulnerability exists in the RADIUS protocol that potentially affects many products and implementations of RFC 2865, i.e. RADIUS over UDP. In brief, the RADIUS protocol (RFC 2865) is susceptible to forgery attacks that can modify an Access-Accept or Access-Reject response. CERT/CC assigned a CVE ID for this vulnerability, which all vendors use for their affected products.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-3596
The reason RADIUS stops working is that the firewall software (or, more generally, the network access server) has been upgraded while the RADIUS server has not. In this case the upgraded network access server rejects the responses of the not-yet-patched RADIUS server.
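To make the breakage concrete, here is an added example (not code from the original article or from any vendor) that builds RADIUS Access-Accept responses and checks them the two ways a network access server can: with only the MD5 Response Authenticator of RFC 2865, and additionally requiring the HMAC-MD5 Message-Authenticator attribute of RFC 2869. The shared secret, packet ID, Request Authenticator and Reply-Message text are constructed values. A response from an unpatched server (no Message-Authenticator) still passes the legacy check but is rejected by the strict check, which is exactly the "server upgraded, NAS rejects it" situation described above; a response from a patched server passes both.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
REPLY_MESSAGE = 18          # RFC 2865 attribute type
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type, 16-byte HMAC-MD5


def encode_attrs(attrs):
    """Encode a list of (type, value) pairs as RADIUS TLV attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body):
    """Decode RADIUS attributes; raises ValueError on a malformed length."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def build_response(code, ident, request_auth, attrs, secret, with_message_auth):
    """Build an Access-Accept/Reject as a RADIUS server would.

    with_message_auth=False models an unpatched server (RFC 2865 only);
    True models a server patched for CVE-2024-3596 that appends a
    Message-Authenticator computed over the packet with the Request
    Authenticator in the authenticator field and the attribute value zeroed.
    """
    if with_message_auth:
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_message_auth:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac  # fill in the zeroed value (last attribute)
    # RFC 2865 Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret, require_message_auth):
    """Check a response as a NAS does; strict mode models the upgraded NAS."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False  # legacy MD5 check failed
    try:
        attrs = parse_attrs(body)
    except ValueError:
        return False
    ma_offset = ma_value = None
    pos = 0
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR:
            ma_offset, ma_value = pos + 2, v
        pos += 2 + len(v)
    if ma_value is None:
        # Unpatched server: only acceptable when the NAS does not require it
        return not require_message_auth
    if len(ma_value) != 16:
        return False
    zeroed = body[:ma_offset] + b"\x00" * 16 + body[ma_offset + 16:]
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, ma_value)


def demo():
    """Constructed values: secret, ID, Request Authenticator, Reply-Message."""
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))
    attrs = [(REPLY_MESSAGE, b"Welcome")]
    unpatched = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret, False)
    patched = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret, True)
    tampered = bytearray(patched)
    tampered[0] = ACCESS_REJECT  # flip the code without recomputing anything
    return {
        "legacy_nas_accepts_unpatched_server": verify_response(unpatched, request_auth, secret, False),
        "upgraded_nas_accepts_unpatched_server": verify_response(unpatched, request_auth, secret, True),
        "upgraded_nas_accepts_patched_server": verify_response(patched, request_auth, secret, True),
        "tampered_response_accepted": verify_response(bytes(tampered), request_auth, secret, True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The second result is the one operators see after a firewall upgrade: the unpatched server's answer is perfectly well-formed under RFC 2865, yet the strict NAS discards it, which Fortinet surfaces as "Invalid secret for the server". The fix is on the server side (add the Message-Authenticator), not on the NAS side.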
The solution
Upgrade your RADIUS server to a release that has CVE-2024-3596 fixed.
For the Microsoft NPS server, this is KB5040268.
Details for Fortinet products
On the FortiGate or FortiAnalyzer Admin GUI, the error message “Invalid secret for the server” is shown.
All cases show up after a FortiOS upgrade.
Fortinet has a community article specifically for the Microsoft NPS server, a generic community article, and a PSIRT article.
Details for Palo Alto Networks products
Palo Alto Networks has published a network security advisory.
Hi Boll Team,
With the latest versions you can also disable sending the Message-Authenticator attribute:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Workaround-for-Blast-RADIUS-mitigation-behavior-in/ta-p/367541
config user radius
    edit "radius"
        set server "xx.xx.xx.xx"
        set require-message-authenticator disable
    next
end
Thanks for the tip, Gabriel! With that, the RADIUS connections work again without any changes, but may be vulnerable under certain circumstances.
Kind regards, BOLL Team