Security Advisory

A RADIUS Protocol vulnerability was published on July 9, 2024. RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can forge an authentication response in cases where a Message-Authenticator attribute is not required or enforced. This issue arises from a cryptographically insecure integrity check using MD5, enabling attackers to spoof UDP-based RADIUS response packets. This could allow an attacker to undermine the fundamental security mechanisms of RADIUS-based authentication systems.

The table below indicates releases of ACOS exposed to this vulnerability and ACOS releases that address them. ACOS release families not indicated below are unaffected by these vulnerabilities.

Customers using affected ACOS releases can overcome vulnerability exposures by updating to the indicated resolved release. If the table does not list a corresponding resolved or unaffected release, then no ACOS release update is currently available.

This vulnerability involves malicious or Man-In-The-Middle RADIUS servers for exploitation. Manage and configure ACOS devices for RADIUS authentication operations only with trusted RADIUS servers on trusted communication channels.

For ACOS 6.0.6, 5.2.1-P12 or 4.1.4-GR1-P14-SP1 and newer:

Enable the message authenticator attribute verification using the following config command:

ACOS(config)# radius-server message-authenticator-verify-enable

Software updates that address these vulnerabilities are or will be published at the following URL:

https://support.a10networks.com/

None

© Copyright 2025 A10 Networks, Inc. All Rights Reserved.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.