Skip to content
Uniqcli

"Juniper Junos OS CVE-2024-3596 (Blast-RADIUS): RADIUS Auth Bypass in Subscriber Management"

NewsUniqcli TeamJune 7, 20267 min read
"Juniper Junos OS CVE-2024-3596 (Blast-RADIUS): RADIUS Auth Bypass in Subscriber Management"

Blast-RADIUS is a protocol-level weakness in RADIUS itself, not a single vendor bug. Juniper has confirmed that Junos OS and Junos OS Evolved are affected where RADIUS is used for subscriber management, and has shipped fixes plus a built-in mitigation. This post explains what is actually at risk, the versions to move to, and how to confirm whether your devices are exposed.

What happened

In July 2024, researchers disclosed Blast-RADIUS, assigned CVE-2024-3596. The flaw is in the RADIUS protocol as defined in RFC 2865: a RADIUS authenticator value is protected only by an MD5 hash. An on-path (man-in-the-middle) attacker who can intercept RADIUS traffic between a network access server (the RADIUS client) and the RADIUS server can use a chosen-prefix MD5 collision to forge a server response. In practice, that means turning an Access-Reject into an Access-Accept (or modifying Access-Challenge) without knowing the shared secret or any user password.

Because this is a protocol issue, it affects many vendors and many RADIUS implementations. Juniper published a coordinated out-of-cycle advisory in 2024 covering multiple products, and a specific 2025-07 bulletin addressing the subscriber management RADIUS path in Junos OS and Junos OS Evolved — the deployment pattern most relevant to broadband network gateway (BNG) and large access-aggregation environments.

The condition that makes a device exploitable is the absence of the RADIUS Message-Authenticator attribute enforcement. When that attribute is required on responses, the forgery technique does not work.

Affected products and versions

The Junos OS subscriber-management fix is delivered in the releases below. Devices running RADIUS for subscriber management on earlier releases are affected.

Product Affected Fixed
Junos OS (subscriber mgmt) Versions before 21.4R3-S11 21.4R3-S11
Junos OS 22.2 before 22.2R3-S7 22.2R3-S7
Junos OS 22.4 before 22.4R3-S7 22.4R3-S7
Junos OS 23.2 before 23.2R2-S4 23.2R2-S4
Junos OS 23.4 before 23.4R2-S5 23.4R2-S5
Junos OS 24.2 before 24.2R2-S1 24.2R2-S1
Junos OS 24.4 before 24.4R1-S3 / 24.4R2 24.4R1-S3, 24.4R2, 25.2R1 and later
Junos OS Evolved 23.4-EVO before 23.4R2-S5-EVO 23.4R2-S5-EVO
Junos OS Evolved 24.2-EVO before 24.2R2-S1-EVO 24.2R2-S1-EVO
Junos OS Evolved 24.4-EVO before 24.4R1-S3-EVO / 24.4R2-EVO 24.4R1-S3-EVO, 24.4R2-EVO, 25.1R1-EVO and later

Note: the broader Blast-RADIUS issue touches additional Juniper products (for example Mist and other platforms that act as RADIUS clients) covered by Juniper's separate 2024 out-of-cycle advisory. This table reflects the subscriber-management bulletin specifically. Always confirm the exact fixed build for your platform and train against Juniper's advisory before scheduling an upgrade.

How serious is it

The National Vulnerability Database assigns CVE-2024-3596 a CVSS 3.1 base score of 9.0 (Critical), with vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. The "high attack complexity" reflects the prerequisites: the attacker must be positioned on the network path between the RADIUS client and server and must compute an MD5 collision within the request window. It is not a remote, point-and-click exploit. But where it succeeds, the impact is authentication bypass — an attacker can be granted access they should have been denied.

On exploitation status: as of this writing, CVE-2024-3596 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and we found no credible reporting of in-the-wild exploitation. The original research team described a proof-of-concept that was kept private. Treat this as a serious flaw to remediate on a planned basis — not an emergency zero-day, but not one to leave indefinitely on the to-do list either, especially on infrastructure that authenticates large subscriber or user populations.

Am I exposed?

Work through these questions:

  • Do you run Junos OS or Junos OS Evolved on a release older than the fixed builds above? If yes, you are potentially in scope.
  • Do those devices use RADIUS for subscriber management / BNG? This bulletin is specifically about that path. (If you use RADIUS elsewhere in Junos or on other Juniper products, check Juniper's broader 2024 Blast-RADIUS advisory as well.)
  • Is RADIUS traffic carried in cleartext UDP across any segment an attacker could reach? RADIUS between a NAS and server traversing untrusted or shared transport is the realistic attack surface. RADIUS confined to a hardened, isolated management segment is lower risk — but should still be patched.
  • Is Message-Authenticator enforcement already in place? Devices that require the Message-Authenticator attribute on responses are protected against the forgery technique even before patching.

If RADIUS authentication is central to how your network grants access — service provider BNG, large campus, or any subscriber-facing edge — assume you need to act and verify version by version.

How to fix it

Patch to a fixed release. Upgrade affected devices to the corresponding fixed Junos OS or Junos OS Evolved build listed above (or a later release). The fixed releases introduce a message-authenticator configuration parameter under RADIUS server settings that is enabled by default, enforcing validation of the Message-Authenticator attribute on RADIUS responses. This is the durable remediation.

Interim mitigations if you cannot patch immediately:

  • Enforce Message-Authenticator end to end. Configure both the RADIUS client (Junos) and the RADIUS server to require the Message-Authenticator attribute on all requests and responses. This is the protocol-level defense the researchers recommend and is what the patch enforces by default.
  • Encrypt the RADIUS transport. Where supported, use RADIUS over TLS (RADSEC) so RADIUS exchanges are no longer carried as forgeable cleartext UDP. An attacker who cannot read or tamper with the exchange cannot mount the collision attack.
  • Segment and restrict RADIUS paths. Keep RADIUS traffic on a dedicated, tightly controlled management network with no exposure to user or untrusted segments, reducing the opportunity for an on-path attacker.

Confirm your RADIUS server software is also patched and configured to send/require Message-Authenticator; this is a two-sided fix and patching only the Junos side is not sufficient if the server still omits the attribute.

How Uniqcli helps

Uniqcli is an authorized HPE, HPE Aruba Networking, and HPE Juniper Networking reseller serving US federal, SLED, healthcare, and enterprise customers. For CVE-2024-3596 we can help you:

  • Assess exposure across your Juniper estate — identify which MX, BNG, and other Junos OS / Junos OS Evolved devices run affected releases and use RADIUS for subscriber management, and confirm whether Message-Authenticator enforcement is already in place.
  • Plan and support the upgrade to fixed Junos releases, including maintenance-window sequencing for subscriber-facing edge devices where uptime matters.
  • Source patched or replacement hardware when a device is at end of support, undersized for a current train, or needs refresh as part of remediation.
  • Procure through your contract vehicle — TAA-compliant hardware available via GSA, NASA SEWP, and other federal and SLED pathways, with authorized warranty and genuine parts.

If RADIUS underpins access control on your network, contact Uniqcli to scope an exposure assessment and a remediation plan.

Sources

Build your HPE bill of materials.

Send us the requirement, the project, or an existing quote to beat. We come back with a validated, TAA-compliant HPE configuration and a real price, often below list.

connect [at] getuniqcli.com · Chicago, IL