Vulnerabilities

CVE-2024-3596 RADIUS Protocol Forgery Vulnerability (BlastRADIUS)

This advisory is for organizations that use RADIUS for authentication within their environment. If your organization does not use RADIUS, this notification may be discarded.


Summary

RADIUS, short for Remote Authentication Dial-In User Service, is a client/server protocol that provides centralized authentication, authorization, and accounting (AAA) for users who connect to and use a network service. RADIUS traffic is typically transmitted over UDP, with packet integrity and password protection derived from the MD5 hash. MD5 is a hashing method that adversaries can break at trivial cost using collision attacks. This makes RADIUS Access-Request packets subject to a chosen-prefix collision attack, which permits an attacker to modify the response packet and authenticate to local devices or services that use RADIUS. An attacker could leverage this vulnerability to conduct MitM attacks against RADIUS packets sent over the internet, or to perform trivial privilege escalation after gaining initial access to a network.


This attack was evaluated by Cloudflare and has not been seen in the wild.


CVE-2024-3596: CVSSv3.1: Rated by Microsoft as 7.5 (not yet rated by NVD)

    RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker


Mitigations

  • Transition to RADIUS over TLS (RadSec).
  • The short-term mitigation for implementers and vendors is to mandate that clients and servers always send, and always require, the Message-Authenticator attribute in all requests and responses. In Access-Accept and Access-Reject responses, the Message-Authenticator should be included as the first attribute. Researchers note that every RADIUS patch they are aware of implements this mitigation, and the guidance is being incorporated into an upcoming RADIUS RFC.
  • Observe the best practice of never sending RADIUS/UDP or RADIUS/TCP traffic in the clear over the public Internet. On internal networks, a best practice is to isolate RADIUS traffic in a restricted-access management VLAN or to tunnel it over TLS or IPsec.
  • Ensure that all mitigations are researched and tested for the applicable environment before fully implementing them.
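The following Python example is added here to illustrate the Message-Authenticator mitigation above and the MD5-based Response Authenticator described in the summary; it is not code from this advisory or from any RADIUS vendor. It builds an Access-Request and an Access-Reject with the Message-Authenticator (RFC 2869, attribute 80) placed first, then verifies them the way a hardened client or server should: a packet without a Message-Authenticator is refused, and a Reject whose Code byte has been rewritten to Accept fails the HMAC check even though its layout is otherwise intact. The shared secret, identifier and attribute values are constructed for the demonstration.

```python
"""Added example: Message-Authenticator (RFC 2869) and Response Authenticator
(RFC 2865) handling for RADIUS packets. Shared secret, identifier and attribute
values below are constructed for the demo, not taken from any real deployment."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")          # Code, Identifier, Length, Authenticator
ZERO_MAC = b"\x00" * 16


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs (type, length, value)."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLVs; raise ValueError on a truncated or undersized attribute."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def _finalize(code, ident, req_auth, final_auth, attrs, secret, with_ma=True):
    # Per the mitigation, Message-Authenticator goes first. It is HMAC-MD5 over the
    # packet with the Request Authenticator in the header and the MAC field zeroed.
    leading = [(ATTR_MESSAGE_AUTHENTICATOR, ZERO_MAC)] if with_ma else []
    body = encode_attrs(leading + attrs)
    pkt = bytearray(HEADER.pack(code, ident, HEADER.size + len(body), req_auth) + body)
    if with_ma:
        pkt[22:38] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    if final_auth is None:
        # Response Authenticator (RFC 2865): MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
        final_auth = hashlib.md5(bytes(pkt[:4]) + req_auth + bytes(pkt[20:]) + secret).digest()
    pkt[4:20] = final_auth
    return bytes(pkt)


def build_request(ident, attrs, secret):
    """Access-Request: the header carries a fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    return _finalize(ACCESS_REQUEST, ident, req_auth, req_auth, attrs, secret)


def build_response(code, request, attrs, secret, with_ma=True):
    """Accept/Reject answering `request`; with_ma=False mimics an unpatched server."""
    return _finalize(code, request[1], request[4:20], None, attrs, secret, with_ma)


def verify(pkt, secret, req_auth=None):
    """True only if the packet carries a valid Message-Authenticator (required, not
    optional). For responses pass the matching Request Authenticator; the RFC 2865
    Response Authenticator is then checked as well."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        attrs = decode_attrs(pkt[20:])
    except ValueError:
        return False
    offset, ma_offset = 20, None
    for t, v in attrs:                      # locate the Message-Authenticator value
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if len(v) != 16:
                return False
            ma_offset = offset + 2
            break
        offset += 2 + len(v)
    if ma_offset is None:                   # mitigation: refuse packets without it
        return False
    auth_for_mac = pkt[4:20] if req_auth is None else req_auth
    zeroed = pkt[:4] + auth_for_mac + pkt[20:ma_offset] + ZERO_MAC + pkt[ma_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[ma_offset:ma_offset + 16]):
        return False
    if req_auth is not None:
        resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
        if not hmac.compare_digest(resp_auth, pkt[4:20]):
            return False
    return True


def demo(secret=b"constructed-shared-secret"):
    """Run the checks over a constructed exchange and return each outcome."""
    req = build_request(7, [(ATTR_USER_NAME, b"alice")], secret)
    reject = build_response(ACCESS_REJECT, req, [], secret)
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]          # Reject rewritten as Accept
    legacy = build_response(ACCESS_REJECT, req, [], secret, with_ma=False)
    return {
        "request_ok": verify(req, secret),
        "reject_ok": verify(reject, secret, req[4:20]),
        "forged_ok": verify(forged, secret, req[4:20]),
        "legacy_ok": verify(legacy, secret, req[4:20]),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is in `verify`: a missing Message-Authenticator is a hard failure, not a fallback to the MD5 Response Authenticator alone, because the Response Authenticator is the value the chosen-prefix attack targets. Note that `legacy_ok` is False only because the verifier insists on the attribute; an unpatched client that accepts the same packet is exactly what the mitigation removes.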


Additional Resources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3596

https://blog.cloudflare.com/radius-udp-vulnerable-md5-attack

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-3596

https://support.microsoft.com/en-us/topic/kb5040268-how-to-manage-the-access-request-packets-attack-vulnerability-associated-with-cve-2024-3596-a0e2f0b1-f200-4a7b-844f-48d1d5ab9e66

https://nvd.nist.gov/vuln/detail/CVE-2024-3596