CVE-2024-3596: RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.

First published: Wed Feb 07 2024(Updated: )

Affected Vendor IETF Every vendor who implements a product supporting RADIUS Affected Product RFC 2865 Affected Version RFC 2865 Significant ICS/OT impact? no Reporter Nadia Heninger [nadiah.edu] University of California San Diego Vendor contacted? yes We have reached out to the IETF. This vulnerability will affect a large number of vendors and we have not reached out to any individual vendors yet. Description We have an efficient forgery attack against the Response Authenticator used to authenticate RADIUS server Access-Accept or Access-Reject messages. This is a protocol vulnerability against RFC 2865 and applies to RADIUS/UDP. It allows a man-in-the-middle attacker to forge a valid Access-Accept response to a client request that has been rejected by the RADIUS server, and gain access to the network resources and devices for which the RADIUS client may authorize users. The Response Authenticator is an MD5 hash of values from the RADIUS client request and server response together with a fixed shared secret (unknown to our attacker) that is shared between the RADIUS client and server. The first byte of an Access-Accept and Access-Reject message differ. The attacker executes a so-called chosen-prefix collision attack on MD5 to change the message type in the first byte and any relevant packet attributes while ensuring that the Access-Reject and forged Access-Accept both produce the same Response Authenticator. Once an MD5 chosen-prefix hash collision has been computed, any fixed value appended to the two messages will continue to produce an MD5 hash collision. In particular, the attacker can compute a collision with known values such that when the client or server append the secret to compute the Response Authenticator, it will still produce the same hash value. Computing an MD5 chosen-prefix hash collision requires predicting the Access-Reject message and appending as few as 80 bytes of collision block gibberish to the Access-Request sent to the server. In our attack, the attacker encapsulates this collision-block gibberish in Proxy-State attributes that are required by the RFC to be returned by the server in its response and are hence also present in the Access-Reject produced by the server. These gibberish values ensure the Response Authenticator computed from the Access-Reject and will be a correct Response Authenticator for the forged Access-Accept. Exploit To exploit this vulnerability, an attacker needs man-in-the-middle network access between the RADIUS client and server, and the client and server must be using RADIUS/UDP to communicate. The attacker also needs to be able to trigger a RADIUS client Access-Request, by for example entering a username and (incorrect) password at a login prompt on a victim device. The simplest case is when the client is using PAP authentication. The attacker observes the Access-Request packet (in particular the random ID and Request Authenticator values included in the request) and predicts the attributes that will be returned in the Access-Reject response that is expected to be returned by the server. The attacker then computes an MD5 chosen-prefix collision online, before the client times out its request. With our computing power, we are currently able to compute such a collision in as little as 5 to 6 minutes; we expect to continue to improve this, and a well-resourced attacker with the ability to implement this attack on FPGAs would certainly be able to improve this time to seconds. Once the attacker has computed the MD5 collision, the attacker inserts the corresponding collision blocks into one or more Proxy-State attributes in the request, and removes any Message-Authenticator attributes from the request. (This is allowed and undetectable when using PAP authentication.) The attacker sends this modified client request to the RADIUS server. The attacker then receives the expected Access-Reject response from the RADIUS server, and copies the Response Authenticator value from the Access-Reject to the colliding Access-Accept packet that it forges. This packet will include some Proxy-State attributes containing the collision block gibberish; we have verified that these attributes are accepted by clients. The attacker then forwards its modified Access-Accept response to the client, which should successfully let the attacker log in. We have attached a file poc.md showing logs and values with a sample colliding request. Impact An attacker gains access to any resource for which RADIUS is used for authentication/authorization. RADIUS/UDP appears to be commonly used within enterprise networks and organizations to provide admin access to routing infrastructure, user logins for VPNs, for Wi-Fi access via WPA-enterprise, and as a lightweight authentication mechanism for a variety of networked devices and hardware. RADIUS is supported by cloud authentication services like Duo and Okta as well. Discovery This vulnerability was discovered by Mike Milano, Sharon Goldberg, Nadia Heninger, Dan Shumow, Marc Stevens, Miro Haller, and Adam Suhl. We discovered it by reading the RFC, examining the behavior of the RADIUS client and server implementations we currently have access to (FreeRadius, Okta, a Cisco ASA 5505), and optimizing Marc Stevens's Hashclash MD5 collision software for our particular case. Has been exploited? no Is public? no Disclosure Plans? yes We plan to submit a paper to the Usenix Security conference. The paper will be confidential except to the program committee. The submission deadline is February 8 and the conference takes place August 14-16. We are fine with coordinating the public disclosure deadline with vendors.

Credit: cret@cert.org cret@cert.org

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/title
• agent/type
• collector/msrc
• source/Microsoft
• collector/msrc-cve
• agent/software-canonical-lookup
• collector/bleeping-computer
• source/BleepingComputer
• alias/CVE-2024-3596
• collector/oss-sec
• source/oss-sec
• collector/the-register
• source/The Register
• agent/author
• agent/first-publish-date
• collector/nvd-cve
• source/NVD
• collector/mitre-cve
• source/MITRE
• collector/usn-cve
• source/Ubuntu
• agent/remedy
• agent/event
• agent/description
• collector/security-tracker-debian
• source/Debian
• agent/trending
• agent/references
• agent/severity
• agent/weakness
• agent/softwarecombine
• collector/redhat-bugzilla
• source/Red Hat
• agent/last-modified-date
• agent/source
• agent/tags
• collector/nvd-api
• agent/software-canonical-lookup-request
• vendor/microsoft
• canonical/microsoft windows server 2019
• canonical/microsoft windows 10
• version/microsoft windows 10/21h2
• canonical/microsoft windows 11
• version/microsoft windows 11/22h2
• canonical/microsoft windows server 2008 r2
• version/microsoft windows 10/22h2
• canonical/microsoft windows server 2008
• canonical/microsoft windows server 2012 r2
• version/microsoft windows 10/1607
• canonical/microsoft windows server 2012
• version/microsoft windows 11/21h2
• version/microsoft windows 11/23h2
• canonical/microsoft windows server 2022
• version/microsoft windows 10/1809
• canonical/microsoft windows server 2022, 23h2 edition
• canonical/microsoft windows server 2016
• package-manager/debian
• vendor/freeradius
• canonical/freeradius freeradius
• vendor/broadcom
• canonical/brocade sannav ova
• canonical/broadcom fabric operating system
• vendor/sonicwall
• canonical/sonicwall sonicos