CVE-2024-3596 RADIUS Protocol Spoofing Vulnerability Remote Authentication Dial-In User Service

It is essential to know about a security risk, CVE-2024-3596, in the Remote Authentication Dial-In User Service RADIUS protocol related to MD5 hashing. MD5 is a cryptographic hash function algorithm that converts input data of any length into a fixed 128-bit (16-byte) hash value.

MD5 is a hashing method used to secure data. However, different pieces of data can produce the same hash value, known as a collision. This issue is especially concerning for RADIUS traffic sent over the Internet using UDP or User Datagram Protocol.

UDP is one of the core protocols of the Internet Protocol (IP) suite. It does not check if data is altered, so if an attacker exploits the MD5 collision problem, they can change the data packets. This can lead to unauthorized access or other security issues.

To take advantage of this security risk, an attacker must be on the same network as the RADIUS server and have access to it. However, if the RADIUS traffic is sent through a VPN (Virtual Private Network), the VPN secures the data and prevents tampering, so this risk does not apply.

Patch My PC

What is the Security Risk Related to the RADIUS Protocol?

Security-Risks-in-Remote-Authentication-Dial-In-User-Service-RADIUS-Protocol-1

The security risk involves MD5 collision issues that affect RADIUS traffic sent over the internet using the User Datagram Protocol (UDP).

Does this Security Risk Affect all RADIUS Environments?

Security-Risks-in-Remote-Authentication-Dial-In-User-Service-RADIUS-Protocol-1

No, This risk requires physical access to the RADIUS network and the Network Policy Server (NPS).

New RADIUS Standard and Potential NPS Connection Failures with July 2024 Windows Updates

Starting July 9, 2024, Windows updates support a new security feature called the Message-Authenticator attribute in RADIUS Access-Request packets. This is required by new RADIUS standards. While this update improves security, it might cause connection issues with the Network Policy Server (NPS) if your firewall or RADIUS system doesn’t support this feature.

  • The update doesn’t cause these issues directly; they happen only if your current setup is incompatible.
Security Risks in CVE-2024-3596 Remote Authentication Dial-In User Service RADIUS Protocol - Fig.1 - Creds to MS
Security Risks in CVE-2024-3596 Remote Authentication Dial-In User Service RADIUS Protocol – Fig.1 – Creds to MS

Workaround or Actions to Secure Your RADIUS Environment

KB5040268 provides detailed guidance on managing the vulnerability associated with CVE-2024-3596. It involves an attack on Access-Request packets in the RADIUS protocol. This vulnerability, related to MD5 collisions, poses a risk where data packets can be altered during transit.

Implementing specific configurations and workarounds is essential to secure your RADIUS environment. The table below provides more details.

Secure Your RADIUS EnvironmentWorkaround or Actions
Enable Message-Authenticator for RequestsIt is important to ensure that all Access-Request packets include the Message-Authenticator attribute. This feature is turned off by default, so make sure to activate it.
Verify Message-Authenticator in RequestsYou should confirm that Access-Request packets contain the Message-Authenticator attribute. It is advisable to enforce this requirement for all packets. By default, this setting is off, so you should enable it.
Check Message-Authenticator with Proxy-StateIf you use the Proxy-State attribute, consider enabling the limitProxyState option. This will drop packets with the Proxy-State attribute if they do not also include the Message-Authenticator attribute. This option is off by default, so it’s recommended to turn it on if you cannot validate every packet.
Verify Message-Authenticator in ResponsesYou must ensure that RADIUS response packets (Access-Accept, Access-Reject, and Access-Challenge) include the Message-Authenticator attribute. Enable the requireMsgAuth option to discard response packets from remote servers that lack this attribute. This setting is off by default, so turn it on to enhance security.
Security Risks in CVE-2024-3596 Remote Authentication Dial-In User Service RADIUS Protocol – Table 1

CVE-2024-3596 RADIUS Protocol Spoofing Vulnerability

CVE-2024-3596 is a security vulnerability in the RADIUS protocol identified by CERT/CC. This vulnerability is classified as important due to its potential impact on spoofing. The table below provides more details.

CVE DetailsData
CVE TitleCERT/CC: CVE-2024-3596 RADIUS Protocol Spoofing Vulnerability
CVE IDCVE-2024-3596
Release DateJuly 9, 2024
Assigning CNACERT/CC
ImpactSpoofing
Max SeverityImportant
WeaknessCWE-327: Use of a Broken or Risky Cryptographic Algorithm
CVSS SourceMicrosoft
CVSS Score7.5 / 6.5
Security Risks in CVE-2024-3596 Remote Authentication Dial-In User Service RADIUS Protocol – Table 2
Security Risks in Remote Authentication Dial-In User Service RADIUS Protocol - Fig.2 - Creds to MS
Security Risks in CVE-2024-3596 Remote Authentication Dial-In User Service RADIUS Protocol – Fig.2 – Creds to MS

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair has been Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.