{
  "threat_severity" : "Important",
  "public_date" : "2024-07-09T00:00:00Z",
  "bugzilla" : {
    "description" : "freeradius: forgery attack",
    "id" : "2263240",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2263240"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-294->CWE-836->CWE-924",
  "details" : [ "RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.", "A vulnerability in the RADIUS (Remote Authentication Dial-In User Service) protocol allows attackers to forge authentication responses when the Message-Authenticator attribute is not enforced. This issue arises from a cryptographically insecure integrity check using MD5, enabling attackers to spoof UDP-based RADIUS response packets. This can result in unauthorized access by modifying an Access-Reject response to an Access-Accept response, thereby compromising the authentication process." ],
  "statement" : "This vulnerability is of Important severity due to its ability to undermine the fundamental security mechanisms of RADIUS-based authentication systems. By exploiting the weak MD5 integrity check, an attacker can forge RADIUS responses, effectively bypassing authentication controls and gaining unauthorized access to network resources. This poses a significant threat to environments relying on RADIUS for user and device authentication, particularly those lacking enforced Message-Authenticator attributes or TLS/DTLS encryption.\nThere are several preconditions for this attack to be possible:\n* An attacker needs man-in-the-middle network access between the RADIUS client and server\n* The client and server must be using RADIUS/UDP to communicate\n* The attacker needs to be able to trigger a RADIUS client Access-Request (for example, the client is using PAP authentication)\nDue to these attack surface limitations, the impact is rated Important.\nWithin Red Hat offerings, this impacts the FreeRADIUS package. This flaw allows a local, unauthenticated attacker to conduct a man-in-the-middle attack to log in as a third party without knowing their credentials. Servers using Extensible Authentication Protocol (EAP) with required Message-Authenticator attributes or those employing TLS/DTLS encryption are not affected.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2024-07-30T00:00:00Z",
    "advisory" : "RHSA-2024:4911",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "freeradius-0:3.0.20-1.el7_9.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2024-11-04T00:00:00Z",
    "advisory" : "RHSA-2024:8788",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "krb5-0:1.15.1-55.el7_9.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-07-31T00:00:00Z",
    "advisory" : "RHSA-2024:4936",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "freeradius:3.0-8100020230904084920.69ef70f8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-11-05T00:00:00Z",
    "advisory" : "RHSA-2024:8860",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "krb5-0:1.18.2-30.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2024-07-30T00:00:00Z",
    "advisory" : "RHSA-2024:4913",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
    "package" : "freeradius:3.0-8020020240726095340.ce27ea5e"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2024-11-04T00:00:00Z",
    "advisory" : "RHSA-2024:8789",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "krb5-0:1.17-19.el8_2.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2024-07-25T00:00:00Z",
    "advisory" : "RHSA-2024:4874",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "freeradius:3.0-8040020240719063921.9ab73fbf"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2024-11-04T00:00:00Z",
    "advisory" : "RHSA-2024:8791",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "krb5-0:1.18.2-9.el8_4.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
    "release_date" : "2024-07-25T00:00:00Z",
    "advisory" : "RHSA-2024:4874",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.4",
    "package" : "freeradius:3.0-8040020240719063921.9ab73fbf"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
    "release_date" : "2024-11-04T00:00:00Z",
    "advisory" : "RHSA-2024:8791",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.4",
    "package" : "krb5-0:1.18.2-9.el8_4.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
    "release_date" : "2024-07-25T00:00:00Z",
    "advisory" : "RHSA-2024:4874",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.4",
    "package" : "freeradius:3.0-8040020240719063921.9ab73fbf"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
    "release_date" : "2024-11-04T00:00:00Z",
    "advisory" : "RHSA-2024:8791",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.4",
    "package" : "krb5-0:1.18.2-9.el8_4.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2024-07-24T00:00:00Z",
    "advisory" : "RHSA-2024:4826",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "freeradius:3.0-8060020240719034751.830b6f11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2024-11-04T00:00:00Z",
    "advisory" : "RHSA-2024:8794",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "krb5-0:1.18.2-16.el8_6.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2024-07-24T00:00:00Z",
    "advisory" : "RHSA-2024:4826",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "freeradius:3.0-8060020240719034751.830b6f11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2024-11-04T00:00:00Z",
    "advisory" : "RHSA-2024:8794",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "krb5-0:1.18.2-16.el8_6.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2024-07-24T00:00:00Z",
    "advisory" : "RHSA-2024:4826",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "freeradius:3.0-8060020240719034751.830b6f11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2024-11-04T00:00:00Z",
    "advisory" : "RHSA-2024:8794",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "krb5-0:1.18.2-16.el8_6.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-07-24T00:00:00Z",
    "advisory" : "RHSA-2024:4829",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.8",
    "package" : "freeradius:3.0-8080020240719112231.b012cf7d"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-11-04T00:00:00Z",
    "advisory" : "RHSA-2024:8792",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "krb5-0:1.18.2-26.el8_8.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-07-31T00:00:00Z",
    "advisory" : "RHSA-2024:4935",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "freeradius-0:3.0.21-40.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9474",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "krb5-0:1.21.1-4.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9474",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "krb5-0:1.21.1-4.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2024-07-30T00:00:00Z",
    "advisory" : "RHSA-2024:4912",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "freeradius-0:3.0.21-26.el9_0.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2024-10-29T00:00:00Z",
    "advisory" : "RHSA-2024:8577",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "krb5-0:1.19.1-16.el9_0.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-07-24T00:00:00Z",
    "advisory" : "RHSA-2024:4828",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "freeradius-0:3.0.21-38.el9_2.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-10-24T00:00:00Z",
    "advisory" : "RHSA-2024:8461",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "krb5-0:1.20.1-9.el9_2.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2024-11-13T00:00:00Z",
    "advisory" : "RHSA-2024:9547",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "krb5-0:1.21.1-2.el9_4.1"
  }, {
    "product_name" : "Red Hat OpenShift AI 2.16",
    "release_date" : "2024-12-05T00:00:00Z",
    "advisory" : "RHSA-2024:10852",
    "cpe" : "cpe:/a:redhat:openshift_ai:2.16::el8",
    "package" : "rhoai/odh-kf-notebook-controller-rhel8:sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "freeradius",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-3596\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3596\nhttps://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/\nhttps://datatracker.ietf.org/doc/html/rfc2865\nhttps://networkradius.com/assets/pdf/radius_and_md5_collisions.pdf\nhttps://w1.fi/security/2024-1/hostapd-and-radius-protocol-forgery-attacks.txt\nhttps://www.blastradius.fail/\nhttps://www.kb.cert.org/vuls/id/456537" ],
  "name" : "CVE-2024-3596",
  "mitigation" : {
    "value" : "Disable the use of RADIUS/UDP and RADIUS/TCP.\nRADIUS/TLS or RADIUS/DTLS should be used.",
    "lang" : "en:us"
  },
  "csaw" : false
}