A RADIUS Protocol vulnerability was published on July 9, 2024. RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can forge an authentication response in cases where a Message-Authenticator attribute is not required or enforced. This issue arises from a cryptographically insecure integrity check using MD5, enabling attackers to spoof UDP-based RADIUS response packets. This could allow an attacker to undermine the fundamental security mechanisms of RADIUS-based authentication systems.
Item # |
Vulnerability ID |
Score Source |
Score |
Summary |
1 | CVE-2024-3596 | CVSSv3 | 9.0 Critical | RADIUS Protocol: forgery attack [1] |
The table below indicates releases of ACOS exposed to this vulnerability and ACOS releases that address them. ACOS release families not indicated below are unaffected by these vulnerabilities.
Customers using affected ACOS releases can overcome vulnerability exposures by updating to the indicated resolved release. If the table does not list a corresponding resolved or unaffected release, then no ACOS release update is currently available.
Releases Affected | Releases Resolved or Unaffected |
---|---|
6.0.0 – 6.0.5 | 6.0.6 |
5.2.1 – 5.2.1-P11 | 5.2.1-P12 |
4.1.4 – 4.1.4-GR1-P14 | 4.1.4-GR1-P14-SP1 |
This vulnerability involves malicious or Man-In-The-Middle RADIUS servers for exploitation. Manage and configure ACOS devices for RADIUS authentication operations only with trusted RADIUS servers on trusted communication channels.
For ACOS 6.0.6, 5.2.1-P12 or 4.1.4-GR1-P14-SP1 and newer:
Enable the message authenticator attribute verification using the following config command:
ACOS(config)# radius-server message-authenticator-verify-enable
Software updates that address these vulnerabilities are or will be published at the following URL:
Vulnerability ID | Vulnerability Description |
---|---|
CVE-2024-3596 |
RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature. |
None
Revision | Date | Description |
---|---|---|
1.0 | March 20, 2025 |
Initial Publication |
© Copyright 2025 A10 Networks, Inc. All Rights Reserved.
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.