Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade freeradius/freeradius-server to version 3.0.27, 3.2.5 or higher.
Affected versions of this package are vulnerable to Authentication Bypass by Spoofing due to a cryptographically insecure integrity check using MD5, when the Message-Authenticator attribute is not in use. (It is not enforced by default for non-EAP requests.) An attacker can gain unauthorized access by modifying any response into any other response, including an Access-Reject response into an Access-Accept response, using a chosen-prefix attack against the hash value.
Notes:
While the attacker needs access to the network to which the RADIUS server is connected, the attack can be carried out against any server in the chain of proxies.
Exploitation of this vulnerability can be avoided by encrypting traffic from the RADIUS server with TLS or by requiring the Message-Authenticator attribute.
Servers using EAP are not vulnerable to the attack demonstrated, as the Message-Authenticator attribute is enforced. However, the RADIUS packets themselves are still transmitted over UDP without TLS, so a variant of the same attack may be possible.
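The mitigation of requiring the Message-Authenticator attribute can be illustrated with a receiver-side check. This is an added example, not code from Snyk or FreeRADIUS: the function names, shared secret and packets are constructed, and the two computations follow the RADIUS RFCs (Response Authenticator as plain MD5 with the secret appended, Message-Authenticator as HMAC-MD5 keyed with the secret).

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869

def build_response(code, ident, request_auth, attrs, secret, with_ma):
    """Build a constructed RADIUS response (demo input, not captured traffic)."""
    if with_ma:  # 16 zero bytes as placeholder, filled in below
        attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + attrs
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if with_ma:
        mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac + attrs[18:]
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """Return 'ok' or the reason the response must be dropped."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        return "bad length"
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:length]
    # Legacy integrity check: plain MD5 with the secret appended.
    legacy = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(legacy, resp_auth):
        return "bad Response Authenticator"
    pos, ma_at = 0, None
    while pos < len(attrs):  # walk the type/length/value attributes
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            return "malformed attribute"
        if attrs[pos] == MESSAGE_AUTHENTICATOR:
            if attrs[pos + 1] != 18 or ma_at is not None:
                return "malformed Message-Authenticator"
            ma_at = pos + 2
        pos += attrs[pos + 1]
    if ma_at is None:  # the enforcement step: the MD5 check alone is not accepted
        return "missing Message-Authenticator"
    # HMAC-MD5 over the packet with the attribute value zeroed.
    zeroed = attrs[:ma_at] + bytes(16) + attrs[ma_at + 16:]
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, attrs[ma_at:ma_at + 16]):
        return "bad Message-Authenticator"
    return "ok"

SECRET, REQ_AUTH = b"constructed-secret", bytes(range(16))  # constructed values
REPLY = bytes([18, 6]) + b"deny"                            # Reply-Message attribute
for with_ma in (False, True):
    print(verify_response(build_response(3, 7, REQ_AUTH, REPLY, SECRET, with_ma), REQ_AUTH, SECRET))
```

The first constructed response passes the MD5 Response Authenticator check yet is dropped for lacking the attribute; the second carries a valid HMAC and is accepted.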