RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.
Weakness
The product does not validate or incorrectly validates the integrity check values or “checksums” of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freeradius | Freeradius | * | 3.0.27 (excluding) |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | RedHat | freeradius-0:3.0.20-1.el7_9.1 | * |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | RedHat | krb5-0:1.15.1-55.el7_9.3 | * |
| Red Hat Enterprise Linux 8 | RedHat | freeradius:3.0-8100020230904084920.69ef70f8 | * |
| Red Hat Enterprise Linux 8 | RedHat | krb5-0:1.18.2-30.el8_10 | * |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | freeradius:3.0-8020020240726095340.ce27ea5e | * |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | krb5-0:1.17-19.el8_2.2 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | freeradius:3.0-8040020240719063921.9ab73fbf | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | krb5-0:1.18.2-9.el8_4.2 | * |
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | RedHat | freeradius:3.0-8040020240719063921.9ab73fbf | * |
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | RedHat | krb5-0:1.18.2-9.el8_4.2 | * |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | RedHat | freeradius:3.0-8040020240719063921.9ab73fbf | * |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | RedHat | krb5-0:1.18.2-9.el8_4.2 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | freeradius:3.0-8060020240719034751.830b6f11 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | krb5-0:1.18.2-16.el8_6.2 | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | freeradius:3.0-8060020240719034751.830b6f11 | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | krb5-0:1.18.2-16.el8_6.2 | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | freeradius:3.0-8060020240719034751.830b6f11 | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | krb5-0:1.18.2-16.el8_6.2 | * |
| Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | freeradius:3.0-8080020240719112231.b012cf7d | * |
| Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | krb5-0:1.18.2-26.el8_8.3 | * |
| Red Hat Enterprise Linux 9 | RedHat | freeradius-0:3.0.21-40.el9_4 | * |
| Red Hat Enterprise Linux 9 | RedHat | krb5-0:1.21.1-4.el9_5 | * |
| Red Hat Enterprise Linux 9 | RedHat | krb5-0:1.21.1-4.el9_5 | * |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | freeradius-0:3.0.21-26.el9_0.1 | * |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | krb5-0:1.19.1-16.el9_0.2 | * |
| Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | freeradius-0:3.0.21-38.el9_2.2 | * |
| Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | krb5-0:1.20.1-9.el9_2.2 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | krb5-0:1.21.1-2.el9_4.1 | * |
| Red Hat OpenShift AI 2.16 | RedHat | rhoai/odh-kf-notebook-controller-rhel8:sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1 | * |
| Freeradius | Ubuntu | esm-infra/bionic | * |
| Freeradius | Ubuntu | esm-infra/focal | * |
| Freeradius | Ubuntu | esm-infra/xenial | * |
| Freeradius | Ubuntu | focal | * |
| Freeradius | Ubuntu | jammy | * |
| Freeradius | Ubuntu | mantic | * |
| Freeradius | Ubuntu | noble | * |
| Freeradius | Ubuntu | upstream | * |
| Krb5 | Ubuntu | devel | * |
| Krb5 | Ubuntu | esm-infra-legacy/trusty | * |
| Krb5 | Ubuntu | esm-infra/bionic | * |
| Krb5 | Ubuntu | esm-infra/focal | * |
| Krb5 | Ubuntu | esm-infra/xenial | * |
| Krb5 | Ubuntu | focal | * |
| Krb5 | Ubuntu | jammy | * |
| Krb5 | Ubuntu | noble | * |
| Krb5 | Ubuntu | oracular | * |
| Krb5 | Ubuntu | plucky | * |
| Krb5 | Ubuntu | questing | * |
| Krb5 | Ubuntu | trusty/esm | * |
| Libpam-radius-auth | Ubuntu | focal | * |
| Libpam-radius-auth | Ubuntu | oracular | * |
| Libpam-radius-auth | Ubuntu | trusty/esm | * |
| Libpam-radius-auth | Ubuntu | upstream | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/145.html
- https://cwe.mitre.org/data/definitions/463.html
- https://cwe.mitre.org/data/definitions/75.html
References
- http://www.openwall.com/lists/oss-security/2024/07/09/4
- https://cert-portal.siemens.com/productcert/html/ssa-723487.html
- https://cert-portal.siemens.com/productcert/html/ssa-794185.html
- https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/
- https://datatracker.ietf.org/doc/html/rfc2865
- https://networkradius.com/assets/pdf/radius_and_md5_collisions.pdf
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0014
- https://www.blastradius.fail/
- http://www.openwall.com/lists/oss-security/2024/07/09/4
- https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/
- https://datatracker.ietf.org/doc/html/rfc2865
- https://networkradius.com/assets/pdf/radius_and_md5_collisions.pdf
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0014
- https://security.netapp.com/advisory/ntap-20240822-0001/
- https://today.ucsd.edu/story/computer-scientists-discover-vulnerabilities-in-a-popular-security-protocol
- https://www.blastradius.fail/
- https://www.kb.cert.org/vuls/id/456537