cnvd - cnvd-2024-33450

CNVD-2024-33450

Vulnerability from cnvd - Published: 2024-07-23

Title

RADIUS Protocol under RFC 2865存在未明漏洞

Description

RADIUS Protocol under RFC 2865是RFC开源的一个网络协议。 RADIUS Protocol under RFC 2865存在安全漏洞，攻击者利用该漏洞使用针对MD5响应验证器签名的选择前缀冲突攻击，将任何有效的响应(Access-Accept, Access-Reject或Access-Challenge)修改为任何其他响应。

Severity

高

Formal description

厂商尚未提供漏洞修补方案，请关注厂商主页及时更新： https://datatracker.ietf.org/doc/html/rfc2865

Reference

http://www.openwall.com/lists/oss-security/2024/07/09/4

Impacted products

Name
IETF RFC 2865

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-3596"
    }
  },
  "description": "RADIUS Protocol under RFC 2865\u662fRFC\u5f00\u6e90\u7684\u4e00\u4e2a\u7f51\u7edc\u534f\u8bae\u3002\n\nRADIUS Protocol under RFC 2865\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u7528\u9488\u5bf9MD5\u54cd\u5e94\u9a8c\u8bc1\u5668\u7b7e\u540d\u7684\u9009\u62e9\u524d\u7f00\u51b2\u7a81\u653b\u51fb\uff0c\u5c06\u4efb\u4f55\u6709\u6548\u7684\u54cd\u5e94(Access-Accept, Access-Reject\u6216Access-Challenge)\u4fee\u6539\u4e3a\u4efb\u4f55\u5176\u4ed6\u54cd\u5e94\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u8865\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u53ca\u65f6\u66f4\u65b0\uff1a\r\nhttps://datatracker.ietf.org/doc/html/rfc2865",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-33450",
  "openTime": "2024-07-23",
  "products": {
    "product": "IETF RFC 2865"
  },
  "referenceLink": "http://www.openwall.com/lists/oss-security/2024/07/09/4",
  "serverity": "\u9ad8",
  "submitTime": "2024-07-23",
  "title": "RADIUS Protocol under RFC 2865\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2024-3596 (GCVE-0-2024-3596)

Vulnerability from cvelistv5 – Published: 2024-07-09 12:02 – Updated: 2025-11-04 17:20

Summary

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.

Severity ?

9 (Critical)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

Assigner

certcc

References

URL

Tags

	https://datatracker.ietf.org/doc/html/rfc2865
	https://datatracker.ietf.org/doc/draft-ietf-radex…
	https://networkradius.com/assets/pdf/radius_and_m…
	https://www.blastradius.fail/
	http://www.openwall.com/lists/oss-security/2024/07/09/4
	https://psirt.global.sonicwall.com/vuln-detail/SN…
	https://cert-portal.siemens.com/productcert/html/…	vendor-advisory
	https://cert-portal.siemens.com/productcert/html/…	vendor-advisory

Impacted products

	Vendor	Product	Version
	IETF	RFC	Affected: 2865

Credits

Thanks to Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl who researched and reported this vulnerability

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:ietf:rfc:2865:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "rfc",
            "vendor": "ietf",
            "versions": [
              {
                "status": "affected",
                "version": "2865"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-3596",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-11T03:55:37.141738Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-04T21:05:25.373Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T17:20:52.225Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20240822-0001/"
          },
          {
            "url": "https://today.ucsd.edu/story/computer-scientists-discover-vulnerabilities-in-a-popular-security-protocol"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://datatracker.ietf.org/doc/html/rfc2865"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://networkradius.com/assets/pdf/radius_and_md5_collisions.pdf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.blastradius.fail/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/07/09/4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0014"
          },
          {
            "url": "https://www.kb.cert.org/vuls/id/456537"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "RFC",
          "vendor": "IETF",
          "versions": [
            {
              "status": "affected",
              "version": "2865"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks to Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl who researched and reported this vulnerability"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-328: Use of Weak Hash",
              "lang": "en"
            }
          ]
        },
        {
          "descriptions": [
            {
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en"
            }
          ]
        },
        {
          "descriptions": [
            {
              "description": "CWE-924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-03T17:29:16.788Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://datatracker.ietf.org/doc/html/rfc2865"
        },
        {
          "url": "https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/"
        },
        {
          "url": "https://networkradius.com/assets/pdf/radius_and_md5_collisions.pdf"
        },
        {
          "url": "https://www.blastradius.fail/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/07/09/4"
        },
        {
          "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0014"
        },
        {
          "name": "Siemens Security Advisory by Siemens ProductCERT for  SIPROTEC, SICAM and related product",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-794185.html"
        },
        {
          "name": "Siemens Security Advisory by Siemens ProductCERT to SCALANCE, RUGGEDCOM and related products.",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-723487.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.",
      "x_generator": {
        "engine": "VINCE 3.0.4",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2024-3596"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2024-3596",
    "datePublished": "2024-07-09T12:02:53.001Z",
    "dateReserved": "2024-04-10T15:09:45.391Z",
    "dateUpdated": "2025-11-04T17:20:52.225Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2024-33450

CVE-2024-3596 (GCVE-0-2024-3596)

Tags

Sightings

Nomenclature