CVE-2023-39930
📋 TL;DR
This vulnerability allows attackers to bypass first-factor authentication in PingFederate with PingID Radius PCV by sending maliciously crafted RADIUS client requests using MSCHAP authentication. Organizations using affected PingFederate configurations with PingID Radius PCV are vulnerable to unauthorized access.
💻 Affected Systems
- PingFederate with PingID Radius PCV
📦 What is this software?
PingID Radius PCV by Ping Identity
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to protected systems and data by bypassing authentication entirely, potentially leading to data breaches, privilege escalation, and lateral movement.
Likely Case
Unauthorized access to applications and services protected by PingFederate with PingID Radius PCV, allowing attackers to impersonate legitimate users.
If Mitigated
Limited impact with proper network segmentation, monitoring, and compensating controls, though authentication bypass remains possible.
🎯 Exploit Status
Exploitation requires network access to the RADIUS service and knowledge of crafting malicious RADIUS requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PingID Integration Kit 2.26 or later
Vendor Advisory: https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_26_rn
Restart Required: Yes
Instructions:
1. Download PingID Integration Kit 2.26 or later from Ping Identity.
2. Follow the upgrade instructions in the release notes.
3. Restart affected PingFederate services.
🔧 Temporary Workarounds
Disable MSCHAP authentication
Temporarily disable MSCHAP authentication in the PingID Radius PCV configuration until patching is complete.
Configuration changes via PingFederate admin console
Restrict RADIUS client access
Implement network ACLs to restrict which clients can communicate with the RADIUS service. RADIUS authentication uses UDP port 1812 by default, so the rules below filter UDP rather than TCP; they only allow TRUSTED_IP, so make sure all other sources are denied by the default policy or an explicit block rule.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port port="1812" protocol="udp" accept'
firewall-cmd --reload
netsh advfirewall firewall add rule name="Restrict RADIUS" dir=in action=allow protocol=UDP localport=1812 remoteip=TRUSTED_IP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate RADIUS services from untrusted networks
- Enable detailed logging and monitoring for RADIUS authentication attempts and implement alerting for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check the PingID Integration Kit version in the PingFederate admin console or configuration files. If the version is below 2.26 and PingID Radius PCV is in use with MSCHAP authentication, the system is vulnerable.
Check Version:
Check the PingFederate admin console or configuration files for the PingID Integration Kit version.
Verify Fix Applied:
Verify PingID Integration Kit version is 2.26 or higher and test authentication with legitimate RADIUS clients.
📡 Detection & Monitoring
Log Indicators:
- Unusual RADIUS authentication patterns
- Failed MSCHAP authentication attempts from unexpected sources
- Successful authentications without proper credentials
Network Indicators:
- RADIUS traffic from unauthorized IP addresses
- Unusual volume of RADIUS authentication requests
SIEM Query:
source="radius" AND (event_type="authentication" AND result="success") AND src_ip NOT IN [trusted_ips]
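The following is an added example, not part of the original advisory or any Ping Identity tooling: it applies the SIEM logic above to constructed RADIUS log lines, flagging successful authentications from sources outside an assumed trusted client network and, in addition, any MSCHAP attempt from such a source. The key=value log format and the 10.0.5.0/24 trusted range are assumptions.

```python
import ipaddress
import re

# Constructed sample log lines; the key=value format is an assumption, not PingFederate's.
SAMPLE_LOG = """\
2023-09-01T10:00:01Z radius event_type=authentication method=MSCHAP src_ip=10.0.5.20 user=alice result=success
2023-09-01T10:00:07Z radius event_type=authentication method=PAP src_ip=10.0.5.21 user=bob result=failure
2023-09-01T10:00:09Z radius event_type=authentication method=MSCHAP src_ip=203.0.113.44 user=carol result=success
2023-09-01T10:00:12Z radius event_type=authentication method=MSCHAP src_ip=203.0.113.44 user=admin result=failure
2023-09-01T10:00:15Z radius event_type=accounting src_ip=10.0.5.20 user=alice result=success
"""

TRUSTED_CLIENTS = [ipaddress.ip_network("10.0.5.0/24")]  # assumed trusted RADIUS clients
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+radius\s+(?P<kv>.*)$")

def parse_line(line: str) -> dict[str, str]:
    """Parse one log line into its key=value fields plus the timestamp; {} if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields

def is_trusted(src_ip: str) -> bool:
    """True if src_ip falls inside one of the trusted client networks."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # a missing or malformed source address is never trusted
    return any(addr in net for net in TRUSTED_CLIENTS)

def find_suspicious(log_text: str) -> list[dict[str, str]]:
    """Return authentication events from untrusted sources, tagged with a reason:
    any success (the SIEM query above) and any MSCHAP attempt, successful or not."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("event_type") != "authentication" or is_trusted(ev.get("src_ip", "")):
            continue
        if ev.get("result") == "success":
            ev["reason"] = "success_from_untrusted_source"
        elif ev.get("method") == "MSCHAP":
            ev["reason"] = "mschap_attempt_from_untrusted_source"
        else:
            continue
        hits.append(ev)
    return hits
```

On the sample above this flags two events from 203.0.113.44 (a success for carol and an MSCHAP failure for admin) and ignores the accounting record and the trusted-source events.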