CVE-2024-3596

9.0 CRITICAL

📋 TL;DR

CVE-2024-3596 (the "Blast-RADIUS" attack) lets an attacker positioned between a RADIUS client (NAS) and a RADIUS server forge responses. The RFC 2865 Response Authenticator is an unkeyed MD5 hash of the packet with the shared secret appended, so an MD5 chosen-prefix collision lets the attacker turn a valid Access-Reject into an Access-Accept (or any response into any other) without knowing the secret. It affects RADIUS over UDP or TCP wherever responses are protected only by the Response Authenticator, which in practice means non-EAP methods such as PAP, CHAP and MS-CHAPv2 exchanged without a Message-Authenticator attribute. Anyone operating RADIUS for network, VPN or device-administration authentication is impacted.

💻 Affected Systems

Products:
  • Any RADIUS server or client (NAS, VPN gateway, switch, wireless controller, RADIUS proxy) that accepts Access-Accept, Access-Reject or Access-Challenge packets protected only by the RFC 2865 MD5 Response Authenticator
Versions: All releases before the vendor's CVE-2024-3596 fix (for example FreeRADIUS before 3.2.5 / 3.0.27)
Operating Systems: All; the weakness is in the protocol, not in a particular OS
Default Config Vulnerable: ⚠️ Yes
Notes: Default configurations send and accept responses without a Message-Authenticator attribute. RADIUS/TLS (RadSec, RFC 6614) and RADIUS/DTLS (RFC 7360) are not affected because an on-path attacker cannot modify the packets. EAP exchanges are not affected because RFC 3579 makes Message-Authenticator mandatory for them.

📦 What is this software?

RADIUS (RFC 2865) is the client/server protocol that network access servers (VPN concentrators, wireless controllers, switches, firewalls) use to ask a central AAA server whether a user may log in and which policy to apply. Requests and responses travel over UDP/1812 (authentication) and UDP/1813 (accounting). Each response is integrity-protected only by the MD5 Response Authenticator unless a Message-Authenticator attribute (RFC 2869) is present.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete authentication bypass: an on-path attacker turns the server's Access-Reject for a wrong password into an Access-Accept and obtains network, VPN or administrative access as any user without valid credentials. The forged Access-Accept can also carry attacker-chosen attributes (VLAN, filter, privilege level) for privilege escalation, and the same technique rewrites Access-Accept or Access-Challenge into Access-Reject to lock users out.

🟠

Likely Case

An attacker who can intercept and modify traffic between a RADIUS client and server (a compromised router or switch, ARP or route spoofing on a shared segment, or a compromised RADIUS proxy link) forges responses to gain access to protected resources or to disrupt legitimate logins. The MD5 collision has to be computed before the client's request times out, which limits the attack to attackers with meaningful compute.

🟢

If Mitigated

Network segmentation limits who can reach the client-server path, so a compromised host elsewhere in the network cannot mount the attack, but it does not repair the weakness: any foothold on that path, or on a proxy hop, still allows forgery. Only Message-Authenticator enforcement or RadSec removes it.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: Not publicly known; feasible for a well-resourced attacker
Unauthenticated Exploit: ✅ Yes (no credentials needed, but an on-path position between client and server is)
Complexity: HIGH

The attacker must already sit on the path between RADIUS client and server and must compute an MD5 chosen-prefix collision before the client gives up on its request (typically tens of seconds). Chosen-prefix collision tooling is public, so exploitation is realistic for a well-resourced attacker, but it is not a point-and-click exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by vendor (for example FreeRADIUS 3.2.5 and 3.0.27 ship the Message-Authenticator enforcement). Check the advisory for your server and for every NAS and proxy vendor.

Vendor Advisory: http://www.openwall.com/lists/oss-security/2024/07/09/4

Restart Required: Yes

Instructions:

1. Apply vendor patches to RADIUS servers and to every RADIUS client (NAS, VPN gateway, proxy); both sides of each hop need the fix.
2. Configure servers to include a Message-Authenticator (RFC 2869, HMAC-MD5 keyed with the shared secret) in every Access-Accept, Access-Reject and Access-Challenge, and clients to discard responses without one. The patches do not replace the MD5 Response Authenticator, whose wire format is fixed by RFC 2865; they add the keyed check an attacker cannot forge without the secret. On FreeRADIUS 3.2.5+ / 3.0.27+ the server adds the attribute to responses, and `require_message_authenticator` and `limit_proxy_state` in the `security` section of radiusd.conf (or per client in clients.conf) control whether it insists on the attribute in requests and rejects requests with unexpected Proxy-State.
3. Restart RADIUS services and re-test authentication from each NAS: a server that now requires Message-Authenticator in requests will reject old clients that do not send it.
4. Move RADIUS traffic to RADIUS/TLS (RadSec) where vendors support it, and never carry plain RADIUS/UDP across untrusted networks.

🔧 Temporary Workarounds

Enable RADIUS over TLS (RadSec)

all

RadSec (RFC 6614) carries RADIUS inside TLS over TCP/2083, so an on-path attacker can neither read or modify the Access-Request nor substitute the response. The MD5 Response Authenticator is still computed inside the tunnel, but it is no longer what protects the packet.

# FreeRADIUS ships a RadSec listener in raddb/sites-available/tls (TCP/2083,
# certificates under raddb/certs); enable it and point each NAS at it as a
# RadSec server. Both ends must support RadSec, so check the NAS vendor first.

Implement network segmentation

linux

Restrict who can reach the RADIUS client-server path: the attack needs an on-path position, so keep RADIUS on a dedicated management VLAN and accept packets only from known NAS addresses. This reduces exposure but does not fix the protocol.

# Accept RADIUS auth/acct only from the trusted NAS range, drop everything else
iptables -A INPUT -p udp -m multiport --dports 1812,1813 -s <trusted_nas_network> -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 1812,1813 -j DROP

🧯 If You Can't Patch

  • Segment RADIUS traffic to isolated VLANs with strict access controls, and monitor that path for ARP or route spoofing
  • Enable Message-Authenticator in responses and require it in requests if your software already offers the option, even before the full patch
  • Prefer EAP methods (802.1X with EAP-TLS or PEAP) over PAP, CHAP and MS-CHAPv2, since EAP exchanges carry a mandatory Message-Authenticator
  • Do not rely on an extra factor inside the same RADIUS exchange: the forged Access-Accept bypasses the server's decision, MFA included

🔍 How to Verify

Check if Vulnerable:

Capture traffic between a NAS and the server (tcpdump or tshark on UDP/1812) and inspect the Access-Accept, Access-Reject and Access-Challenge packets: if they carry no Message-Authenticator attribute (type 80), or the client accepts responses without one, the deployment is vulnerable. Also list the authentication methods in use; PAP, CHAP and MS-CHAPv2 over plain RADIUS/UDP or TCP are the exposed ones, EAP methods and RadSec are not.

Check Version:

# Check RADIUS server version (the binary is named freeradius on Debian/Ubuntu)
radiusd -v
freeradius -v
# Or check the package version
rpm -q freeradius
dpkg -l freeradius

Verify Fix Applied:

Capture again after patching: every Access-Accept, Access-Reject and Access-Challenge should now carry a Message-Authenticator, and a response with that attribute stripped or altered should be discarded by the client. Do not look for the MD5 Response Authenticator to disappear: RFC 2865 fixes it on the wire and patched software still computes it.
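The packet checks described in the TL;DR and in "Verify Fix Applied", as an added example that is not part of this advisory or of any RADIUS product: a minimal RADIUS packet builder in Python that computes the RFC 2865 Response Authenticator (MD5 over header, Request Authenticator, attributes and shared secret) and the RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the secret), plus a client-side verifier in legacy and patched mode. The shared secret, identifier and User-Name are constructed for the demo. The "forged" Access-Accept stands in for the outcome of a successful chosen-prefix collision: it is built with the secret here, which a real attacker cannot do, but it has exactly the property the collision produces, a verifying Response Authenticator and no Message-Authenticator. No collision code is included.

```python
"""Added example: RFC 2865 Response Authenticator vs RFC 2869 Message-Authenticator.
Not code from the advisory or from any RADIUS product; secret and data are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def encode_attrs(attrs):
    """TLV-encode [(type, value), ...] as RFC 2865 attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    Unkeyed MD5 with the secret as a common suffix: a chosen-prefix collision on
    everything before the secret collides the full hash as well."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 s5.14: HMAC-MD5 keyed with the secret over the packet, with the
    Request Authenticator in the header and attribute 80 zeroed. Being keyed, an
    MD5 collision does not help an attacker who lacks the secret."""
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()


def build_response(code, ident, request_auth, attrs, secret, with_ma):
    attrs = list(attrs)
    if with_ma:  # patched servers add attribute 80 to every Accept/Reject/Challenge
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                     message_authenticator(code, ident, request_auth, attrs, secret))
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return build_packet(code, ident, auth, attrs)


def has_message_authenticator(packet):
    """'How to Verify' check: does a captured response carry attribute 80?"""
    return any(t == ATTR_MESSAGE_AUTHENTICATOR for t, _ in decode_attrs(packet[HEADER.size:]))


def verify_response(packet, request_auth, secret, require_ma):
    """Client-side validation; require_ma=False is the pre-patch behaviour."""
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length != len(packet):
        return False
    attrs = decode_attrs(packet[HEADER.size:])
    if not hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, attrs, secret)):
        return False
    if not has_message_authenticator(packet):
        return not require_ma
    given = next(v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR)
    return hmac.compare_digest(given, message_authenticator(code, ident, request_auth, attrs, secret))


# Constructed scenario: shared secret, identifier and user are made up for the demo.
SECRET = b"constructed-shared-secret"
REQ_AUTH = os.urandom(16)  # Request Authenticator from the NAS's Access-Request
IDENT = 7
USER = [(ATTR_USER_NAME, b"alice")]


def scenario():
    """Outcomes of the legacy and patched checks against genuine and forged replies."""
    reject = build_response(ACCESS_REJECT, IDENT, REQ_AUTH, USER, SECRET, with_ma=False)
    # Stand-in for a successful chosen-prefix collision: built with the secret here,
    # which a real attacker cannot do, but with the property the collision yields.
    forged = build_response(ACCESS_ACCEPT, IDENT, REQ_AUTH, USER, SECRET, with_ma=False)
    genuine = build_response(ACCESS_ACCEPT, IDENT, REQ_AUTH, USER, SECRET, with_ma=True)
    tampered = bytearray(genuine)
    tampered[HEADER.size + 2] ^= 0x01  # flip one bit of User-Name, recompute nothing
    return {
        "reject_has_ma": has_message_authenticator(reject),
        "reject_legacy": verify_response(reject, REQ_AUTH, SECRET, require_ma=False),
        "forged_accept_legacy": verify_response(forged, REQ_AUTH, SECRET, require_ma=False),
        "forged_accept_patched": verify_response(forged, REQ_AUTH, SECRET, require_ma=True),
        "genuine_accept_patched": verify_response(genuine, REQ_AUTH, SECRET, require_ma=True),
        "tampered_accept_legacy": verify_response(bytes(tampered), REQ_AUTH, SECRET, require_ma=False),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:24s} {ok}")
```

has_message_authenticator() is the check to run over captured responses. The scenario() results show the legacy check passing the forged Access-Accept, the patched check refusing it, and a genuine reply with Message-Authenticator still verifying. Flipping a single bit of a genuine packet fails even the MD5 check, which is why the attacker needs a collision rather than a simple edit.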

📡 Detection & Monitoring

Log Indicators:

  • Access-Accept recorded on a NAS (session start, VPN connect) for a login the RADIUS server logged as rejected; correlate NAS and server logs by user, NAS address and time
  • Patched servers or clients logging packets that lacked a Message-Authenticator, or requests carrying unexpected Proxy-State
  • Unexpected authentication successes or failures for accounts that should have been denied

Network Indicators:

  • RADIUS responses arriving noticeably later than usual (the attacker must finish the collision before the client timeout)
  • Access-Request packets carrying large or random-looking Proxy-State attributes from NAS devices that are not proxies
  • RADIUS traffic to or from addresses that are not known NAS devices, proxies or servers

SIEM Query:

# Splunk-style pseudo-query; field names depend on your RADIUS server and NAS log sources
index=radius ((result="accept" AND NOT src_ip IN (<trusted_nas_ranges>)) OR (level="warning" AND message="*Message-Authenticator*"))

🔗 References

  • http://www.openwall.com/lists/oss-security/2024/07/09/4