The RADIUS Protocol under RFC 2865 [\[1\]][1] is an industry-standard protocol frequently used to manage authentication, authorization, and accounting (AAA) of remote user access to various network services. The protocol relies on MD5 hashing for its *Response Authenticator* signature, which is designed to provide integrity and authenticity to RADIUS packets.
Recently, the RADIUS Protocol has been assigned as CVE-2024-3596 and was found to be susceptible to forgery attacks [\[2\]][2]. A local attacker capable of intercepting RADIUS communication can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) and transform it into any other desired response. This vulnerability arises from a chosen-prefix collision attack against the MD5 Response Authenticator signature.
This post will provide an in-depth analysis of this vulnerability, including a code snippet to demonstrate how an attacker can exploit it, along with original references and more exploit details.
Digging Deeper: Breaking Down RADIUS
As previously mentioned, RADIUS follows the RFC 2865 specification [\[1\]][1]. The protocol's responses are typically Access-Accept, Access-Reject, or Access-Challenge, and they each contain a Response Authenticator field (further detailed in section 3 of RFC 2865). The field is a 16-byte MD5 checksum of a concatenation of shared secret, the received packet (excluding the authenticator field content), and the received packet's authenticator field.
The code snippet shown below illustrates how the Response Authenticator is generated (in Python)
import hashlib
def generate_response_authenticator(shared_secret, received_packet, request_authenticator):
md5 = hashlib.md5()
md5.update(shared_secret.encode('utf-8'))
md5.update(received_packet.encode('utf-8'))
md5.update(request_authenticator)
response_authenticator = md5.digest()
return response_authenticator
Now, the process of using MD5 to protect the integrity of RADIUS packets is fundamentally flawed. The reason for this vulnerability is twofold: first, MD5 is well-known for its multiple weaknesses [\[3\]][3], and second, the way in which the protocol creates the Response Authenticator renders it susceptible to chosen-prefix collision attacks.
Exploit Details
A chosen-prefix collision attack is when an attacker can generate two different messages with the same MD5 hash, given a fixed known prefix and an arbitrary suffix controlled by the attacker.
To exploit this vulnerability, the attacker has to intercept a valid RADIUS packet containing a Response Authenticator field. Once the packet is intercepted, the attacker can intelligently use MD5 collision generation techniques, such as the one detailed by Marc Stevens, Arjen Lenstra, and Benne de Weger [\[4\]][4], to create another valid-looking packet with the desired type (Access-Accept, Access-Reject, or Access-Challenge). This manipulated packet will still have the original packet's Response Authenticator, enabling the attacker to bypass the protocol's integrity and authenticity checks.
Conclusion
The CVE-2024-3596 vulnerability in the RADIUS Protocol demonstrates the shortcomings of using MD5 as a cryptographic primitive for ensuring integrity and authenticity. To mitigate this security threat, network administrators should consider upgrading to more robust security protocols, like EAP over RADIUS [\[5\]][5], which offers stronger cryptographic algorithms and helps avoid such forgery attacks.
It is important to constantly evaluate the security strength of widely-used protocols and update them accordingly to provide a safe networking environment.
References
[1]: https://tools.ietf.org/html/rfc2865
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3596
[3]: https://en.wikipedia.org/wiki/MD5#Security
[4]: https://eprint.iacr.org/2006/104
[5]: https://tools.ietf.org/html/rfc3748
\[1\]: RFC 2865: Remote Authentication Dial In User Service (RADIUS)
\[2\]: CVE-2024-3596: RADIUS forgery attacks
\[3\]: Wikipedia: MD5 Security
\[4\]: Stevens, Lenstra, De Weger. (2006) Fast Collision Attack on MD5
\[5\]: RFC 3748: Extensible Authentication Protocol (EAP)
Timeline
Published on: 07/09/2024 12:15:20 UTC
Last modified on: 07/23/2024 09:15:02 UTC