CVE-2024-3596

Publication date 9 July 2024

Last updated 3 October 2024

Ubuntu priority

Cvss 3 Severity Score

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.

Read the notes from the security team

Mitigation

Disable the use of RADIUS/UDP and RADIUS/TCP - instead RADIUS/TLS or RADIUS/DTLS should be used.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
freeradius	24.10 oracular	Not affected
	24.04 LTS noble	Fixed 3.2.5+dfsg-3~ubuntu24.04.1
	23.10 mantic	Ignored end of life, was needed
	22.04 LTS jammy	Fixed 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.3
	20.04 LTS focal	Fixed 3.0.20+dfsg-3ubuntu0.4
	18.04 LTS bionic	Vulnerable
	16.04 LTS xenial	Vulnerable

Notes

alexmurray

RADIUS clients may also be affected

mdeslaur

This vulnerability is known as Blast-RADIUS

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
freeradius	Upstream: https://github.com/FreeRADIUS/freeradius-server/commits/v3.0.x/?since=2024-07-09&until=2024-07-09 Upstream: https://github.com/FreeRADIUS/freeradius-server/commits/v3.2.x/?since=2024-07-09&until=2024-07-09 Upstream: 3a00a6e Upstream: 4da715d Upstream: 69765bb Upstream: 5e1a393 Upstream: bc4f0a7 Upstream: 33ae351 Upstream: 828341a Upstream: ea6bf44 Upstream: 0c101d6 Upstream: 836aeb9 Upstream: 099c416 Upstream: 9455341 Upstream: 43587a6 Upstream: 6451425 Upstream: 2817b85 Upstream: accb06a Upstream: 3f8da13 Upstream: bf190f9 Upstream: 0aada8c Upstream: a26afcf Upstream: 9518f2d Upstream: 55342c7 Upstream: da643f1

Package

Patch details

freeradius

Upstream: https://github.com/FreeRADIUS/freeradius-server/commits/v3.0.x/?since=2024-07-09&until=2024-07-09
Upstream: https://github.com/FreeRADIUS/freeradius-server/commits/v3.2.x/?since=2024-07-09&until=2024-07-09
Upstream: 3a00a6e
Upstream: 4da715d
Upstream: 69765bb
Upstream: 5e1a393
Upstream: bc4f0a7
Upstream: 33ae351
Upstream: 828341a
Upstream: ea6bf44
Upstream: 0c101d6
Upstream: 836aeb9
Upstream: 099c416
Upstream: 9455341
Upstream: 43587a6
Upstream: 6451425
Upstream: 2817b85
Upstream: accb06a
Upstream: 3f8da13
Upstream: bf190f9
Upstream: 0aada8c
Upstream: a26afcf
Upstream: 9518f2d
Upstream: 55342c7
Upstream: da643f1

Severity score breakdown

Parameter	Value
Base score	8.1 · High
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-7055-1
FreeRADIUS vulnerability
3 October 2024

CVE-2024-3596

Cvss 3 Severity Score

Mitigation

Status

Notes

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references