In 2024, a critical vulnerability—CVE-2024-3596—came to light, exposing the RADIUS protocol (defined in RFC 2865) to dangerous forgery attacks. This flaw lets an attacker, with local network access, modify a legitimate RADIUS server Response (like Access-Accept, Access-Reject, or Access-Challenge) into any other response type. At the heart of the attack is an MD5 chosen-prefix collision, which undermines the trust in the protocol’s Response Authenticator.

Below, we’ll break down how the vulnerability works, give a working code example, and provide resources for more details. This article is written in plain American English to help security practitioners, system administrators, and curious readers understand this risk.

What is RADIUS?

RADIUS stands for *Remote Authentication Dial-In User Service*. It’s a widely used protocol for handling authentication, authorization, and accounting (AAA), especially in corporate networks for VPNs, Wi-Fi, and network device logins.

When a user logs in, a RADIUS client (like a Wi-Fi access point) sends a request to a RADIUS server. The server responds with one of these types:

Access-Challenge (request more info)

Each response includes a cryptographic field called the Response Authenticator to ensure the reply is valid and unaltered.

What is CVE-2024-3596?

CVE-2024-3596 reveals that the Response Authenticator, which is meant to protect replies, can be forged by exploiting weaknesses in the MD5 hash function. If an attacker can observe—and slightly influence—the content of legitimate RADIUS responses, they can use modern chosen-prefix collision techniques to make two response messages with different meanings produce the same MD5 hash. The response can then be modified in-transit, and the client will have no way to know.

Bottom line: Attackers can trick a RADIUS client (like a Wi-Fi access point) into accepting forged responses, potentially letting unauthorized users in or blocking real users.

Why is this possible?

- MD5 is broken: Cryptographers have demonstrated practical chosen-prefix collisions since 2007 (Stevens et al.).

- RADIUS Response Authenticator uses MD5: The hash is calculated as

ResponseAuthenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+secret)

- No randomization or extra salt: If an attacker can fine-tune the input, they can craft two different responses with the same MD5.
- Local network requirement: The exploit requires an attacker to be able to intercept and modify traffic, so attacks are local rather than remote.

---

## How the Exploit Works

1. Intercept a real response: An attacker with local network access (e.g., on the same Wi-Fi) sniffs a legitimate RADIUS response.
2. Construct two responses: Using advanced tools, the attacker creates two different responses (e.g., an Access-Reject and an Access-Accept) that result in the same MD5 hash (the Response Authenticator).
3. Replace the response on the fly: The attacker swaps the real response with their crafted one, and the client believes the response is genuine.

### Example Attack Flow

#### Legitimate Flow

[RADIUS Server] --[Access-Reject]--> [Access Point] --[User Denied]


#### Exploited Flow

[RADIUS Server] --[Access-Reject]--> [Attacker modifies & forges Access-Accept] --> [Access Point] --[User Granted Access]


---

## Example Code Snippet

Below is a python-like pseudocode to show how an attacker would forge two valid RADIUS responses with same MD5 Response Authenticator using the hashclash tool:

### 1. Crafting the Colliding Messages

python
import subprocess

# Install hashclash from https://github.com/cr-marcstevens/hashclash

Prepare two message templates

msg1 = b'\x02\x01\x00\x15' + request_authenticator + reject_attributes
msg2 = b'\x02\x01\x00\x15' + request_authenticator + accept_attributes

Use hashclash to create a chosen-prefix collision

subprocess.run([
'hashclash/collide',

'--output', 'rej-coll.bin', 'acc-coll.bin'

])

These two files now have the same MD5 hash!

rej_coll = open('rej-coll.bin', 'rb').read()
acc_coll = open('acc-coll.bin', 'rb').read()


### 2. Forging and Injecting the Response

python

send_packet(to=packet.dst, data=acc_coll)

`

*(Note: This is hypothetical PoC code. Real attacks require deep protocol understanding, hashclash, and network-injection skills.)*

---

## Mitigations

- Don’t use MD5 for authentication! Prefer protocols that use modern hash and cryptographic verification (e.g., use TLS, RadSec).
- Encrypt and authenticate RADIUS: Upgrade to RadSec, which tunnels RADIUS over TLS.
- Monitor for suspicious responses: Watch for odd RADIUS responses or duplicates on your network.
- Network segmentation: Limit local network access as attackers must be local.

---

## References

- CVE-2024-3596 MITRE Record
- RFC 2865: Remote Authentication Dial In User Service (RADIUS)
- Chosen-Prefix Collisions for MD5 and SHA1
- hashclash MD5 Collision Tool
- RFC 6614: RADIUS over TLS

---

## Conclusion

CVE-2024-3596 is a wake-up call: any security protocol using MD5 in 2024 is at risk. Old cryptography can make entire authentication systems like RADIUS vulnerable. For network admins and architects, moving to modern protocols and cryptography should be a top priority.

---

Stay secure! Track this vulnerability and push your vendors for updates.

Timeline

Published on: 07/09/2024 12:15:20 UTC
Last modified on: 12/30/2024 19:23:20 UTC