Lucene search

K
amazonAmazonALAS-2024-2611
HistoryAug 01, 2024 - 3:01 a.m.

Important: freeradius

2024-08-0103:01:00
alas.aws.amazon.com
3
radius protocol
forgery vulnerability
freeradius
md5 response authenticator
security advisory
cve-2024-3596
amazon linux 2

AI Score

9.4

Confidence

High

Issue Overview:

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature. (CVE-2024-3596)

Affected Packages:

freeradius

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update freeradius to update your system.

New Packages:

aarch64:  
    freeradius-3.0.27-1.amzn2.0.1.aarch64  
    freeradius-doc-3.0.27-1.amzn2.0.1.aarch64  
    freeradius-utils-3.0.27-1.amzn2.0.1.aarch64  
    freeradius-devel-3.0.27-1.amzn2.0.1.aarch64  
    freeradius-ldap-3.0.27-1.amzn2.0.1.aarch64  
    freeradius-krb5-3.0.27-1.amzn2.0.1.aarch64  
    freeradius-perl-3.0.27-1.amzn2.0.1.aarch64  
    freeradius-python-3.0.27-1.amzn2.0.1.aarch64  
    freeradius-mysql-3.0.27-1.amzn2.0.1.aarch64  
    freeradius-postgresql-3.0.27-1.amzn2.0.1.aarch64  
    freeradius-sqlite-3.0.27-1.amzn2.0.1.aarch64  
    freeradius-unixODBC-3.0.27-1.amzn2.0.1.aarch64  
    freeradius-debuginfo-3.0.27-1.amzn2.0.1.aarch64  
  
i686:  
    freeradius-3.0.27-1.amzn2.0.1.i686  
    freeradius-doc-3.0.27-1.amzn2.0.1.i686  
    freeradius-utils-3.0.27-1.amzn2.0.1.i686  
    freeradius-devel-3.0.27-1.amzn2.0.1.i686  
    freeradius-ldap-3.0.27-1.amzn2.0.1.i686  
    freeradius-krb5-3.0.27-1.amzn2.0.1.i686  
    freeradius-perl-3.0.27-1.amzn2.0.1.i686  
    freeradius-python-3.0.27-1.amzn2.0.1.i686  
    freeradius-mysql-3.0.27-1.amzn2.0.1.i686  
    freeradius-postgresql-3.0.27-1.amzn2.0.1.i686  
    freeradius-sqlite-3.0.27-1.amzn2.0.1.i686  
    freeradius-unixODBC-3.0.27-1.amzn2.0.1.i686  
    freeradius-debuginfo-3.0.27-1.amzn2.0.1.i686  
  
src:  
    freeradius-3.0.27-1.amzn2.0.1.src  
  
x86_64:  
    freeradius-3.0.27-1.amzn2.0.1.x86_64  
    freeradius-doc-3.0.27-1.amzn2.0.1.x86_64  
    freeradius-utils-3.0.27-1.amzn2.0.1.x86_64  
    freeradius-devel-3.0.27-1.amzn2.0.1.x86_64  
    freeradius-ldap-3.0.27-1.amzn2.0.1.x86_64  
    freeradius-krb5-3.0.27-1.amzn2.0.1.x86_64  
    freeradius-perl-3.0.27-1.amzn2.0.1.x86_64  
    freeradius-python-3.0.27-1.amzn2.0.1.x86_64  
    freeradius-mysql-3.0.27-1.amzn2.0.1.x86_64  
    freeradius-postgresql-3.0.27-1.amzn2.0.1.x86_64  
    freeradius-sqlite-3.0.27-1.amzn2.0.1.x86_64  
    freeradius-unixODBC-3.0.27-1.amzn2.0.1.x86_64  
    freeradius-debuginfo-3.0.27-1.amzn2.0.1.x86_64  

Additional References

Red Hat: CVE-2024-3596

Mitre: CVE-2024-3596