Issue Overview:
RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature. (CVE-2024-3596)
Affected Packages:
freeradius
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update freeradius to update your system.
New Packages:
aarch64:
freeradius-3.0.27-1.amzn2.0.1.aarch64
freeradius-doc-3.0.27-1.amzn2.0.1.aarch64
freeradius-utils-3.0.27-1.amzn2.0.1.aarch64
freeradius-devel-3.0.27-1.amzn2.0.1.aarch64
freeradius-ldap-3.0.27-1.amzn2.0.1.aarch64
freeradius-krb5-3.0.27-1.amzn2.0.1.aarch64
freeradius-perl-3.0.27-1.amzn2.0.1.aarch64
freeradius-python-3.0.27-1.amzn2.0.1.aarch64
freeradius-mysql-3.0.27-1.amzn2.0.1.aarch64
freeradius-postgresql-3.0.27-1.amzn2.0.1.aarch64
freeradius-sqlite-3.0.27-1.amzn2.0.1.aarch64
freeradius-unixODBC-3.0.27-1.amzn2.0.1.aarch64
freeradius-debuginfo-3.0.27-1.amzn2.0.1.aarch64
i686:
freeradius-3.0.27-1.amzn2.0.1.i686
freeradius-doc-3.0.27-1.amzn2.0.1.i686
freeradius-utils-3.0.27-1.amzn2.0.1.i686
freeradius-devel-3.0.27-1.amzn2.0.1.i686
freeradius-ldap-3.0.27-1.amzn2.0.1.i686
freeradius-krb5-3.0.27-1.amzn2.0.1.i686
freeradius-perl-3.0.27-1.amzn2.0.1.i686
freeradius-python-3.0.27-1.amzn2.0.1.i686
freeradius-mysql-3.0.27-1.amzn2.0.1.i686
freeradius-postgresql-3.0.27-1.amzn2.0.1.i686
freeradius-sqlite-3.0.27-1.amzn2.0.1.i686
freeradius-unixODBC-3.0.27-1.amzn2.0.1.i686
freeradius-debuginfo-3.0.27-1.amzn2.0.1.i686
src:
freeradius-3.0.27-1.amzn2.0.1.src
x86_64:
freeradius-3.0.27-1.amzn2.0.1.x86_64
freeradius-doc-3.0.27-1.amzn2.0.1.x86_64
freeradius-utils-3.0.27-1.amzn2.0.1.x86_64
freeradius-devel-3.0.27-1.amzn2.0.1.x86_64
freeradius-ldap-3.0.27-1.amzn2.0.1.x86_64
freeradius-krb5-3.0.27-1.amzn2.0.1.x86_64
freeradius-perl-3.0.27-1.amzn2.0.1.x86_64
freeradius-python-3.0.27-1.amzn2.0.1.x86_64
freeradius-mysql-3.0.27-1.amzn2.0.1.x86_64
freeradius-postgresql-3.0.27-1.amzn2.0.1.x86_64
freeradius-sqlite-3.0.27-1.amzn2.0.1.x86_64
freeradius-unixODBC-3.0.27-1.amzn2.0.1.x86_64
freeradius-debuginfo-3.0.27-1.amzn2.0.1.x86_64
Red Hat: CVE-2024-3596
Mitre: CVE-2024-3596