CERTVU:456537RADIUS protocol susceptible to forgery attacks.
Overview
A vulnerability in the RADIUS protocol allows an attacker allows an attacker to forge an authentication response in cases where a Message-Authenticator attribute is not required or enforced. This vulnerability results from a cryptographically insecure integrity check when validating authentication responses from a RADIUS server.
Description
RADIUS is a popular lightweight authentication protocol used for networking devices specified in IETF 2058 as early as 1997 (obsoleted by RFC 2138 and then RFC 2865. There have been several other IETF standards (RADIUS/TCP, RADIUS/TLS and RADIUS/DTLS) that cover and enhance various parts of the specification for the use of RADIUS in authentication. RADIUS is widely used to authenticate both users and devices and widely supported by networking devices, from basic network switches to more complex VPN solutions. Recently, RADIUS has also been adopted in much of the cloud services that provide tiered, role-based access-control to resources. As a client-server protocol, RADIUS uses a Request-Response model to verify authentication requests and further provide any role-based access using Groups. RADIUS can also be proxied to support multi-tenant roaming access services.
A vulnerability in the verification of RADIUS Response from a RADIUS server has been disclosed by a team of researchers from UC San Diego and their partners. An attacker, with access to the network where the RADIUS protocol is being transmitted, can spoof a UDP-based RADIUS Response packet to modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response, with almost any content, completely under the attackers control. This allows the attacker to transform a Reject into an Accept without knowledge of the shared secret between the RADIUS client and server. The attack is possible due to a basic flaw in the RADIUS protocol specification that uses a MD5 hash to verify the response, along with the fact that part of the hashed text is predictable allowing for a chosen-prefix collision. The attack, demonstrated by UCSD team, takes advantage of the chosen-prefix collision of the MD5 message in a novel way. The widespread use of RADIUS and its adoption into the cloud allows for such attacks to pose a reasonable threat to the authentication verification process that relies on RADIUS.
RADIUS servers that only perform Extensible Authentication Protocol (EAP), as specified in RFC 3579, are unaffected by this attack. The EAP authentication messages require the Message-Authenticator attribute, which will prevent these attacks from succeeding. The use of TLS (or DTLS) encryption can also prevent such attacks from succeeding. However, RADIUS over TCP itself can still be susceptible to this attack, with more advanced man-in-the-middle scenarios, to successfully attack the TCP connection.
Finally as explained by Alan Dekok, developer of FreeRadius open source software -
> The key to the attack is that in many cases, Access-Request packets have no authentication or integrity checks. An attacker can then perform a chosen prefix attack, which allows modifying the Access-Request in order to replace a valid response with one chosen by the attacker. Even though the response is authenticated and integrity checked, the chosen prefix vulnerability allows the attacker to modify the response packet, almost at will.
Impact
An attacker with access to the network where RADIUS Access-Request is transported can craft a response to the RADIUS server irrespective of the type of response (Access-Accept, Access-Reject, Access-Challenge, or Protocol-Error) to modify the response to any of the valid responses. This can allow an attacker to change the Reject response to an Accept or vice versa. The attack can also potentially intercept an Access-Challenge, typically used in Multi-Factor Authentication (MFA), and modify it to an Access-Accept, thus bypassing the MFA used within RADIUS. Due to the flexible, proxied nature of the RADIUS protocol, any server in the chain of proxied RADIUS servers can be targeted to succeed in the attack.
Solution
Device Manufacturers
RADIUS-compliant software and hardware manufacturers should adopt the recommendations from the Article document to mitigate the risk of the RADIUS protocol limitations identified in this attack. Manufacturers who bundle the open-source RADIUS implementations, such as FreeRadius, should update to the latest available software for both clients and servers and, at a minimum, require the use of the Message-Authenticator for RADIUS authentication.
Operators
Network operators who rely on the RADIUS-based protocol for device and/or user authentication should update their software and configuration to a secure form of the protocol for both clients and servers. This can be done by enforcing TLS or DTLS encryption to secure the communications between the RADIUS client and server. Where possible, network isolation and secure VPN tunnel communications should be enforced for the RADIUS protocol to restrict access to these network resources from untrusted sources.
Acknowledgements
Thanks to Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl who collaborated for this research and supported coordinated vulnerability disclosure to reach multiple vendors and stakeholders. Thanks to Alan Dekok for spearheading the IETF proposal and recommendations. This document was written by Vijay Sarvepalli and Timur Snoke.
Vendor Information
456537
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Advantech Taiwan __ Affected
Notified: 2024-02-05 Updated: 2024-07-09
Statement Date: March 12, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
Advantech will apply the recommended actions per suggested from document VU# 456537 accordingly.
Arista Networks __ Affected
Notified: 2024-02-05 Updated: 2024-07-09
Statement Date: February 08, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
Arista Networks has multiple products which use RADIUS. We plan to issue a security advisory at https://www.arista.com/en/support/advisories-notices that will discuss per-product solutions.
Aruba Networks Affected
Notified: 2024-02-05 Updated: 2024-07-12
Statement Date: July 12, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Check Point __ Affected
Notified: 2024-07-10 Updated: 2024-09-11
Statement Date: September 11, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
Check Point response to CVE-2024-3596 - Blast-RADIUS attack https://support.checkpoint.com/results/sk/sk182516
D-Link Systems Inc. __ Affected
Notified: 2024-02-05 Updated: 2024-07-09
Statement Date: July 02, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
D-Link Corporation has investigated, we are integrating patches as they are available.
We will publish a support announcement at: https://support.dlink.com/index.aspx once relavent product patches are available.
Feel free to reach out to [email protected] if there is any questions regarding security of our products.
FreeBSD __ Affected
Notified: 2024-02-07 Updated: 2024-07-09
Statement Date: May 06, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
FreeBSD has a vulnerable implementation of libradius shipped with the base which is solely used by the pam_radius implementation as shipped. Software may link against the base system and inherit the vulnerability.
FreeRADIUS __ Affected
Notified: 2024-02-05 Updated: 2024-07-09
Statement Date: April 11, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
We are releasing new versions of FreeRADIUS to address this issue. We are also releasing new versions of pam_radius and mod_auth_radius.
Juniper Networks __ Affected
Notified: 2024-02-05 Updated: 2024-07-09
Statement Date: April 26, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
Currently, Juniper don’t support Message-Authenticator however, we support Radius over TLS (Radsec) to mitigate this vulnerability. The PR still should get fixed, but the developer might use our Kryptonite (RLI) to resolve it.
LANCOM Systems GmbH __ Affected
Notified: 2024-03-06 Updated: 2024-07-09
Statement Date: April 24, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
LANCOM is tracking this vulnerability. Some products are affected and firmware-fixes will be prepared ahead of the publication date where possible.
Microsoft __ Affected
Notified: 2024-02-06 Updated: 2024-07-09
Statement Date: July 02, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
Microsoft has addressed this issue in affected versions of Windows as part of the July Patch Tuesday, documented under CVE-2024-3596.
References
/n software Inc. Affected
Notified: 2024-05-02 Updated: 2024-07-09
Statement Date: May 02, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Okta Inc. __ Affected
Notified: 2024-02-06 Updated: 2024-07-09
Statement Date: February 22, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
Regarding the reported vulnerability, from the information that was provided, it seems the affected scenario is when an attacker has control over the client’s network/proxy, it can forge the request to make it seem like the client authenticated to the server. The underlying issue here is the md5 hash collision that is in the RFC for UDP RADAR protocol for authentication verification https://datatracker.ietf.org/doc/html/rfc2865#page-11.
Since Okta RADAR allows the client to use any tool that supports RADAR protocol to connect to the server, this is beyond Okta’s control to make any changes at the moment. To clarify let’s say we use sha256 hash (a stronger hash to prevent collision) instead of md5 as mentioned in the RFC - we will end up breaking freeradius, javaradius (and other clients) as they would still use md5 hashes to compute the changes. In an ideal situation a solution should be proposed that should be adopted by the RADIUS clients first (or both clients and server together or an update to the RFC) in an if/else fashion on md5 or a stronger hash should be used. After that all the radius servers should be updated with this stronger protocol. Let us know if there is any further update to this issue and/or if any other actions that needs to be taken.
OpenVPN Technologies __ Affected
Notified: 2024-02-06 Updated: 2024-07-09
Statement Date: February 09, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
OpenVPN itself is not vulnerable by this attack however software that uses OpenVPN or is closely related to OpenVPN is vulnerable. OpenVPN Access Server is vulnerable and that will by addressed by the suggested mitigations. The externally maintained openvpn-auth-radius plugin for OpenVPN might be also vulnerable. We are trying to reach out to its maintainers.
Palo Alto Networks __ Affected
Notified: 2024-02-05 Updated: 2024-07-25
Statement Date: July 25, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
Palo Alto Networks published the following advisory: https://security.paloaltonetworks.com/CVE-2024-3596
References
Radiator Software __ Affected
Notified: 2024-02-07 Updated: 2024-07-10
Statement Date: July 10, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
Fixed in Radiator v4.29 released on the 9th of July 2024. Radiator Software security notice Radiator revision history for v4.29 and earlier
Red Hat Affected
Notified: 2024-02-07 Updated: 2024-07-09
Statement Date: February 07, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
RSA Affected
Notified: 2024-02-15 Updated: 2024-07-09
Statement Date: April 12, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Siemens __ Affected
Notified: 2024-02-05 Updated: 2024-07-12
Statement Date: July 12, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
The impact of Siemens products is described in Siemens Security Advisories published on https://www.siemens.com/cert/advisories. Search for CVE-2024-3596 to find the relevant advisories.
Current publication(s): * SSA-723487
References
SUSE Linux Affected
Notified: 2024-04-25 Updated: 2024-07-09
Statement Date: May 15, 2024
| CVE-2024-3596 | Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Calix __ Not Affected
Notified: 2024-07-02 Updated: 2024-07-09
Statement Date: July 02, 2024
| CVE-2024-3596 | Not Affected |
|---|
Vendor Statement
Calix Cloud services only leverage RADIUS accounting, rather than RADIUS authentication, which is where this vulnerability lies. RADIUS accounting is a proxy of existing session statuses that have already been authenticated. Accounting proxy was built into RADIUS as an add-on to share session information with other ISPs. Calix uses this functionality for endpoint mapping, accepting only the RADIUS username and Framed IP address, and rejecting all other AVP data in the packet.
eCosCentric __ Not Affected
Notified: 2024-07-10 Updated: 2024-07-11
Statement Date: July 11, 2024
| CVE-2024-3596 | Not Affected |
|---|
Vendor Statement
eCosPro RTOS does not supply RADIUS support
eero Not Affected
Notified: 2024-07-10 Updated: 2024-07-10
Statement Date: July 10, 2024
| CVE-2024-3596 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Fastly Not Affected
Notified: 2024-07-10 Updated: 2024-07-10
Statement Date: July 10, 2024
| CVE-2024-3596 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Honeywell Not Affected
Notified: 2024-02-06 Updated: 2024-07-09
Statement Date: March 08, 2024
| CVE-2024-3596 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
LiteSpeed Technologies Not Affected
Notified: 2024-07-10 Updated: 2024-07-10
Statement Date: July 10, 2024
| CVE-2024-3596 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Paessler Not Affected
Notified: 2024-07-10 Updated: 2024-07-11
Statement Date: July 11, 2024
| CVE-2024-3596 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Peplink Not Affected
Notified: 2024-07-10 Updated: 2024-07-11
Statement Date: July 11, 2024
| CVE-2024-3596 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Phoenix Contact Not Affected
Notified: 2024-02-05 Updated: 2024-07-09
Statement Date: May 23, 2024
| CVE-2024-3596 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Rockwell Automation Not Affected
Notified: 2024-02-06 Updated: 2024-07-09
Statement Date: April 25, 2024
| CVE-2024-3596 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
SolarWinds Not Affected
Notified: 2024-02-06 Updated: 2024-07-09
Statement Date: April 10, 2024
| CVE-2024-3596 | Not Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
Wi-Fi Alliance __ Not Affected
Notified: 2024-06-03 Updated: 2024-07-09
Statement Date: June 17, 2024
| CVE-2024-3596 | Not Affected |
|---|
Vendor Statement
In all Wi-Fi Alliance specifications, RADIUS is solely used to transport EAP (802.1X) messages. RADIUS support for EAP is defined in RFC 3579, which requires every Access-Accept and Access-Reject EAP message to be authenticated using a Message-Authenticator attribute. In other words, these messages cannot be forged using the technique described in this attack.
Illumos __ Unknown
Notified: 2024-07-10 Updated: 2024-07-10
Statement Date: July 10, 2024
| CVE-2024-3596 | Unknown |
|---|
Vendor Statement
The only subsystems in illumos-gate that use RADIUS are the WPA supplicant (wpad), which always has EAP, and the iSCSI subsystem. Initial inspections of the iSCSI seem to indicate that Message-Authenticator is always set on Request messages (IOW, the MAY in the spec is interpreted as a MUST by the illumos iSCSI implementation).
Further consultations with iSCSI experts will confirm or deny. I’m leaving illumos as “unknown” until I learn more.
A10 Networks Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
ACCESS Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Actelis Networks Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Actiontec Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
ADTRAN Unknown
Notified: 2024-02-06 Updated: 2024-07-09
Statement Date: February 21, 2024
| CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Advantech Czech Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Akamai Technologies Inc. Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Alcatel-Lucent Enterprise Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Allied Telesis Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Amazon Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Apple Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Arcadyan Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
ARRIS Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
ASUSTeK Computer Inc. Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Atheros Communications Inc Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
AT&T Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Avaya Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Barracuda Networks Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Belden Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Belkin Inc. Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Broadcom Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Brocade Communication Systems Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Cambium Networks Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Ceragon Networks Inc Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Cisco Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Cloudflare Unknown
| Notified: 2024-06-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Comcast Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Commscope Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Contiki OS Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Cradlepoint Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
dd-wrt Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Debian GNU/Linux Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Dell Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Dell EMC Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Dell SecureWorks Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Deutsche Telekom Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Digi International Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
dnsmasq Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Duo Security Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Ericsson Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Espressif Systems Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Extreme Networks Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
F5 Networks Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Force10 Networks Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Forcepoint Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Fortinet Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
General Electric Unknown
| Notified: 2024-05-31 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Gentoo Linux Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Google Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Green Hills Software Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
HardenedBSD Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
HCC Embedded Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Hewlett Packard Enterprise Unknown
Notified: 2024-02-05 Updated: 2024-07-09
Statement Date: April 24, 2024
| CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Hitachi Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
hostapd Unknown
| Notified: 2024-02-16 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
HP Inc. Unknown
| Notified: 2024-06-17 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
HTC Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
IBM Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
IBM Corporation (zseries) Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Infoblox Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Intel Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Lantronix Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Lenovo Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
LG Electronics Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
LibreSSL Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
lwIP Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Marvell Semiconductor Unknown
Notified: 2024-04-30 Updated: 2024-07-09
Statement Date: June 12, 2024
| CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
McAfee Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
MediaTek Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Medtronic Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Metaswitch Networks Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Microchip Technology Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Micro Focus Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
MikroTik Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Miredo Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Mitel Networks Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Motorola Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Muonics Inc. Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
NEC Corporation Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
NetBSD Unknown
| Notified: 2024-02-07 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
NetComm Wireless Limited Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
NETGEAR Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
NETSCOUT Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Nokia Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Nozomi Networks Unknown
| Notified: 2024-05-03 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
NVIDIA Unknown
| Notified: 2024-02-07 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
OMRON Industrial Automation Unknown
Notified: 2024-02-05 Updated: 2024-07-09
Statement Date: February 06, 2024
| CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
OpenBSD Unknown
| Notified: 2024-02-07 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
OpenConnect Ltd Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Openwall GNU/*/Linux Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
OpenWRT Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Oracle Corporation Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
pfSense Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Philips Electronics Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Ping Identity Unknown
| Notified: 2024-03-18 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Proxim Inc. Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Pulse Secure Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
QLogic Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
QNAP Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Qualcomm Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Riverbed Technologies Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Ruckus Wireless Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Samsung Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Samsung Mobile Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Schneider Electric Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Sierra Wireless Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
SITA Unknown
| Notified: 2024-05-31 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
SonicWall Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Sophos Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Symantec Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Synology Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
TDS Telecom Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Tenable Network Security Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
TippingPoint Technologies Inc. Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Tizen Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
TP-LINK Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Treck Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Turbolinux Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Ubiquiti Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Ubiquitous Telecommunications Technology Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Ubuntu Unknown
| Notified: 2024-04-25 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Untangle Unknown
| Notified: 2024-07-10 Updated: 2024-07-10 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Vantiva Unknown
| Notified: 2024-07-11 Updated: 2024-07-12 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Viasat Unknown
| Notified: 2024-02-06 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
VMware Unknown
| Notified: 2024-02-07 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Wind River Unknown
| Notified: 2024-02-07 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
Zyxel Unknown
| Notified: 2024-02-05 Updated: 2024-07-09 CVE-2024-3596 | Unknown |
|---|
Vendor Statement
We have not received a statement from the vendor.
View all 159 vendors __View less vendors __
References
- <https://datatracker.ietf.org/doc/html/rfc2865>
- <https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/>
- <https://networkradius.com/assets/pdf/radius_and_md5_collisions.pdf>
- <https://www.blastradius.fail/pdf/radius.pdf>
Other Information
| CVE IDs: | CVE-2024-3596 |
|---|---|
| API URL: | VINCE JSON |
| Date Public: | 2024-07-09 Date First Published: |
Related
