On July 7, 2024, security researchers disclosed the following vulnerability in the RADIUS protocol:
CVE-2024-3596: RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by an on-path attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.
This vulnerability may impact any RADIUS client and server. For a description of this vulnerability, see VU#456537: RADIUS protocol susceptible to forgery attacks [âhttps://www.kb.cert.org/vuls/id/456537â].
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-radius-spoofing-july-2024-87cCDwZ3 [âhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-radius-spoofing-july-2024-87cCDwZ3â]
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | cisco_adaptive_security_appliance_\(asa\)_software | any | cpe:2.3:a:cisco:cisco_adaptive_security_appliance_\(asa\)_software:any:*:*:*:*:*:*:* |