hostapd and RADIUS protocol forgery attacks

Published: July 9, 2024
Identifiers:
- VU#456537 and CVE-2024-3596
Latest version available from: https://w1.fi/security/2024-1/


Vulnerability

A vulnerability in the RADIUS protocol has been identified that affects
several use cases. It allows an attacker to forge a response in cases
where a Message-Authenticator attribute is not required. More details on
the attack can be found at the following locations:

https://kb.cert.org/vuls/id/456537
https://www.blastradius.fail/

Depending on configuration, hostapd can act as a RADIUS client or a
RADIUS server.

The main use case, a Wi-Fi access point with WPA3-Enterprise, uses the
RADIUS client role for EAP authentication. hostapd is not vulnerable to
the attack in that case because it already requires a valid
Message-Authenticator attribute to be present in every RADIUS message
that carries an EAP-Message attribute, and in the Access-Accept message
even when no EAP-Message attribute is present.

hostapd can be configured to use an external RADIUS server for MAC
address based access control. At least in theory, the vulnerability
might be applicable to that case. However, it should be noted that MAC
address based access control does not provide any real security, so the
impact from this would be minimal in practice.

hostapd as a RADIUS server was already enforcing the presence of a valid
Message-Authenticator attribute and as such, the vulnerability is not
applicable to that use case. However, some of the proposed mitigation
steps can be implemented for this case to avoid the issue with RADIUS
clients that are impacted.
Possible mitigation steps and incremental security improvements

Mitigation for cases where the other end of the RADIUS connection might
not have been updated:

- RADIUS: Allow Message-Authenticator attribute as the first attribute
  https://w1.fi/cgit/hostap/commit/?id=adac846bd0e258a0aa50750bbd2b411fa0085c46
- RADIUS server: Place Message-Authenticator attribute as the first one
  https://w1.fi/cgit/hostap/commit/?id=54abb0d3cf35894e7d86e3f7555e95b106306803
- eapol_test: Move Message-Authenticator attribute to be the first one
  https://w1.fi/cgit/hostap/commit/?id=689a248260c9708e6c92cd8635382725a29e34ca
- hostapd: Move Message-Authenticator attribute to be the first one in req
  https://w1.fi/cgit/hostap/commit/?id=37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17
- RADIUS DAS: Move Message-Authenticator attribute to be the first one
  https://w1.fi/cgit/hostap/commit/?id=f54157077f799d84ce26bed6ad6b01c4a16e31cf

Even stricter validation of Message-Authenticator:

- Require Message-Authenticator in Access-Reject even without EAP-Message
  https://w1.fi/cgit/hostap/commit/?id=934b0c3a45ce0726560ccefbd992a9d385c36385
- RADIUS: Require Message-Authenticator attribute in MAC ACL cases
  https://w1.fi/cgit/hostap/commit/?id=58097123ec5ea6f8276b38cb9b07669ec368a6c1
- RADIUS: Check Message-Authenticator if it is present even if not required
  https://w1.fi/cgit/hostap/commit/?id=f302d9f9646704cce745734af21d540baa0da65f
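As an added illustration (not hostapd code), the following Python models the two sides of the checks the commits above describe: a server-side encoder that places Message-Authenticator as the first attribute, and a client-side validator that verifies the RFC 2865 Response Authenticator and then the RFC 2869 Message-Authenticator whenever it is present, rejecting its absence only when the caller requires it. The shared secret, request authenticator and attribute contents are constructed values.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type defined in RFC 2869

def parse_attributes(body):
    """Return (type, value, offset) for each attribute; raise on a malformed body."""
    attrs, off = [], 0
    while off < len(body):
        if off + 2 > len(body) or body[off + 1] < 2 or off + body[off + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[off], body[off + 2:off + body[off + 1]], off))
        off += body[off + 1]
    return attrs

def response_authenticator(header, request_auth, body, secret):
    """RFC 2865 Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_response(code, ident, request_auth, secret, attrs):
    """Encode a response as the hardened server does: Message-Authenticator goes first."""
    body = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # placeholder, zeroed for HMAC
    for t, v in attrs:
        body += bytes([t, len(v) + 2]) + v
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # RFC 2869: HMAC-MD5 over Type, ID, Length, Request Authenticator and attributes
    ma = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:2] + ma + body[18:]
    return header + response_authenticator(header, request_auth, body, secret) + body

def verify_response(packet, request_auth, secret, require_ma):
    """Validate a response; return "ok" or the rejection reason (MA checked whenever present)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "bad length"
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(response_authenticator(header, request_auth, body, secret), resp_auth):
        return "bad Response Authenticator"
    try:
        mas = [(v, o) for t, v, o in parse_attributes(body) if t == MESSAGE_AUTHENTICATOR]
    except ValueError as e:
        return str(e)
    if not mas:
        return "Message-Authenticator missing" if require_ma else "ok"
    value, off = mas[0]
    if len(value) != 16:
        return "bad Message-Authenticator length"
    zeroed = body[:off + 2] + bytes(16) + body[off + 18:]  # MA field zeroed for the HMAC
    calc = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(calc, value) else "bad Message-Authenticator"
```

Note that the Response Authenticator alone is the MD5 construction the attack targets; the Message-Authenticator check is the HMAC that the hardened configurations rely on, which is why the validator never skips it when the attribute is present.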