hostapd and RADIUS protocol forgery attacks

Published: July 9, 2024
Identifiers:
- VU#456537 and CVE-2024-3596
Latest version available from: https://w1.fi/security/2024-1/

Vulnerability

A vulnerability in the RADIUS protocol has been identified with impact
to various use cases. This allows an attacker to forge a response in
cases where a Message-Authenticator attribute is not required.

More details on the attack can be found at following locations:
https://kb.cert.org/vuls/id/456537
https://www.blastradius.fail/

Depending on configuration, hostapd can act as a RADIUS client or a
RADIUS server. The main use case of a Wi-Fi access point with
WPA3-Enterprise uses the RADIUS client case for EAP
authentication. hostapd is not vulnerable to the attack in that case due
to the enforced requirement of the valid Message-Authenticator attribute
being present in all RADIUS messages with an EAP-Message attribute and
also in the Access-Accept message even without that attribute.

hostapd can be configured to use an external RADIUS server for MAC
address based access control. At least in theory, the vulnerability
might be applicable for that case. However, it should be noted that MAC
address based access control does not provide any real security, so the
impact from this would be minimal in practice.

hostapd as RADIUS server was already enforcing presence of a valid
Message-Authenticator attribute and as such, the vulnerability is not
applicable for that use case. However, some of the proposed mitigation
steps can be implemented for this case to avoid the issue with RADIUS
clients that are impacted.


Possible mitigation steps and incremental security improvements

Mitigation for cases where the other end of the RADIUS connection might
not have been updated:

RADIUS: Allow Message-Authenticator attribute as the first attribute
https://w1.fi/cgit/hostap/commit/?id=adac846bd0e258a0aa50750bbd2b411fa0085c46

RADIUS server: Place Message-Authenticator attribute as the first one
https://w1.fi/cgit/hostap/commit/?id=54abb0d3cf35894e7d86e3f7555e95b106306803

eapol_test: Move Message-Authenticator attribute to be the first one
https://w1.fi/cgit/hostap/commit/?id=689a248260c9708e6c92cd8635382725a29e34ca

hostapd: Move Message-Authenticator attribute to be the first one in req
https://w1.fi/cgit/hostap/commit/?id=37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17

RADIUS DAS: Move Message-Authenticator attribute to be the first one
https://w1.fi/cgit/hostap/commit/?id=f54157077f799d84ce26bed6ad6b01c4a16e31cf

Even stricter validation of Message-Authenticator:

Require Message-Authenticator in Access-Reject even without EAP-Message
https://w1.fi/cgit/hostap/commit/?id=934b0c3a45ce0726560ccefbd992a9d385c36385

RADIUS: Require Message-Authenticator attribute in MAC ACL cases
https://w1.fi/cgit/hostap/commit/?id=58097123ec5ea6f8276b38cb9b07669ec368a6c1

RADIUS: Check Message-Authenticator if it is present even if not required
https://w1.fi/cgit/hostap/commit/?id=f302d9f9646704cce745734af21d540baa0da65f