KB5040268: How to manage the Access-Request packets attack vulnerability associated with CVE-2024-3596 (2024)

Applies to: Windows Server 2008 Datacenter ESU; Windows Server 2008 Standard ESU; Windows Server 2008 Enterprise ESU; Windows Server 2008 R2 Enterprise ESU; Windows Server 2008 R2 Standard ESU; Windows Server 2008 R2 Datacenter ESU; Windows Server 2012 ESU; Windows Server 2012 R2 ESU; Windows 10, version 1607, all editions; Windows Server 2016; Windows 10 Home and Pro, version 21H2; Windows 10 Enterprise and Education, version 21H2; Windows 10 IoT Enterprise, version 21H2; Windows 10 Home and Pro, version 22H2; Windows 10 Enterprise Multi-Session, version 22H2; Windows 10 Enterprise and Education, version 22H2; Windows 10 IoT Enterprise, version 22H2; Windows 11 SE, version 21H2; Windows 11 Home and Pro, version 21H2; Windows 11 Enterprise and Education, version 21H2; Windows 11 IoT Enterprise, version 21H2; Windows 11 SE, version 22H2; Windows 11 Home and Pro, version 22H2; Windows 11 Enterprise Multi-Session, version 22H2; Windows 11 Enterprise and Education, version 22H2; Windows 11 IoT Enterprise, version 22H2; Windows Server 2022; Windows 11 Home and Pro, version 23H2; Windows 11 Enterprise and Education, version 23H2; Windows 11 Enterprise Multi-Session, version 23H2; Windows 11 IoT Enterprise, version 23H2; Windows 11 SE, version 24H2; Windows 11 Enterprise and Education, version 24H2; Windows 11 Enterprise Multi-Session, version 24H2; Windows 11 Home and Pro, version 24H2; Windows 11 IoT Enterprise, version 24H2

Important: Certain versions of Microsoft Windows have reached the end of support. Note that some versions of Windows may be supported past the latest OS end date when Extended Security Updates (ESUs) are available. See Lifecycle FAQ - Extended Security Updates for a list of products offering ESUs.

Contents

  • Summary

  • Take action

  • Events added by this update

  • Configurations

  • Frequently asked questions

  • References

Summary

This update addresses a security vulnerability in the Remote Authentication Dial-In User Service (RADIUS) protocol related to MD5 collision problems. Because of weak integrity checks in MD5, an attacker might tamper with packets to gain unauthorized access. The MD5 vulnerability makes User Datagram Protocol (UDP)-based RADIUS traffic over the Internet not secure against packet forgery or modification during transit.

For more information about this vulnerability, see CVE-2024-3596 and the whitepaper RADIUS AND MD5 COLLISION ATTACKS.

NOTE: This vulnerability requires physical access to the RADIUS network and the Network Policy Server (NPS). Therefore, customers who have secured RADIUS networks are not vulnerable. Additionally, the vulnerability does not apply when RADIUS communication occurs over VPN.

Take action

To help protect your environment, we recommend enabling the following configurations. For more information, see the Configurations section.

  • Set the Message-Authenticator attribute in Access-Request packets.

    Make sure all Access-Request packets include the Message-Authenticator attribute.

  • Verify the Message-Authenticator attribute in Access-Request packets.

    Consider enforcing validation of the Message-Authenticator attribute on Access-Request packets. Access-Request packets without this attribute will not be processed.

  • Verify the Message-Authenticator attribute in Access-Request packets if the Proxy-State attribute is present.

    Optional: Enable the limitProxyState configuration if enforcing validation of the Message-Authenticator attribute on Access-Request packets cannot be performed. This configuration validates that Access-Request packets containing the Proxy-State attribute also contain the Message-Authenticator attribute.

  • Verify the Message-Authenticator attribute in RADIUS response packets: Access-Accept, Access-Reject and Access-Challenge.

    Enable the requireMsgAuth configuration to enforce dropping the RADIUS response packets from remote servers that lack the Message-Authenticator attribute.

Events added by this update

For more information, see the Configurations section.

The Access-Request packet was dropped because it contained the Proxy-State attribute but lacked the Message-Authenticator attribute. Consider changing the RADIUS client to include the Message-Authenticator attribute. Alternatively, add an exception for the RADIUS client by using the limitProxyState configuration.

Event log: System
Event type: Error
Event source: NPS
Event ID: 4418
Event text: An Access-Request message was received from RADIUS client <ip/name> containing a Proxy-State attribute, but it did not include a Message-Authenticator attribute. As a result, the request was dropped. The Message-Authenticator attribute is mandatory for security purposes. See https://support.microsoft.com/help/5040268 to learn more.

This is an audit event for Access-Request packets that contain the Proxy-State attribute but lack the Message-Authenticator attribute. Consider changing the RADIUS client to include the Message-Authenticator attribute. The RADIUS packet will be dropped once the limitProxyState configuration is set to Enable mode.

Event log: System
Event type: Warning
Event source: NPS
Event ID: 4419
Event text: An Access-Request message was received from RADIUS client <ip/name> containing a Proxy-State attribute, but it did not include a Message-Authenticator attribute. The request is currently allowed since the limitProxyState is configured in Audit mode. See https://support.microsoft.com/help/5040268 to learn more.

This is an audit event for RADIUS response packets that were received at the proxy without the Message-Authenticator attribute. Consider changing the specified RADIUS server so that it includes the Message-Authenticator attribute. The RADIUS packet will be dropped once the requireMsgAuth configuration is set to Enable mode.

Event log: System
Event type: Warning
Event source: NPS
Event ID: 4420
Event text: The RADIUS Proxy received a response from server <ip/name> with a missing Message-Authenticator attribute. Response is currently allowed since the requireMsgAuth is configured in Audit mode. See https://support.microsoft.com/help/5040268 to learn more.

This event is logged during service start when the recommended settings are not configured. Consider enabling the settings if the RADIUS network is unsecure. For secure networks, these events can be ignored.

Event log: System
Event type: Warning
Event source: NPS
Event ID: 4421
Event text: RequireMsgAuth and/or limitProxyState configuration is in <Disable/Audit> mode. These settings should be configured in Enable mode for security purposes. See https://support.microsoft.com/help/5040268 to learn more.
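The four events above are what you review while limitProxyState and requireMsgAuth are still in Audit mode. The following PowerShell is an added example, not part of the KB article, that pulls events 4418 to 4421 from the System log on the NPS server and groups them by the peer named in the event text, so you can see which RADIUS clients and remote servers still omit Message-Authenticator before switching to Enable mode. The regular expressions assume the event text shown above; the seven-day window is an arbitrary choice.

```powershell
# Added example (not from the KB): summarize the NPS events 4418-4421 introduced by this update.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NPS'
    Id           = 4418, 4419, 4420, 4421
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue   # no matching events is not an error

# The event text names the peer as "RADIUS client <ip/name>" (4418/4419)
# or "from server <ip/name>" (4420); extract it so results can be grouped per peer.
$report = foreach ($e in $events) {
    $peer = $null
    if ($e.Message -match 'RADIUS client (\S+)')  { $peer = $Matches[1] }
    elseif ($e.Message -match 'from server (\S+)') { $peer = $Matches[1] }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Peer    = $peer
        Meaning = switch ($e.Id) {
            4418 { 'Access-Request dropped: Proxy-State without Message-Authenticator' }
            4419 { 'Access-Request allowed: limitProxyState in Audit mode' }
            4420 { 'Response allowed: requireMsgAuth in Audit mode' }
            4421 { 'Service start: settings still in Disable/Audit mode' }
        }
    }
}

# RADIUS clients that must add Message-Authenticator (or get a limitProxyState exception)
$report | Where-Object { $_.EventId -in 4418, 4419 } | Group-Object Peer |
    Select-Object @{n = 'RadiusClient'; e = { $_.Name }}, Count | Sort-Object Count -Descending

# Remote RADIUS servers whose responses lack Message-Authenticator (requireMsgAuth)
$report | Where-Object { $_.EventId -eq 4420 } | Group-Object Peer |
    Select-Object @{n = 'RemoteServer'; e = { $_.Name }}, Count | Sort-Object Count -Descending

# Has the service warned that the settings are not yet in Enable mode?
$report | Where-Object { $_.EventId -eq 4421 } | Select-Object Time, Meaning
```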

Configurations

Set the Message-Authenticator attribute in Access-Request packets

This configuration enables the NPS Proxy to start sending the Message-Authenticator attribute in all Access-Request packets. To enable this configuration, use one of the following methods.

Method 1: Use the NPS Microsoft Management Console (MMC)

To use the NPS MMC, follow these steps:

  1. Open the NPS user interface (UI) on the server.

  2. Open Remote RADIUS Server Groups.

  3. Select the RADIUS server.

  4. Go to Authentication/Accounting.

  5. Click to select the "The request must contain the Message-Authenticator attribute" checkbox.

Method 2: Use the netsh command

To use netsh, run the following command:

netsh nps set remoteserver remoteservergroup = <server group name> address = <server address> requireauthattrib = yes

For more information, see Remote RADIUS Server Group Commands.

Verify the Message-Authenticator attribute in Access-Request packets

This configuration requires the Message-Authenticator attribute in all Access-Request messages and drops the packet if the attribute is absent.

Method 1: Use the NPS Microsoft Management Console (MMC)

To use the NPS MMC, follow these steps:

  1. Open the NPS user interface (UI) on the server.

  2. Open RADIUS Clients.

  3. Select the RADIUS client.

  4. Go to Advanced Settings.

  5. Click to select the "Access-Request messages must contain the Message-Authenticator attribute" checkbox.

For more information, see Configure RADIUS Clients.

Method 2: Use the netsh command

To use netsh, run the following command:

netsh nps set client name = <client name> requireauthattrib = yes

For more information, see Remote RADIUS Server Group Commands.

Verify the Message-Authenticator attribute in Access-Request packets if the Proxy-State attribute is present (limitProxyState)

This configuration enables the NPS server to drop potentially vulnerable Access-Request packets that contain a Proxy-State attribute but do not include a Message-Authenticator attribute. This configuration supports three modes:

  • Audit

  • Enable

  • Disable

In Audit mode, a warning event (Event ID: 4419) is logged, but the request is still processed. Use this mode to identify the non-compliant entities sending the requests.

Use the netsh command to configure, enable, and add an exception as needed.

  1. To configure clients in Audit mode, run the following command:

    netsh nps set limitproxystate all = "audit"

  2. To configure clients in Enable mode, run the following command:

    netsh nps set limitproxystate all = "enable"

  3. To add an exception to exclude a client from limitProxyState validation, run the following command:

    netsh nps set limitproxystate name = <client name> exception = "Yes"

Verify the Message-Authenticator attribute in RADIUS response packets (requireMsgAuth)

This configuration enables the NPS Proxy to drop potentially vulnerable response messages (Access-Accept, Access-Reject and Access-Challenge) that lack the Message-Authenticator attribute. This configuration supports three modes:

  • Audit

  • Enable

  • Disable

In Audit mode, a warning event (Event ID: 4420) is logged, but the response is still processed. Use this mode to identify the non-compliant entities sending the responses.

Use the netsh command to configure, enable, and add an exception as needed.

  1. To configure servers in Audit mode, run the following command:

    netsh nps set requiremsgauth all = "audit"

  2. To configure servers in Enable mode, run the following command:

    netsh nps set requiremsgauth all = "enable"

  3. To add an exception to exclude a server from requireMsgAuth validation, run the following command:

    netsh nps set requiremsgauth remoteservergroup = <remote server group name> address = <server address> exception = "yes"
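The netsh commands in this section are per client and per remote server. The PowerShell script below is an added example, not from the KB article, that walks every configured RADIUS client and remote RADIUS server and applies the four recommended settings using the same netsh commands documented above, starting in Audit mode so events 4419 and 4420 reveal the non-compliant peers first. It assumes the NPS PowerShell module cmdlets Get-NpsRadiusClient, Get-NpsRemoteRadiusServerGroup and Get-NpsRemoteRadiusServer (used only for enumeration) are available, and that it runs elevated on the NPS server.

```powershell
# Added example (not from the KB): apply the article's recommended settings to all clients
# and remote servers. Run once with -Mode audit, review events 4419/4420, then -Mode enable.
param(
    [ValidateSet('audit', 'enable')] [string]$Mode = 'audit',
    [string[]]$ClientExceptions = @()   # RADIUS clients that cannot yet send Message-Authenticator
)

# Wrapper so a failing netsh call stops the script instead of being silently ignored.
function Invoke-Netsh([string[]]$Arguments) {
    $out = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $out" }
    $out
}

# 1. Verify Message-Authenticator in Access-Request packets from every RADIUS client.
#    Clients named in -ClientExceptions are skipped here and get a limitProxyState exception below.
foreach ($c in Get-NpsRadiusClient) {
    if ($ClientExceptions -contains $c.Name) { continue }
    Invoke-Netsh @('nps', 'set', 'client', "name=$($c.Name)", 'requireauthattrib=yes')
}

# 2. Set Message-Authenticator in every Access-Request the NPS proxy forwards to a remote server.
foreach ($g in Get-NpsRemoteRadiusServerGroup) {
    foreach ($s in Get-NpsRemoteRadiusServer -RemoteServerGroup $g.Name) {
        Invoke-Netsh @('nps', 'set', 'remoteserver', "remoteservergroup=$($g.Name)",
                       "address=$($s.Address)", 'requireauthattrib=yes')
    }
}

# 3. limitProxyState (Access-Requests carrying Proxy-State) and requireMsgAuth (responses):
#    Audit logs 4419/4420 and still processes the packet; Enable drops it.
Invoke-Netsh @('nps', 'set', 'limitproxystate', "all=$Mode")
Invoke-Netsh @('nps', 'set', 'requiremsgauth', "all=$Mode")
foreach ($name in $ClientExceptions) {
    Invoke-Netsh @('nps', 'set', 'limitproxystate', "name=$name", 'exception=yes')
}
```

Remote servers that legitimately cannot add the attribute need the per-server requireMsgAuth exception command shown in step 3 above; the script deliberately does not create those automatically.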

Frequently asked questions

Check NPS module events for related events. Consider adding exceptions or configuration adjustments for affected clients/servers.

No, the configurations discussed in this article are recommended for unsecured networks.

References

Description of the standard terminology that is used to describe Microsoft software updates

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. We make no warranty, implied or otherwise, about the performance or reliability of these products.

We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.
