search menu icon-carat-right cmu-wordmark

CERT Coordination Center

RADIUS protocol susceptible to forgery attacks.

Vulnerability Note VU#456537

Original Release Date: 2024-07-09 | Last Revised: 2024-09-24

Overview

A vulnerability in the RADIUS protocol allows an attacker allows an attacker to forge an authentication response in cases where a Message-Authenticator attribute is not required or enforced. This vulnerability results from a cryptographically insecure integrity check when validating authentication responses from a RADIUS server.

Description

RADIUS is a popular lightweight authentication protocol used for networking devices specified in IETF 2058 as early as 1997 (obsoleted by RFC 2138 and then RFC 2865. There have been several other IETF standards (RADIUS/TCP, RADIUS/TLS and RADIUS/DTLS) that cover and enhance various parts of the specification for the use of RADIUS in authentication. RADIUS is widely used to authenticate both users and devices and widely supported by networking devices, from basic network switches to more complex VPN solutions. Recently, RADIUS has also been adopted in much of the cloud services that provide tiered, role-based access-control to resources. As a client-server protocol, RADIUS uses a Request-Response model to verify authentication requests and further provide any role-based access using Groups. RADIUS can also be proxied to support multi-tenant roaming access services.

A vulnerability in the verification of RADIUS Response from a RADIUS server has been disclosed by a team of researchers from UC San Diego and their partners. An attacker, with access to the network where the RADIUS protocol is being transmitted, can spoof a UDP-based RADIUS Response packet to modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response, with almost any content, completely under the attackers control. This allows the attacker to transform a Reject into an Accept without knowledge of the shared secret between the RADIUS client and server. The attack is possible due to a basic flaw in the RADIUS protocol specification that uses a MD5 hash to verify the response, along with the fact that part of the hashed text is predictable allowing for a chosen-prefix collision. The attack, demonstrated by UCSD team, takes advantage of the chosen-prefix collision of the MD5 message in a novel way. The widespread use of RADIUS and its adoption into the cloud allows for such attacks to pose a reasonable threat to the authentication verification process that relies on RADIUS.

RADIUS servers that only perform Extensible Authentication Protocol (EAP), as specified in RFC 3579, are unaffected by this attack. The EAP authentication messages require the Message-Authenticator attribute, which will prevent these attacks from succeeding. The use of TLS (or DTLS) encryption can also prevent such attacks from succeeding. However, RADIUS over TCP itself can still be susceptible to this attack, with more advanced man-in-the-middle scenarios, to successfully attack the TCP connection.

Finally as explained by Alan Dekok, developer of FreeRadius open source software -

The key to the attack is that in many cases, Access-Request packets have no authentication or integrity checks. An attacker can then perform a chosen prefix attack, which allows modifying the Access-Request in order to replace a valid response with one chosen by the attacker. Even though the response is authenticated and integrity checked, the chosen prefix vulnerability allows the attacker to modify the response packet, almost at will.

Impact

An attacker with access to the network where RADIUS Access-Request is transported can craft a response to the RADIUS server irrespective of the type of response (Access-Accept, Access-Reject, Access-Challenge, or Protocol-Error) to modify the response to any of the valid responses. This can allow an attacker to change the Reject response to an Accept or vice versa. The attack can also potentially intercept an Access-Challenge, typically used in Multi-Factor Authentication (MFA), and modify it to an Access-Accept, thus bypassing the MFA used within RADIUS. Due to the flexible, proxied nature of the RADIUS protocol, any server in the chain of proxied RADIUS servers can be targeted to succeed in the attack.

Solution

Device Manufacturers

RADIUS-compliant software and hardware manufacturers should adopt the recommendations from the Article document to mitigate the risk of the RADIUS protocol limitations identified in this attack. Manufacturers who bundle the open-source RADIUS implementations, such as FreeRadius, should update to the latest available software for both clients and servers and, at a minimum, require the use of the Message-Authenticator for RADIUS authentication.

Operators

Network operators who rely on the RADIUS-based protocol for device and/or user authentication should update their software and configuration to a secure form of the protocol for both clients and servers. This can be done by enforcing TLS or DTLS encryption to secure the communications between the RADIUS client and server. Where possible, network isolation and secure VPN tunnel communications should be enforced for the RADIUS protocol to restrict access to these network resources from untrusted sources.

Acknowledgements

Thanks to Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl who collaborated for this research and supported coordinated vulnerability disclosure to reach multiple vendors and stakeholders. Thanks to Alan Dekok for spearheading the IETF proposal and recommendations. This document was written by Vijay Sarvepalli and Timur Snoke.

Vendor Information

456537
 

Advantech Taiwan Affected

Notified:  2024-02-05 Updated: 2024-07-09

Statement Date:   March 12, 2024

CVE-2024-3596 Affected

Vendor Statement

Advantech will apply the recommended actions per suggested from document VU# 456537 accordingly.

Arista Networks Affected

Notified:  2024-02-05 Updated: 2024-07-09

Statement Date:   February 08, 2024

CVE-2024-3596 Affected

Vendor Statement

Arista Networks has multiple products which use RADIUS. We plan to issue a security advisory at https://www.arista.com/en/support/advisories-notices that will discuss per-product solutions.

Aruba Networks Affected

Notified:  2024-02-05 Updated: 2024-07-12

Statement Date:   July 12, 2024

CVE-2024-3596 Affected

Vendor Statement

We have not received a statement from the vendor.

Check Point Affected

Notified:  2024-07-10 Updated: 2024-09-11

Statement Date:   September 11, 2024

CVE-2024-3596 Affected

Vendor Statement

Check Point response to CVE-2024-3596 - Blast-RADIUS attack https://support.checkpoint.com/results/sk/sk182516

D-Link Systems Inc. Affected

Notified:  2024-02-05 Updated: 2024-07-09

Statement Date:   July 02, 2024

CVE-2024-3596 Affected

Vendor Statement

D-Link Corporation has investigated, we are integrating patches as they are available.

We will publish a support announcement at: https://support.dlink.com/index.aspx once relavent product patches are available.

Feel free to reach out to security@dlink.com if there is any questions regarding security of our products.

FreeBSD Affected

Notified:  2024-02-07 Updated: 2024-07-09

Statement Date:   May 06, 2024

CVE-2024-3596 Affected

Vendor Statement

FreeBSD has a vulnerable implementation of libradius shipped with the base which is solely used by the pam_radius implementation as shipped. Software may link against the base system and inherit the vulnerability.

FreeRADIUS Affected

Notified:  2024-02-05 Updated: 2024-07-09

Statement Date:   April 11, 2024

CVE-2024-3596 Affected

Vendor Statement

We are releasing new versions of FreeRADIUS to address this issue. We are also releasing new versions of pam_radius and mod_auth_radius.

Juniper Networks Affected

Notified:  2024-02-05 Updated: 2024-09-24

Statement Date:   September 24, 2024

CVE-2024-3596 Affected

Vendor Statement

Juniper SIRT is aware of the newly announced vulnerability in RADIUS, assigned CVE-2024-3596. Radius protocol susceptible to forgery attacks vulnerability.

This issue potentially affects Junos OS, Junos OS Evolved, cRPD, Junos Space, 128T, Paragon, Contrail, CTP View/CTP OS, Northstar, Apstra, Security Director Cloud, Network and Security Manager, SkyATP/JATP, STRM Security Threat Response Manager, Appformix, Juniper Sky Enterprise and problem reports have been escalated to Development.

This issue does not affect Mist, JSA Series, JIMS Juniper Identity Management Service and Juniper Networks SecIntel.

LANCOM Systems GmbH Affected

Notified:  2024-03-06 Updated: 2024-07-09

Statement Date:   April 24, 2024

CVE-2024-3596 Affected

Vendor Statement

LANCOM is tracking this vulnerability. Some products are affected and firmware-fixes will be prepared ahead of the publication date where possible.

Microsoft Affected

Notified:  2024-02-06 Updated: 2024-07-09

Statement Date:   July 02, 2024

CVE-2024-3596 Affected

Vendor Statement

Microsoft has addressed this issue in affected versions of Windows as part of the July Patch Tuesday, documented under CVE-2024-3596.

References

/n software Inc. Affected

Notified:  2024-05-02 Updated: 2024-07-09

Statement Date:   May 02, 2024

CVE-2024-3596 Affected

Vendor Statement

We have not received a statement from the vendor.

Okta Inc. Affected

Notified:  2024-02-06 Updated: 2024-07-09

Statement Date:   February 22, 2024

CVE-2024-3596 Affected

Vendor Statement

Regarding the reported vulnerability, from the information that was provided, it seems the affected scenario is when an attacker has control over the client's network/proxy, it can forge the request to make it seem like the client authenticated to the server. The underlying issue here is the md5 hash collision that is in the RFC for UDP RADAR protocol for authentication verification https://datatracker.ietf.org/doc/html/rfc2865#page-11.

Since Okta RADAR allows the client to use any tool that supports RADAR protocol to connect to the server, this is beyond Okta's control to make any changes at the moment. To clarify let's say we use sha256 hash (a stronger hash to prevent collision) instead of md5 as mentioned in the RFC - we will end up breaking freeradius, javaradius (and other clients) as they would still use md5 hashes to compute the changes. In an ideal situation a solution should be proposed that should be adopted by the RADIUS clients first (or both clients and server together or an update to the RFC) in an if/else fashion on md5 or a stronger hash should be used. After that all the radius servers should be updated with this stronger protocol. Let us know if there is any further update to this issue and/or if any other actions that needs to be taken.

OpenVPN Technologies Affected

Notified:  2024-02-06 Updated: 2024-07-09

Statement Date:   February 09, 2024

CVE-2024-3596 Affected

Vendor Statement

OpenVPN itself is not vulnerable by this attack however software that uses OpenVPN or is closely related to OpenVPN is vulnerable. OpenVPN Access Server is vulnerable and that will by addressed by the suggested mitigations. The externally maintained openvpn-auth-radius plugin for OpenVPN might be also vulnerable. We are trying to reach out to its maintainers.

Palo Alto Networks Affected

Notified:  2024-02-05 Updated: 2024-07-25

Statement Date:   July 25, 2024

CVE-2024-3596 Affected

Vendor Statement

Palo Alto Networks published the following advisory: https://security.paloaltonetworks.com/CVE-2024-3596

References

Radiator Software Affected

Notified:  2024-02-07 Updated: 2024-07-10

Statement Date:   July 10, 2024

CVE-2024-3596 Affected

Vendor Statement

Fixed in Radiator v4.29 released on the 9th of July 2024. Radiator Software security notice Radiator revision history for v4.29 and earlier

Red Hat Affected

Notified:  2024-02-07 Updated: 2024-07-09

Statement Date:   February 07, 2024

CVE-2024-3596 Affected

Vendor Statement

We have not received a statement from the vendor.

RSA Affected

Notified:  2024-02-15 Updated: 2024-07-09

Statement Date:   April 12, 2024

CVE-2024-3596 Affected

Vendor Statement

We have not received a statement from the vendor.

Siemens Affected

Notified:  2024-02-05 Updated: 2024-07-12

Statement Date:   July 12, 2024

CVE-2024-3596 Affected

Vendor Statement

The impact of Siemens products is described in Siemens Security Advisories published on https://www.siemens.com/cert/advisories. Search for CVE-2024-3596 to find the relevant advisories.

Current publication(s): * SSA-723487

References

SUSE Linux Affected

Notified:  2024-04-25 Updated: 2024-07-09

Statement Date:   May 15, 2024

CVE-2024-3596 Affected

Vendor Statement

We have not received a statement from the vendor.

Calix Not Affected

Notified:  2024-07-02 Updated: 2024-07-09

Statement Date:   July 02, 2024

CVE-2024-3596 Not Affected

Vendor Statement

Calix Cloud services only leverage RADIUS accounting, rather than RADIUS authentication, which is where this vulnerability lies. RADIUS accounting is a proxy of existing session statuses that have already been authenticated. Accounting proxy was built into RADIUS as an add-on to share session information with other ISPs. Calix uses this functionality for endpoint mapping, accepting only the RADIUS username and Framed IP address, and rejecting all other AVP data in the packet.

eCosCentric Not Affected

Notified:  2024-07-10 Updated: 2024-07-11

Statement Date:   July 11, 2024

CVE-2024-3596 Not Affected

Vendor Statement

eCosPro RTOS does not supply RADIUS support

eero Not Affected

Notified:  2024-07-10 Updated: 2024-07-10

Statement Date:   July 10, 2024

CVE-2024-3596 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Fastly Not Affected

Notified:  2024-07-10 Updated: 2024-07-10

Statement Date:   July 10, 2024

CVE-2024-3596 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Honeywell Not Affected

Notified:  2024-02-06 Updated: 2024-07-09

Statement Date:   March 08, 2024

CVE-2024-3596 Not Affected

Vendor Statement

We have not received a statement from the vendor.

LiteSpeed Technologies Not Affected

Notified:  2024-07-10 Updated: 2024-07-10

Statement Date:   July 10, 2024

CVE-2024-3596 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Paessler Not Affected

Notified:  2024-07-10 Updated: 2024-07-11

Statement Date:   July 11, 2024

CVE-2024-3596 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Peplink Not Affected

Notified:  2024-07-10 Updated: 2024-07-11

Statement Date:   July 11, 2024

CVE-2024-3596 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Phoenix Contact Not Affected

Notified:  2024-02-05 Updated: 2024-07-09

Statement Date:   May 23, 2024

CVE-2024-3596 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Rockwell Automation Not Affected

Notified:  2024-02-06 Updated: 2024-07-09

Statement Date:   April 25, 2024

CVE-2024-3596 Not Affected

Vendor Statement

We have not received a statement from the vendor.

SolarWinds Not Affected

Notified:  2024-02-06 Updated: 2024-07-09

Statement Date:   April 10, 2024

CVE-2024-3596 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Wi-Fi Alliance Not Affected

Notified:  2024-06-03 Updated: 2024-07-09

Statement Date:   June 17, 2024

CVE-2024-3596 Not Affected

Vendor Statement

In all Wi-Fi Alliance specifications, RADIUS is solely used to transport EAP (802.1X) messages. RADIUS support for EAP is defined in RFC 3579, which requires every Access-Accept and Access-Reject EAP message to be authenticated using a Message-Authenticator attribute. In other words, these messages cannot be forged using the technique described in this attack.

Illumos Unknown

Notified:  2024-07-10 Updated: 2024-07-10

Statement Date:   July 10, 2024

CVE-2024-3596 Unknown

Vendor Statement

The only subsystems in illumos-gate that use RADIUS are the WPA supplicant (wpad), which always has EAP, and the iSCSI subsystem. Initial inspections of the iSCSI seem to indicate that Message-Authenticator is always set on Request messages (IOW, the MAY in the spec is interpreted as a MUST by the illumos iSCSI implementation).

Further consultations with iSCSI experts will confirm or deny. I'm leaving illumos as "unknown" until I learn more.

A10 Networks Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

ACCESS Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Actelis Networks Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Actiontec Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

ADTRAN Unknown

Notified:  2024-02-06 Updated: 2024-07-09

Statement Date:   February 21, 2024

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Advantech Czech Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Akamai Technologies Inc. Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Alcatel-Lucent Enterprise Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Allied Telesis Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Amazon Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Apple Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Arcadyan Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

ARRIS Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

ASUSTeK Computer Inc. Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Atheros Communications Inc Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

AT&T Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Avaya Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Barracuda Networks Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Belden Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Belkin Inc. Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Broadcom Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Brocade Communication Systems Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cambium Networks Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ceragon Networks Inc Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cisco Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cloudflare Unknown

Notified:  2024-06-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Comcast Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Commscope Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Contiki OS Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cradlepoint Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

dd-wrt Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Debian GNU/Linux Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell EMC Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell SecureWorks Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Deutsche Telekom Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Digi International Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

dnsmasq Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Duo Security Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ericsson Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Espressif Systems Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Extreme Networks Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

F5 Networks Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Force10 Networks Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Forcepoint Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Fortinet Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

General Electric Unknown

Notified:  2024-05-31 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Gentoo Linux Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Google Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Green Hills Software Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

HardenedBSD Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

HCC Embedded Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hewlett Packard Enterprise Unknown

Notified:  2024-02-05 Updated: 2024-07-09

Statement Date:   April 24, 2024

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hitachi Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

hostapd Unknown

Notified:  2024-02-16 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

HP Inc. Unknown

Notified:  2024-06-17 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

HTC Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM Corporation (zseries) Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Infoblox Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Intel Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Lantronix Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Lenovo Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

LG Electronics Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

LibreSSL Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

lwIP Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Marvell Semiconductor Unknown

Notified:  2024-04-30 Updated: 2024-07-09

Statement Date:   June 12, 2024

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

McAfee Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

MediaTek Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Medtronic Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Metaswitch Networks Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Microchip Technology Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Micro Focus Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

MikroTik Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Miredo Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Mitel Networks Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Motorola Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Muonics Inc. Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

NEC Corporation Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

NetBSD Unknown

Notified:  2024-02-07 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

NetComm Wireless Limited Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

NETGEAR Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

NETSCOUT Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Nokia Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Nozomi Networks Unknown

Notified:  2024-05-03 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

NVIDIA Unknown

Notified:  2024-02-07 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

OMRON Industrial Automation Unknown

Notified:  2024-02-05 Updated: 2024-07-09

Statement Date:   February 06, 2024

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

OpenBSD Unknown

Notified:  2024-02-07 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

OpenConnect Ltd Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Openwall GNU/*/Linux Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

OpenWRT Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Oracle Corporation Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

pfSense Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Philips Electronics Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ping Identity Unknown

Notified:  2024-03-18 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Proxim Inc. Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Pulse Secure Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

QLogic Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

QNAP Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Qualcomm Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Riverbed Technologies Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ruckus Wireless Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Samsung Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Samsung Mobile Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Schneider Electric Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Sierra Wireless Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

SITA Unknown

Notified:  2024-05-31 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

SonicWall Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Sophos Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Symantec Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Synology Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

TDS Telecom Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Tenable Network Security Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

TippingPoint Technologies Inc. Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Tizen Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

TP-LINK Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Treck Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Turbolinux Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ubiquiti Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ubiquitous Telecommunications Technology Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ubuntu Unknown

Notified:  2024-04-25 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Untangle Unknown

Notified:  2024-07-10 Updated: 2024-07-10

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Vantiva Unknown

Notified:  2024-07-11 Updated: 2024-07-12

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Viasat Unknown

Notified:  2024-02-06 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

VMware Unknown

Notified:  2024-02-07 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Wind River Unknown

Notified:  2024-02-07 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

Zyxel Unknown

Notified:  2024-02-05 Updated: 2024-07-09

CVE-2024-3596 Unknown

Vendor Statement

We have not received a statement from the vendor.

View all 159 vendors View less vendors


Other Information

CVE IDs: CVE-2024-3596
API URL: VINCE JSON | CSAF
Date Public: 2024-07-09
Date First Published: 2024-07-09
Date Last Updated: 2024-09-24 22:09 UTC
Document Revision: 11

Sponsored by CISA.