Radius protocol vulnerability advisory for VIP Authentication Hub

Article ID: 371743


Products

VIP Authentication Hub

Issue/Introduction

We have an efficient forgery attack against the Response Authenticator used to authenticate RADIUS server Access-Accept or Access-Reject messages. This is a protocol vulnerability in RADIUS as defined by RFC 2865 and applies to RADIUS/UDP. It allows a man-in-the-middle attacker to forge a valid Access-Accept response to a client request that has been rejected by the RADIUS server, and so gain access to the network resources and devices for which the RADIUS client may authorize users. The Response Authenticator is an MD5 hash of values from the RADIUS client request and server response together with a fixed shared secret (unknown to the attacker) that is shared between the RADIUS client and server. The first byte (the Code field) of an Access-Accept message and of an Access-Reject message differs. The attacker executes a so-called chosen-prefix collision attack on MD5 to change the message type in the first byte and any relevant packet attributes while ensuring that the Access-Reject and the forged Access-Accept both produce the same Response Authenticator.
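To make the check described above concrete, the following Python example (added here; it is not code from Broadcom, the VIP Authentication Hub product, or RFC 2865 itself) implements the RFC 2865 Response Authenticator computation, MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret, and the client-side verification of it. The shared secret, attribute values and identifier are constructed for the example. It shows that a naive change of the Code byte alone is caught, which is exactly why the attack on the page needs an MD5 collision: a colliding Access-Reject/Access-Accept pair yields the same digest, and this verification cannot tell them apart.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes from RFC 2865
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attributes(attrs):
    """Encode (type, value) pairs as RFC 2865 Type/Length/Value attributes."""
    out = b""
    for attr_type, value in attrs:
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def build_packet(code, identifier, authenticator, attributes):
    """Assemble a RADIUS packet: 4-byte header, 16-byte Authenticator, attributes."""
    length = HEADER_LEN + len(attributes)
    return struct.pack("!BBH", code, identifier, length) + authenticator + attributes


def response_authenticator(code, identifier, request_authenticator, attributes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attributes)
    data = (struct.pack("!BBH", code, identifier, length)
            + request_authenticator + attributes + secret)
    return hashlib.md5(data).digest()


def build_response(code, identifier, request_authenticator, attributes, secret):
    """Server side: answer an Access-Request with a response carrying a valid Response Authenticator."""
    auth = response_authenticator(code, identifier, request_authenticator, attributes, secret)
    return build_packet(code, identifier, auth, attributes)


def verify_response(response, request_authenticator, secret):
    """Client side: recompute the Response Authenticator and compare it in constant time."""
    if len(response) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or length < HEADER_LEN:
        return False
    received = response[4:HEADER_LEN]
    attributes = response[HEADER_LEN:length]
    expected = response_authenticator(code, identifier, request_authenticator, attributes, secret)
    return hmac.compare_digest(received, expected)


def rewrite_code_field(packet, new_code):
    """Change only the first byte (the Code) of a packet, leaving the authenticator untouched."""
    return bytes([new_code]) + packet[1:]


def demo():
    secret = b"constructed-shared-secret"  # constructed value, not a real deployment secret
    request_auth = os.urandom(16)           # the client picks a fresh random Request Authenticator
    identifier = 7
    # Access-Reject carrying a Reply-Message (type 18) attribute; the text is constructed
    reject_attrs = encode_attributes([(18, b"Access denied")])
    reject = build_response(ACCESS_REJECT, identifier, request_auth, reject_attrs, secret)
    genuine_ok = verify_response(reject, request_auth, secret)
    # Flipping only the Code byte changes the MD5 input, so the plain check rejects it;
    # the attack on the page instead produces a colliding packet pair with equal digests.
    tampered_ok = verify_response(rewrite_code_field(reject, ACCESS_ACCEPT), request_auth, secret)
    wrong_secret_ok = verify_response(reject, request_auth, b"other-secret")
    return genuine_ok, tampered_ok, wrong_secret_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The verifier deliberately recomputes the digest from the received packet's own Code, Identifier and Length fields, which is what makes the Code byte part of the authenticated data. Because the digest is unkeyed MD5 with the secret merely appended, the strength of this check rests entirely on MD5 collision resistance, which is the property the advisory's chosen-prefix attack breaks.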

Environment

VIP AH 3.1

Cause

Resolution

VIP Authentication Hub does not use the RADIUS protocol, so it is not impacted by this vulnerability.