Applies ToWindows Server 2008 Datacenter ESU Windows Server 2008 Standard ESU Windows Server 2008 Enterprise ESU Windows Server 2008 R2 Enterprise ESU Windows Server 2008 R2 Standard ESU Windows Server 2008 R2 Datacenter ESU Windows Server 2012 ESU Windows Server 2012 R2 ESU Windows 10, version 1607, all editions Windows Server 2016 Windows 10 Home and Pro, version 21H2 Windows 10 Enterprise and Education, version 21H2 Windows 10 IoT Enterprise, version 21H2 Windows 10 Home and Pro, version 22H2 Windows 10 Enterprise Multi-Session, version 22H2 Windows 10 Enterprise and Education, version 22H2 Windows 10 IoT Enterprise, version 22H2 Windows 11 SE, version 21H2 Windows 11 Home and Pro, version 21H2 Windows 11 Enterprise and Education, version 21H2 Windows 11 IoT Enterprise, version 21H2 Windows 11 SE, version 22H2 Windows 11 Home and Pro, version 22H2 Windows 11 Enterprise Multi-Session, version 22H2 Windows 11 Enterprise and Education, version 22H2 Windows 11 IoT Enterprise, version 22H2 Windows Server 2022 Windows 11 Home and Pro, version 23H2 Windows 11 Enterprise and Education, version 23H2 Windows 11 Enterprise Multi-Session, version 23H2 Windows 11 IoT Enterprise, version 23H2 Windows 11 SE, version 24H2 Windows 11 Enterprise and Education, version 24H2 Windows 11 Enterprise Multi-Session, version 24H2 Windows 11 Home and Pro, version 24H2 Windows 11 IoT Enterprise, version 24H2

Important Certain versions of Microsoft Windows have reached the end of support. Note that some versions of Windows may be supported past the latest OS end date when Extended Security Updates (ESUs) are available. See Lifecycle FAQ - Extended Security Updates for a list of products offering ESUs.

Change date

Change description

August 1, 2024

  • Minor formatting changes for readability

  • In the "Configure verification of the Message-Authenticator attribute in all Access-Request packets on the client" configuration, the word "message" was used instead of "packet"

August 5, 2024

  • Added link for User Datagram Protocol (UDP)

  • Added link for Network Policy Server (NPS)

August 6, 2024

  • Updated the "Summary" section to indicate these changes are included in the Windows updates dated on or after July 9, 2024

  • Updated the bullet points in the "Take action" section to indicate we recommend turning the options on. These options are turned off by default.

  • Added a note to the "Events added by this update" section to indicate the Event IDs are added to the NPS server by the Windows updates dated on or after July 9, 2024

Contents

Summary

The Windows updates dated on or after July 9, 2024 address a security vulnerability in the Remote Authentication Dial-In User Service (RADIUS) protocol related to MD5 collision problems. Because of weak integrity checks in MD5, an attacker might tamper with packets to gain unauthorized access. MD5 vulnerability makes User Datagram Protocol (UDP) based RADIUS traffic over the Internet nonsecure against packet forgery or modification during transit. 

For more information about this vulnerability, see CVE-2024-3596 and the whitepaper RADIUS AND MD5 COLLISION ATTACKS.

NOTE This vulnerability requires physical access to the RADIUS network and the Network Policy Server (NPS). Therefore, customers who have secured RADIUS networks are not vulnerable. Additionally, the vulnerability does not apply when RADIUS communication occurs over VPN. 

Take action

To help protect your environment, we recommend enabling the following configurations. For more information, see the Configurations section.

  • Set the Message-Authenticator attribute in Access-Request packets. Make sure all Access-Request packets include the Message-Authenticator attribute. By default, the option to set the Message-Authenticator attribute is turned off. We recommend turning this option on.

  • Verify the Message-Authenticator attribute in Access-Request packets. Consider enforcing validation of the Message-Authenticator attribute on Access-Request packets. Access-Request packets without this attribute will not be processed. By default, the Access-Request messages must contain the message-authenticator attribute option is turned off. We recommend turning this option on.

  • Verify the Message-Authenticator attribute in Access-Request packets if the Proxy-State attribute is present. Optionally, enable the limitProxyState option if enforcing validation of the Message-Authenticator attribute on every Access-Request packet cannot be performed. limitProxyState enforces dropping Access-Request packets containing the Proxy-state attribute without the Message-Authenticator attribute. By default, the limitproxystate option is turned off. We recommend turning this option on.​​​​​​​

  • Verify the Message-Authenticator attribute in RADIUS response packets: Access-Accept, Access-Reject and Access-Challenge. Enable the requireMsgAuth option to enforce dropping the RADIUS response packets from remote servers without the Message-Authenticator attribute. By default, the requiremsgauth option is turned off. We recommend turning this option on.

Events added by this update

For more information, see the Configurations section.

Note These Event IDs are added to the NPS server by the Windows updates dated on or after July 9, 2024.

The Access-Request packet was dropped because it contained the Proxy-State attribute but lacked the Message-Authenticator attribute. Consider changing the RADIUS client to include the Message-Authenticator attribute. Or, alternatively, add an exception for the RADIUS client by using the limitProxyState configuration.

Event log

System

Event type

Error

Event source

NPS

Event ID

4418

Event text

An Access-Request message was received from RADIUS client <ip/name> containing a Proxy-State attribute, but it did not include a Message-Authenticator attribute. As a result, the request was dropped. The Message-Authenticator attribute is mandatory for security purposes. See https://support.microsoft.com/help/5040268 to learn more. 

This is an audit event for Access-Request packets without the Message-Authenticator attribute in presence of Proxy-State. Consider changing the RADIUS client to include the Message-Authenticator attribute. The RADIUS packet will be dropped once the limitproxystate configuration is enabled.

Event log

System

Event type

Warning

Event source

NPS

Event ID

4419

Event text

An Access-Request message was received from RADIUS client <ip/name> containing a Proxy-State attribute, but it did not include a Message-Authenticator attribute. The request is currently allowed since the limitProxyState is configured in Audit mode. See https://support.microsoft.com/help/5040268 to learn more. 

This is an Audit event for RADIUS response packets received without the Message-Authenticator attribute at the proxy. Consider changing the specified RADIUS server for the Message-Authenticator attribute. The RADIUS packet will be dropped once the requiremsgauth configuration is enabled.

Event log

System

Event type

Warning

Event source

NPS

Event ID

4420

Event text

The RADIUS Proxy received a response from server <ip/name> with a missing Message-Authenticator attribute. Response is currently allowed since the requireMsgAuth is configured in Audit mode. See https://support.microsoft.com/help/5040268 to learn more.

This event is logged during service start when the recommended settings are not configured. Consider enabling the settings if the RADIUS network is unsecure. For secure networks, these events can be ignored.

Event log

System

Event type

Warning

Event source

NPS

Event ID

4421

Event text

RequireMsgAuth and/or limitProxyState configuration is in <Disable/Audit> mode. These settings should be configured in Enable mode for security purposes. See https://support.microsoft.com/help/5040268 to learn more.

Configurations

This configuration enables the NPS Proxy to start sending the Message-Authenticator attribute in all Access-Request packets. To enable this configuration, use one of the following methods.

Method 1: Use the NPS Microsoft Management Console (MMC)

To use the NPS MMC, follow these steps:

  1. Open the NPS user interface (UI) on the server.

  2. Open the remote Radius Server Groups.

  3. Select Radius Server.

  4. Go to Authentication/Accounting.

  5. Click to select the The request must contain the Message-Authenticator attribute checkbox.

Method 2: Use the netsh command

To use netsh, run the following command:

netsh nps set remoteserver remoteservergroup = <server group name> address = <server address> requireauthattrib = yes

For more information, see Remote RADIUS Server Group Commands.

This configuration requires the Message-Authenticator attribute in all Access-Request packets and drops the packet if absent.

Method 1: Use the NPS Microsoft Management Console (MMC)

To use the NPS MMC, follow these steps:

  1. Open the NPS user interface (UI) on the server.

  2. Open Radius Clients.

  3. Select Radius Client.

  4. Go to Advance Settings.

  5. Click to select the Access-Request messages must contain the message-authenticator attribute checkbox.

For more information, see Configure RADIUS Clients.

Method 2: Use netsh command

To use netsh, run the following command:

netsh nps set client name = <client name> requireauthattrib = yes

For more information, see Remote RADIUS Server Group Commands.

This configuration enables the NPS server to drop potential vulnerable Access-Request packets that contain a Proxy-State attribute, but do not include a Message-Authenticator attribute. This configuration supports three modes:

  • Audit

  • Enable

  • Disable

In Audit mode, a warning event (Event ID: 4419) is logged, but the request is still processed. Use this mode to identify the non-compliant entities sending the requests.

Use the netsh command to configure, enable, and add an exception as needed.

  1. To configure clients in Audit mode, run the following command:

    netsh nps set limitproxystate all = "audit"

  2. To configure clients in Enable mode, run the following command:

    netsh nps set limitproxystate all = "enable" 

  3. To add an exception to exclude a client from limitProxystate validation, run the following command:

    netsh nps set limitproxystate name = <client name> exception = "Yes" 

This configuration enables NPS Proxy to drop potentially vulnerable response messages without the Message-Authenticator attribute. This configuration supports three modes:

  • Audit

  • Enable

  • Disable

In Audit mode, a warning event (Event ID: 4420) is logged, but the request is still processed. Use this mode to identify the non-compliant entities sending the responses.

Use the netsh command to configure, enable, and add an exception as needed.

  1. To configure servers in Audit mode, run the following command:

    netsh nps set requiremsgauth all = "audit"

  2. To enable configurations for all servers, run the following command:

    netsh nps set requiremsgauth all = "enable"

  3. To add an exception to exclude a server from requireauthmsg validation, run the following command:

    netsh nps set requiremsgauth remoteservergroup = <remote server group name> address = <server address> exception = "yes"

Frequently asked questions

Check NPS module events for related events. Consider adding exceptions or configuration adjustments for affected clients/servers.

No, the configurations discussed in this article are recommended for unsecured networks. 

References

Description of the standard terminology that is used to describe Microsoft software updates

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. We make no warranty, implied or otherwise, about the performance or reliability of these products.

We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.