Important Certain versions of Microsoft Windows have reached the end of support. Note that some versions of Windows may be supported past the latest OS end date when Extended Security Updates (ESUs) are available. See Lifecycle FAQ - Extended Security Updates for a list of products offering ESUs.
Change date | Change description
August 1, 2024 |
August 5, 2024 |
August 6, 2024 |
Summary
The Windows updates dated on or after July 9, 2024 address a security vulnerability in the Remote Authentication Dial-In User Service (RADIUS) protocol related to MD5 collision attacks. Because MD5 provides only weak integrity protection, an attacker might tamper with packets to gain unauthorized access. This MD5 weakness leaves User Datagram Protocol (UDP) based RADIUS traffic sent over the Internet insecure against packet forgery or modification in transit.
For more information about this vulnerability, see CVE-2024-3596 and the whitepaper RADIUS AND MD5 COLLISION ATTACKS.
NOTE This vulnerability requires physical access to the RADIUS network and the Network Policy Server (NPS). Therefore, customers who have secured RADIUS networks are not vulnerable. Additionally, the vulnerability does not apply when RADIUS communication occurs over VPN.
Take action
To help protect your environment, we recommend enabling the following configurations. For more information, see the Configurations section.
Events added by this update
For more information, see the Configurations section.
Note These Event IDs are added to the NPS server by the Windows updates dated on or after July 9, 2024.
The Access-Request packet was dropped because it contained the Proxy-State attribute but lacked the Message-Authenticator attribute. Consider changing the RADIUS client to include the Message-Authenticator attribute. Alternatively, add an exception for the RADIUS client by using the limitProxyState configuration.
Event log: System
Event type: Error
Event source: NPS
Event ID: 4418
Event text: An Access-Request message was received from RADIUS client <ip/name> containing a Proxy-State attribute, but it did not include a Message-Authenticator attribute. As a result, the request was dropped. The Message-Authenticator attribute is mandatory for security purposes. See https://support.microsoft.com/help/5040268 to learn more.
This is an audit event for Access-Request packets received without the Message-Authenticator attribute in the presence of a Proxy-State attribute. Consider changing the RADIUS client to include the Message-Authenticator attribute. The RADIUS packet will be dropped once the limitProxyState configuration is enabled.
Event log: System
Event type: Warning
Event source: NPS
Event ID: 4419
Event text: An Access-Request message was received from RADIUS client <ip/name> containing a Proxy-State attribute, but it did not include a Message-Authenticator attribute. The request is currently allowed since the limitProxyState is configured in Audit mode. See https://support.microsoft.com/help/5040268 to learn more.
This is an audit event for RADIUS response packets received at the proxy without the Message-Authenticator attribute. Consider changing the specified RADIUS server so that it includes the Message-Authenticator attribute. The RADIUS packet will be dropped once the requireMsgAuth configuration is enabled.
Event log: System
Event type: Warning
Event source: NPS
Event ID: 4420
Event text: The RADIUS Proxy received a response from server <ip/name> with a missing Message-Authenticator attribute. Response is currently allowed since the requireMsgAuth is configured in Audit mode. See https://support.microsoft.com/help/5040268 to learn more.
This event is logged during service start when the recommended settings are not configured. Consider enabling the settings if the RADIUS network is unsecured. For secured networks, these events can be ignored.
Event log: System
Event type: Warning
Event source: NPS
Event ID: 4421
Event text: RequireMsgAuth and/or limitProxyState configuration is in <Disable/Audit> mode. These settings should be configured in Enable mode for security purposes. See https://support.microsoft.com/help/5040268 to learn more.
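As an added illustration (not part of this article or of NPS itself), the following Python script builds RADIUS Access-Request packets with and without the Message-Authenticator attribute (RFC 2869 section 5.14: HMAC-MD5 keyed with the shared secret over the packet with the attribute value zeroed) and applies the same accept/drop decision that the limitProxyState and requireauthattrib settings described here make. The shared secret, attribute values and Request Authenticator are constructed sample values.

```python
import hashlib, hmac, struct

ACCESS_REQUEST = 1                                   # RADIUS packet code
ATTR_USER_NAME, ATTR_PROXY_STATE, ATTR_MESSAGE_AUTHENTICATOR = 1, 33, 80

def build_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length (including the 2-byte header), value."""
    return bytes([attr_type, 2 + len(value)]) + value

def parse_attrs(pkt, start=20):
    """Yield (type, value, absolute offset of value) for each attribute after the 20-byte header."""
    i = start
    while i < len(pkt):
        attr_type, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed attribute")
        yield attr_type, pkt[i + 2:i + length], i + 2
        i += length

def build_access_request(ident, authenticator, attrs, secret=None):
    """Assemble an Access-Request. With a shared secret, append Message-Authenticator (RFC 2869
    section 5.14): HMAC-MD5 over the whole packet with the attribute's 16 value bytes zeroed."""
    body = b"".join(build_attr(t, v) for t, v in attrs)
    if secret is not None:
        body += build_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    if secret is not None:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt

def check_access_request(pkt, secret, require_always=False):
    """Accept/drop decision mirroring the article's settings: limitProxyState in Enable mode
    (Proxy-State requires Message-Authenticator) or requireauthattrib (require_always=True)."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return "drop: malformed"
    attrs = list(parse_attrs(pkt))
    has_proxy_state = any(t == ATTR_PROXY_STATE for t, _, _ in attrs)
    macs = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        if has_proxy_state or require_always:
            return "drop: missing Message-Authenticator"      # the Proxy-State case is event 4418
        return "accept (unauthenticated)"
    value, off = macs[0]
    # Recompute the HMAC over the packet with the attribute value zeroed, exactly as the sender did.
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if hmac.compare_digest(expected, value):                  # also False on any length mismatch
        return "accept"
    return "drop: Message-Authenticator mismatch"
```

Modifying any byte of a packet that carries Message-Authenticator (for example its Proxy-State value) makes the recomputed HMAC differ, which is the integrity check the bare MD5 Response Authenticator cannot provide.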
Configurations
This configuration makes the NPS Proxy send the Message-Authenticator attribute in all Access-Request packets. To enable this configuration, use one of the following methods.
Method 1: Use the NPS Microsoft Management Console (MMC)
To use the NPS MMC, follow these steps:
- Open the NPS user interface (UI) on the server.
- Open Remote RADIUS Server Groups.
- Select the RADIUS server.
- Go to Authentication/Accounting.
- Select the "The request must contain the Message-Authenticator attribute" checkbox.
Method 2: Use the netsh command
To use netsh, run the following command:
netsh nps set remoteserver remoteservergroup = <server group name> address = <server address> requireauthattrib = yes
For more information, see Remote RADIUS Server Group Commands.
This configuration requires the Message-Authenticator attribute in all Access-Request packets and drops the packet if absent.
Method 1: Use the NPS Microsoft Management Console (MMC)
To use the NPS MMC, follow these steps:
- Open the NPS user interface (UI) on the server.
- Open RADIUS Clients.
- Select the RADIUS client.
- Go to Advanced Settings.
- Select the "Access-Request messages must contain the Message-Authenticator attribute" checkbox.
For more information, see Configure RADIUS Clients.
Method 2: Use the netsh command
To use netsh, run the following command:
netsh nps set client name = <client name> requireauthattrib = yes
For more information, see Remote RADIUS Server Group Commands.
This configuration enables the NPS server to drop potentially vulnerable Access-Request packets that contain a Proxy-State attribute but do not include a Message-Authenticator attribute. This configuration supports three modes:
- Audit
- Enable
- Disable
In Audit mode, a warning event (Event ID: 4419) is logged, but the request is still processed. Use this mode to identify the non-compliant entities sending the requests.
Use the netsh command to configure, enable, and add an exception as needed.
- To configure clients in Audit mode, run the following command:
  netsh nps set limitproxystate all = "audit"
- To configure clients in Enable mode, run the following command:
  netsh nps set limitproxystate all = "enable"
- To add an exception to exclude a client from limitProxyState validation, run the following command:
  netsh nps set limitproxystate name = <client name> exception = "Yes"
This configuration enables the NPS Proxy to drop potentially vulnerable response messages that lack the Message-Authenticator attribute. This configuration supports three modes:
- Audit
- Enable
- Disable
In Audit mode, a warning event (Event ID: 4420) is logged, but the response is still processed. Use this mode to identify the non-compliant entities sending the responses.
Use the netsh command to configure, enable, and add an exception as needed.
- To configure servers in Audit mode, run the following command:
  netsh nps set requiremsgauth all = "audit"
- To enable the configuration for all servers, run the following command:
  netsh nps set requiremsgauth all = "enable"
- To add an exception to exclude a server from requireMsgAuth validation, run the following command:
  netsh nps set requiremsgauth remoteservergroup = <remote server group name> address = <server address> exception = "yes"
Frequently asked questions
Check the NPS events in the System log for the related Event IDs (4418 through 4421). Consider adding exceptions or configuration adjustments for the affected clients and servers.
No, the configurations discussed in this article are recommended for unsecured networks.
References
Description of the standard terminology that is used to describe Microsoft software updates
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. We make no warranty, implied or otherwise, about the performance or reliability of these products.
We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.