IdM OTP stops working after the external RADIUS server is patched for CVE-2024-3596

Solution Verified - Updated -

Issue

  • One-time password (OTP) authentication is enabled in IdM and proxied to an external RADIUS server (a radiusproxy entry, here cn=externalradius,cn=radiusproxy,...).
  • After the external RADIUS server was patched for CVE-2024-3596 (the "Blast-RADIUS" MD5 collision attack on RADIUS/UDP), OTP authentication stops working.
  • The ipa-otpd debug log shows that the IdM server forwarded the request but never received a response from the external RADIUS server: the forward timed out after 15 seconds and ipa-otpd answered the client with Access-Reject. A timeout rather than an explicit rejection is the signature of a server that discards the request: the mitigation for CVE-2024-3596 requires the Message-Authenticator attribute in every Access-Request, and a hardened server typically drops requests that lack it without replying.

    Feb 12 00:21:09 <...> ipa-otpd[842]: bob@IDM.EXAMPLE.COM: request received
    Feb 12 00:21:09 <...> ipa-otpd[842]: bob@IDM.EXAMPLE.COM: user query start
    Feb 12 00:21:09 <...> ipa-otpd[842]: bob@IDM.EXAMPLE.COM: user query end: uid=bob,cn=users,cn=accounts,dc=idm,dc=example,dc=com
    Feb 12 00:21:09 <...> ipa-otpd[842]: bob@IDM.EXAMPLE.COM: radius query start: cn=externalradius,cn=radiusproxy,dc=idm,dc=example,dc=com
    Feb 12 00:21:09 <...> ipa-otpd[842]: bob@IDM.EXAMPLE.COM: radius query end: external-radius.example.com
    Feb 12 00:21:09 <...> ipa-otpd[842]: bob@IDM.EXAMPLE.COM: forward start: bob / external-radius.example.com
    Feb 12 00:21:24 <...> ipa-otpd[842]: bob@IDM.EXAMPLE.COM: forward end: Connection timed out
    Feb 12 00:21:24 <...> ipa-otpd[842]: bob@IDM.EXAMPLE.COM: sent: 0 data: 20
    Feb 12 00:21:24 <...> ipa-otpd[842]: bob@IDM.EXAMPLE.COM: ..sent: 20 data: 20
    Feb 12 00:21:24 <...> ipa-otpd[842]: bob@IDM.EXAMPLE.COM: response sent: Access-Reject.
    

Environment

  • Red Hat Enterprise Linux 9
  • Red Hat Identity Management (IdM)
  • Third-Party RADIUS Server (patched for CVE-2024-3596)
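The following Python script is an added example for this article, not code from Red Hat IdM, ipa-otpd or any RADIUS vendor. It isolates the symptom above from the IdM side: it builds two RADIUS Access-Request packets for the external server, one carrying the Message-Authenticator attribute (HMAC-MD5 over the packet, RFC 3579 section 3.2) that the CVE-2024-3596 mitigation requires and one without it, sends both with a short timeout and reports which one the server answers, checking the Response Authenticator and Message-Authenticator on any reply. A server that answers the signed request and stays silent on the unsigned one reproduces exactly the "forward end: Connection timed out" seen in the ipa-otpd log; silence on both points at reachability or shared-secret problems instead. The server-side packet construction is included only so the verification path can be exercised offline. The server name, shared secret, user and OTP value are command-line inputs; the NAS-Identifier string, the 5-second timeout and the script name are assumptions.

```python
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 32, 80
NAS_ID = b"ipa-otpd-probe"  # assumed NAS-Identifier; any string will do for a probe

def attr(atype, value):
    # One RADIUS attribute: Type(1) Length(1) Value; Length includes the 2-byte header.
    return struct.pack("!BB", atype, len(value) + 2) + value

def encode_user_password(password, secret, request_auth):
    # RFC 2865 5.2: null-pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    pw = password.encode() or b"\x00"
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], block))
        out += prev
    return out

def build_access_request(secret, username, password, identifier=None,
                         request_auth=None, with_message_authenticator=True):
    # Client side. Message-Authenticator goes first; value = HMAC-MD5(secret, packet with value zeroed).
    identifier = os.urandom(1)[0] if identifier is None else identifier
    request_auth = os.urandom(16) if request_auth is None else request_auth
    attrs = attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16) if with_message_authenticator else b""
    attrs += attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
    attrs += attr(ATTR_NAS_IDENTIFIER, NAS_ID)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    if with_message_authenticator:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:22] + mac + pkt[38:]  # the first attribute's value occupies bytes 22..37
    return pkt

def build_response(code, request, secret, attrs=b"", with_message_authenticator=True):
    # Server side, here only for offline testing. Both authenticators are computed over the
    # Request Authenticator, never the Response Authenticator (RFC 2865 3, RFC 3579 3.2).
    request_auth = request[4:20]
    if with_message_authenticator:
        attrs = attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16) + attrs
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    if with_message_authenticator:
        mac = hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac + attrs[18:]
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def verify_message_authenticator(pkt, secret, request_auth=None):
    # True only if a valid Message-Authenticator is present. For a response, pass the
    # matching request's authenticator; for a request the packet's own is used.
    auth = pkt[4:20] if request_auth is None else request_auth
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:4] + auth + pkt[20:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, pkt[pos + 2:pos + 18])
        pos += alen
    return False  # absent: exactly the request a CVE-2024-3596-hardened server discards

def verify_response_authenticator(resp, secret, request_auth):
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def probe(server, secret, username, password, port=1812, timeout=5.0):
    # Send both variants. A hardened server answers only the signed one and silently discards
    # the other, which the client sees as a timeout, the same picture as in the ipa-otpd log.
    results = {}
    for label, with_ma in (("with Message-Authenticator", True), ("without", False)):
        req = build_access_request(secret, username, password, with_message_authenticator=with_ma)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(req, (server, port))
            try:
                resp, _ = sock.recvfrom(4096)
            except socket.timeout:
                results[label] = "no response within %.0fs (discarded or unreachable)" % timeout
                continue
        if len(resp) < 20 or resp[1] != req[1]:
            results[label] = "reply with wrong identifier or length, ignored"
            continue
        results[label] = "code=%d response-authenticator=%s message-authenticator=%s" % (
            resp[0], "ok" if verify_response_authenticator(resp, secret, req[4:20]) else "BAD",
            "ok" if verify_message_authenticator(resp, secret, req[4:20]) else "missing/bad")
    return results

if __name__ == "__main__":  # python3 radius_probe.py external-radius.example.com SECRET bob 123456
    for label, outcome in probe(sys.argv[1], sys.argv[2].encode(), sys.argv[3], sys.argv[4]).items():
        print("%-30s %s" % (label, outcome))
```

Run it from the IdM server so the source address matches the client entry the RADIUS server has for IdM; a server with a different shared secret or no client entry for that address typically also discards both packets, so a double timeout does not by itself prove the Message-Authenticator requirement. A reply whose Message-Authenticator is reported as "missing/bad" means the server is not yet signing its responses, which is the other half of the CVE-2024-3596 mitigation.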
