RADIUS Message-Authenticator with HMAC-MD5 #54
nkarakasuk started this conversation in General. Replies: 0 comments
Hi,
CVE-2024-3596, known as the "Blast-RADIUS" vulnerability, affects RADIUS servers that use the MD5-based Response Authenticator (as defined in RFC 2865). This flaw allows a local attacker to modify RADIUS responses (such as Access-Accept or Access-Reject) using a chosen-prefix collision attack on the MD5 authenticator. This attack can lead to unauthorized access or privilege escalation by altering authentication responses. It is especially relevant for systems using CHAP or PAP authentication methods.
The core issue stems from MD5's vulnerability to prefix collisions, which enables attackers to craft forged RADIUS responses during a Man-in-the-Middle (MitM) attack, thereby bypassing authentication.
I tried to mitigate it as described below, but I failed.
Enable Message-Authenticator: One of the main mitigations is enabling the Message-Authenticator attribute, which uses HMAC-MD5. This provides stronger integrity checks than the standard MD5 Response Authenticator. By incorporating the Message-Authenticator, you can ensure that any RADIUS response is validated for integrity, making it significantly more difficult for attackers to forge messages without detection. This added security measure helps protect against the exploitation of the vulnerability, thereby securing your authentication process.
Could anybody please help me to develop this for HMAC-MD5?
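The Message-Authenticator mechanism the post asks about, as an added example that is not part of the original discussion and not code from any RADIUS project. It follows RFC 2869 section 5.14: the attribute (type 80) carries HMAC-MD5, keyed with the shared secret, over the whole packet with the attribute's own 16-byte value zeroed; for Access-Accept, Access-Reject and Access-Challenge the Request Authenticator of the matching Access-Request is substituted into the header before hashing. The verifier fails closed, rejecting any Access-* packet that lacks the attribute, since a peer that silently accepts unsigned packets gains nothing from the check. The shared secret, identifier, user name and packet layout are constructed sample data; `build_packet`, `sign`, `verify` and `demo` are names chosen here, not a library API.

```python
"""Added example: RFC 2869 Message-Authenticator (HMAC-MD5) for RADIUS packets.

Hypothetical helper code, not taken from any RADIUS implementation. The shared
secret, identifiers and attribute values are constructed sample data."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME = 1        # User-Name attribute type (RFC 2865)
MSG_AUTH = 80        # Message-Authenticator attribute type (RFC 2869)
HEADER_LEN = 20      # code(1) + identifier(1) + length(2) + authenticator(16)
ZERO16 = b"\x00" * 16


def build_packet(code, identifier, authenticator, attributes):
    """Serialise a RADIUS header followed by TLV attributes ((type, value) pairs)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def find_message_authenticator(packet):
    """Offset of the 16-byte Message-Authenticator value, or None if absent."""
    off = HEADER_LEN
    while off + 2 <= len(packet):
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == MSG_AUTH:
            if attr_len != 18:
                raise ValueError("Message-Authenticator value must be 16 bytes")
            return off + 2
        off += attr_len
    return None


def compute_message_authenticator(packet, secret, request_authenticator=None):
    """HMAC-MD5 keyed with the shared secret over the whole packet, with the
    Message-Authenticator value zeroed. For Access-Accept/Reject/Challenge the
    Request Authenticator of the matching request replaces the header field."""
    off = find_message_authenticator(packet)
    if off is None:
        raise ValueError("no Message-Authenticator attribute present")
    buf = bytearray(packet)
    if request_authenticator is not None:
        buf[4:20] = request_authenticator
    buf[off:off + 16] = ZERO16
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def sign(packet, secret, request_authenticator=None):
    """Write the HMAC into a packet that was built with a zeroed placeholder."""
    off = find_message_authenticator(packet)
    mac = compute_message_authenticator(packet, secret, request_authenticator)
    return packet[:off] + mac + packet[off + 16:]


def response_authenticator(packet, secret, request_authenticator):
    """RFC 2865 Response Authenticator: MD5(code|id|length|ReqAuth|attrs|secret).
    This unkeyed MD5 value is what Blast-RADIUS targets; it is computed after the
    Message-Authenticator has been filled in, so it covers the HMAC as well."""
    return hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()


def verify(packet, secret, request_authenticator=None):
    """Fail closed: reject packets lacking the attribute or with a wrong HMAC."""
    off = find_message_authenticator(packet)
    if off is None:
        return False
    expected = compute_message_authenticator(packet, secret, request_authenticator)
    return hmac.compare_digest(expected, packet[off:off + 16])


def demo(secret=b"constructed-shared-secret"):
    """Client signs an Access-Request; server answers with a signed Access-Accept.
    A copy turned into Access-Reject and a copy with the attribute stripped both
    fail verification, which is exactly the forgery the attribute exists to stop."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    # Message-Authenticator placed first, as post-Blast-RADIUS guidance recommends.
    request = sign(build_packet(ACCESS_REQUEST, 7, req_auth,
                                [(MSG_AUTH, ZERO16), (USER_NAME, b"alice")]), secret)
    reply = sign(build_packet(ACCESS_ACCEPT, 7, ZERO16, [(MSG_AUTH, ZERO16)]),
                 secret, req_auth)
    reply = reply[:4] + response_authenticator(reply, secret, req_auth) + reply[20:]
    tampered = bytes([ACCESS_REJECT]) + reply[1:]
    stripped = build_packet(ACCESS_ACCEPT, 7, reply[4:20], [])
    return {
        "request_valid": verify(request, secret),
        "reply_valid": verify(reply, secret, req_auth),
        "tampered_valid": verify(tampered, secret, req_auth),
        "stripped_valid": verify(stripped, secret, req_auth),
        "wrong_secret_valid": verify(reply, b"other-secret", req_auth),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The server side must remember the Request Authenticator of each outstanding request (keyed by client address and identifier) in order to verify the reply, and should drop Access-* packets without the attribute rather than fall back to the plain Response Authenticator.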