RADIUS Protocol Flaw Leaves Networks Vulnerable to Man-in-the-Middle Attacks

Cybersecurity experts have identified a significant vulnerability within the RADIUS network authentication protocol, known as BlastRADIUS. This flaw could allow malicious actors to perform Mallory-in-the-middle (MitM) attacks, potentially bypassing essential integrity checks under specific conditions. The discovery raises alarms about the security of RADIUS, an acronym for Remote Authentication Dial-In User Service, which is widely employed for centralized authentication, authorization, and accounting (AAA) in network services.

Alan DeKok, CEO of InkBridge Networks and the architect behind the FreeRADIUS Project, emphasized that certain Access-Request messages processed by the RADIUS protocol lack integrity or authentication checks. This absence enables attackers to modify transmitted packets undetected. Consequently, a threat actor could manipulate the authentication process to grant unauthorized access to users, which could include assigning arbitrary authorizations such as VLAN settings.

The RADIUS protocol relies on MD5-based hash constructions, and MD5 has been considered cryptographically broken since December 2008 because practical collision attacks against it exist. As a result, the Access-Request exchange is susceptible to a chosen-prefix collision attack, which lets an attacker forge response packets that appear legitimate to the client.

To exploit this vulnerability, an attacker would need the capability to intercept and alter RADIUS packets while they are in transit between the client and server. This makes the risk greatest for organizations that send RADIUS traffic over the internet. According to DeKok, authentication methods such as PAP, CHAP, and MS-CHAPv2 are the most exposed, which makes prompt upgrades of RADIUS servers and related networking equipment necessary.

Mitigations exist, including carrying RADIUS traffic over Transport Layer Security (TLS) and using the Message-Authenticator attribute to protect packet integrity, but they only help if they are actually enforced rather than merely available. ISPs and organizations that rely on this protocol should make sure they run the latest RADIUS versions to protect against these risks.

The vulnerability, tracked as CVE-2024-3596, carries a CVSS score of 9.0, indicating its severity and the urgent attention required. The inherent danger lies particularly within networks that send RADIUS/UDP traffic over the internet, as much of this data transmission occurs in an unencrypted format. At present, there is no evidence to suggest that this vulnerability is being actively exploited in the wild.

The CERT Coordination Center (CERT/CC) corroborated these findings, clarifying that the vulnerability could enable an attacker to forge an authentication response unless a Message-Authenticator attribute is enforced. Furthermore, security experts from Cloudflare have highlighted the potential for an improved MD5 collision attack, which allows unauthorized access to devices utilizing RADIUS without needing to compromise passwords.
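The Message-Authenticator enforcement that the CERT/CC guidance above and the mitigation paragraph describe, as an added Python example that is not from the article or from any RADIUS implementation: it builds a constructed Access-Request, appends the HMAC-MD5 Message-Authenticator as the RADIUS extensions RFC (RFC 2869) defines it, and shows the server-side check that rejects a request lacking the attribute or altered in transit. The shared secret, the fixed Request Authenticator and placing the attribute last in the packet are simplifying assumptions of this example.

```python
import hashlib
import hmac
import struct

ATTR_USER_NAME = 1                # RADIUS attribute type codes
ATTR_MESSAGE_AUTHENTICATOR = 80

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def build_access_request(secret, ident, authenticator, attrs, sign=True):
    """Access-Request (code 1); sign=True appends a Message-Authenticator equal to
    HMAC-MD5(shared secret) over the packet with that attribute's value zeroed."""
    if sign:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]  # placeholder, last
    body = encode_attrs(attrs)
    packet = struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body
    if sign:
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet

def find_attr(packet, attr_type):
    """Walk the attribute list; return (value offset, value) or None if absent/malformed."""
    off = 20
    while off + 2 <= len(packet):
        t, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            return None
        if t == attr_type:
            return off + 2, packet[off + 2 : off + length]
        off += length
    return None

def verify_message_authenticator(packet, secret):
    """Server-side check: accept an Access-Request only if its length field is sane,
    it carries a Message-Authenticator, and the HMAC-MD5 verifies under the secret."""
    if len(packet) < 20 or packet[0] != 1 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    found = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        return False  # missing attribute: exactly the case BlastRADIUS abuses
    off, received = found
    zeroed = packet[:off] + bytes(16) + packet[off + 16 :]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)

SECRET = b"constructed-shared-secret"  # constructed sample value, not a real secret
AUTH = bytes(range(16))                # constructed Request Authenticator (random in practice)
SIGNED = build_access_request(SECRET, 7, AUTH, [(ATTR_USER_NAME, b"alice")])
UNSIGNED = build_access_request(SECRET, 7, AUTH, [(ATTR_USER_NAME, b"alice")], sign=False)
```

Flipping one byte of User-Name in transit, or omitting the attribute altogether, makes the check fail; that is what enforcing Message-Authenticator on Access-Request buys the server.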

As businesses increasingly depend on secure network access, it is imperative for them to reconsider their RADIUS implementations. The tactics and techniques associated with this vulnerability map to initial access and privilege escalation as described in the MITRE ATT&CK framework, underscoring the urgent need for heightened security measures and a thorough reevaluation of current network protocols.
