RADIUS Protocol Vulnerability Exposes Networks to MitM Attacks

Cybersecurity researchers have discovered a security vulnerability in the RADIUS network authentication protocol, named BlastRADIUS, that could be exploited to perform Man-in-the-Middle (MitM) attacks and bypass integrity checks under certain conditions.

“The RADIUS protocol allows certain Access-Request messages to bypass integrity or authentication checks,” said Alan DeKok, CEO of InkBridge Networks and creator of the FreeRADIUS Project. “As a result, an attacker can modify these packets without detection, potentially forcing any user to authenticate and assigning any authorization (VLAN, etc.) to that user.”

RADIUS, short for Remote Authentication Dial-In User Service, is a client/server protocol providing centralized authentication, authorization, and accounting (AAA) management for users connecting to a network service.

The security of RADIUS depends on a hash derived from the MD5 algorithm, which has been considered cryptographically broken since December 2008 due to the risk of collision attacks. This vulnerability allows Access-Request packets to be subjected to a chosen prefix attack, enabling the modification of response packets to pass all integrity checks for the original response.

For the attack to succeed, the adversary must modify RADIUS packets in transit between the client and server, putting organizations that send packets over the internet at risk.

Other mitigation factors reducing the attack’s potency include using TLS to transmit RADIUS traffic over the internet and increased packet security via the Message-Authenticator attribute.

BlastRADIUS is a fundamental design flaw affecting all standards-compliant RADIUS clients and servers, making it critical for internet service providers (ISPs) and organizations using the protocol to update to the latest version.

“Specifically, PAP, CHAP, and MS-CHAPv2 authentication methods are the most vulnerable,” DeKok said. “ISPs must upgrade their RADIUS servers and networking equipment. Anyone using MAC address authentication or RADIUS for administrator logins to switches is vulnerable. Using TLS or IPSec prevents the attack, and 802.1X (EAP) is not vulnerable.”

For enterprises, the attacker would need access to the management virtual local area network (VLAN). ISPs can be vulnerable if they send RADIUS traffic over intermediate networks, such as third-party outsourcers or the wider internet.

The vulnerability, tracked as CVE-2024-3596 and with a CVSS score of 9.0, particularly affects networks sending RADIUS/UDP traffic over the internet, as “most RADIUS traffic is sent ‘in the clear.'” There is no evidence it is being exploited in the wild.

“This attack results from the security of the RADIUS protocol being neglected for a very long time,” DeKok said. “While standards have long suggested protections that would have prevented the attack, those protections were not made mandatory, and many vendors did not implement the suggested protections.”

The CERT Coordination Center (CERT/CC), in a supplementary advisory, described the vulnerability as enabling a threat actor with network access to where RADIUS Access-Request is transported to conduct forgery attacks.

“A vulnerability in the RADIUS protocol allows an attacker to forge an authentication response where a Message-Authenticator attribute is not required or enforced,” CERT/CC stated. “This vulnerability results from a cryptographically insecure integrity check when validating authentication responses from a RADIUS server.”

Web infrastructure and security company Cloudflare has provided additional technical details of CVE-2024-3596, stating that RADIUS/UDP is vulnerable to an improved MD5 collision attack.

“The attack allows a Monster-in-the-Middle (MitM) with access to RADIUS traffic to gain unauthorized administrative access to devices using RADIUS for authentication without needing to brute force or steal passwords or shared secrets,” it noted.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles

error: Content is protected !!

Sign Up for CXO Digital Pulse Newsletters

Sign Up for CXO Digital Pulse Newsletters to Download the Research Report

Sign Up for CXO Digital Pulse Newsletters to Download the Coffee Table Book

Sign Up for CXO Digital Pulse Newsletters to Download the Vision 2023 Research Report

Download 8 Key Insights for Manufacturing for 2023 Report

Sign Up for CISO Handbook 2023

Download India’s Cybersecurity Outlook 2023 Report

Unlock Exclusive Insights: Access the article

Download CIO VISION 2024 Report

Share your details to download the report

Share your details to download the CISO Handbook 2024