Cybersecurity researchers have uncovered a critical security flaw in the RADIUS network authentication protocol, termed BlastRADIUS, which can be exploited to conduct Man-in-the-Middle (MitM) attacks and bypass integrity checks under specific conditions.
“The RADIUS protocol allows certain Access-Request messages to lack integrity or authentication checks,” stated Alan DeKok, CEO of InkBridge Networks and creator of the FreeRADIUS Project. “This means an attacker can alter these packets undetected, forcing user authentication and granting unauthorized access.”
Understanding RADIUS
RADIUS, or Remote Authentication Dial-In User Service, is a client/server protocol that centralizes authentication, authorization, and accounting (AAA) for network users. Its packet integrity protection relies on hashes derived from the MD5 algorithm, which has been considered cryptographically broken since December 2008, when practical collision attacks against it were demonstrated.
Technical Details of the Vulnerability
The BlastRADIUS vulnerability leverages an MD5 chosen-prefix collision attack against Access-Request packets, allowing an attacker to craft a modified response packet whose Response Authenticator still passes the integrity check. Successful exploitation requires the ability to alter RADIUS packets in transit, posing significant risks to organizations transmitting packets over the internet.
While using TLS for RADIUS traffic and employing the Message-Authenticator attribute enhances packet security, the inherent design flaw in RADIUS affects all standards-compliant clients and servers. This necessitates urgent updates from internet service providers (ISPs) and organizations using the protocol.
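To make the two integrity mechanisms concrete, the following Python script is an added example (not code from the original article, from InkBridge Networks, or from the FreeRADIUS project). It builds a constructed PAP Access-Request and its Access-Reject, then runs the two checks a RADIUS client or server performs: the MD5-based Response Authenticator from RFC 2865 (the check BlastRADIUS defeats with a chosen-prefix collision, which this example does not compute) and the HMAC-MD5 Message-Authenticator from RFC 2869, which is keyed with the shared secret and is the attribute the page's mitigations turn on. The shared secret, user name, and password are constructed values; the attribute numbers and hash constructions come from the RFCs.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def encode_attrs(attrs):
    """Serialize [(type, value), ...] into RADIUS TLV attributes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_attrs(data):
    """Parse the attribute region of a packet into [(type, value), ...]."""
    attrs = []
    while data:
        t, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password obfuscation (MD5 keystream XOR), PAP only."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def build_packet(code, ident, authenticator, attrs, secret, with_msg_auth):
    """Build a packet; optionally append an HMAC-MD5 Message-Authenticator."""
    if with_msg_auth:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = encode_attrs(attrs)
    pkt = HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body
    if with_msg_auth:
        # HMAC over the whole packet with the MAC value zeroed (RFC 2869 5.14)
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac  # the zeroed MAC is the last 16 bytes
    return pkt


def build_response(code, request, secret, attrs, with_msg_auth):
    """Reply to an Access-Request: MAC uses the Request Authenticator, then
    the header gets the MD5 Response Authenticator of RFC 2865 section 3."""
    request_auth = request[4:20]
    pkt = build_packet(code, request[1], request_auth, attrs, secret, with_msg_auth)
    resp_auth = hashlib.md5(pkt + secret).digest()  # MD5(Code+ID+Len+ReqAuth+Attrs+Secret)
    return pkt[:4] + resp_auth + pkt[20:]


def verify_response_authenticator(response, request, secret):
    """Unkeyed-prefix MD5 check; an MD5 collision can satisfy it (BlastRADIUS)."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def verify_message_authenticator(packet, secret, request_auth=None):
    """True only if a Message-Authenticator is present and its HMAC verifies.
    For replies, pass the Request Authenticator of the matching request."""
    offset, mac = 20, None
    for t, v in decode_attrs(packet[20:]):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            mac = v
            break
        offset += 2 + len(v)
    if mac is None or len(mac) != 16:
        return False  # absent or malformed: no keyed integrity check at all
    auth = packet[4:20] if request_auth is None else request_auth
    zeroed = packet[:4] + auth + packet[20:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)


def demo(secret=b"constructed-shared-secret", with_msg_auth=True):
    """Constructed PAP exchange; returns the outcome of each integrity check."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, b"alice"),
             (ATTR_USER_PASSWORD, hide_password(b"constructed-pw", secret, request_auth))]
    request = build_packet(ACCESS_REQUEST, 7, request_auth, attrs, secret, with_msg_auth)
    reject = build_response(ACCESS_REJECT, request, secret, [], with_msg_auth)
    # A naive on-path edit (Reject -> Accept) fails both checks; only an MD5
    # collision, as in BlastRADIUS, can satisfy the Response Authenticator.
    tampered = bytes([ACCESS_ACCEPT]) + reject[1:]
    return {
        "request_has_msg_auth": verify_message_authenticator(request, secret),
        "reject_resp_auth_ok": verify_response_authenticator(reject, request, secret),
        "reject_msg_auth_ok": verify_message_authenticator(reject, secret, request_auth),
        "tampered_resp_auth_ok": verify_response_authenticator(tampered, request, secret),
        "tampered_msg_auth_ok": verify_message_authenticator(tampered, secret, request_auth),
    }


if __name__ == "__main__":
    for label, checks in (("with Message-Authenticator", demo()),
                          ("without Message-Authenticator", demo(with_msg_auth=False))):
        print(label, checks)
```

Running `demo(with_msg_auth=False)` shows the gap the article describes: a request or reply without a Message-Authenticator has no keyed integrity check, so the only thing binding it is the collision-prone MD5 construction. The defensive posture is therefore to require the attribute on every Access-Request a server accepts and to verify it on every response a client receives; in FreeRADIUS 3.2.5 this policy is exposed as the `require_message_authenticator` setting, and other vendors ship equivalent options in their post-BlastRADIUS releases.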
Vulnerable Authentication Methods
Particularly vulnerable are the PAP, CHAP, and MS-CHAPv2 authentication methods. DeKok emphasized the need for ISPs to upgrade their RADIUS servers and networking equipment to mitigate this risk. Anyone using MAC address authentication or RADIUS for administrative logins is also vulnerable unless they protect the traffic with TLS or IPsec; 802.1X (EAP) authentication is not affected.
Impact on Enterprises and ISPs
For enterprises, attackers would need access to the management virtual local area network (VLAN). ISPs are at risk if they send RADIUS traffic over intermediate networks or the wider internet. The vulnerability, which carries a CVSS score of 9.0, mainly threatens networks transmitting RADIUS/UDP traffic in the clear.
Recommendations for Mitigation
Immediate action is essential for system administrators to determine their exposure and upgrade their systems accordingly:
- RADIUS Traffic Accounting Only: If your RADIUS traffic is purely accounting, the attack doesn’t affect you immediately, but upgrades are still necessary.
- Access-Request Packets via RADIUS/TLS (RadSec): The attack doesn’t affect you immediately, but upgrades are still necessary.
- EAP Authentication Only: The attack doesn’t affect you immediately, but upgrades are still necessary.
- Local Requests Only: Upgrade your RADIUS servers to be protected, though the NAS equipment also needs updating.
For everyone else, upgrading RADIUS servers is urgent to prevent a broad class of attacks. Further protection requires complex configuration changes. Vendor documentation can guide upgrading multiple systems, but comprehensive resources like BlastRADIUS product guides and test software are invaluable.
Proof of Concept and Exploitation
Researchers have developed a proof of concept, though it is not publicly available. No evidence indicates active exploitation in the wild. Even if recreated, the attack demands significant cloud computing power per packet, making large-scale attacks cost-prohibitive except for high-resourced attackers like nation-states.
Conclusion
If your network isn’t using RADIUS, it may be more vulnerable than networks employing RADIUS. The root cause of the vulnerability lies in certain Access-Request packets lacking authentication and integrity checks, allowing attackers to manipulate network access.
Safe Practices
All EAP (802.1X) authentication, Accounting-Request, CoA-Request, Disconnect-Request packets, and RADIUS over TLS (RadSec) are secure against this vulnerability.
System administrators must swiftly upgrade and secure their networks against this critical flaw to protect against potential exploits and ensure robust network security.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact