Blast-RADIUS Vulnerability Requires Action Now

Erin Verna
Published July 31, 2024

A flaw in RADIUS, the widely deployed client-server networking protocol, has received a ton of recent press and coverage from cybersecurity experts. Discovered by researchers from universities and tech industry peers, this flaw earned a Common Vulnerability Scoring System (CVSS) score of 9, landing it in critical vulnerability territory (CVE-2024-3596 and VU#456537). Given that the RADIUS protocol is supported by most routers, switches, and VPN access points deployed since the late 1990s, it blows the door wide open for attackers to bypass user authentication by way of a man-in-the-middle (MITM) attack between the RADIUS client and server. Attackers could then gain access to any device, network, or internet service that relies on the RADIUS protocol.

How does the vulnerability work?

Per the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD), the RADIUS protocol “under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.” 

In this scenario, attackers can escalate privileges to network devices and services without resorting to brute-force attacks like credential stuffing. A Blast-RADIUS site was created by the university researchers and Big Tech organizations that discovered the flaw and includes extensive information on the vulnerability and mitigation methods, plus some valuable questions and answers.

To summarize briefly, the threat model requires an attacker who has already gained network access and can act as a “man-in-the-middle” between the RADIUS client and RADIUS server, which gives them the ability to read, intercept, modify, or block inbound and outbound packets. If proxies are in use, the attack could occur at any hop along the way.

Who is impacted?

Any organization whose RADIUS implementation uses authentication methods other than the Extensible Authentication Protocol (EAP) over User Datagram Protocol (UDP) is vulnerable and should upgrade its RADIUS servers straight away. EAP is the authentication framework frequently used in network connections (see the RFC 3748 - Extensible Authentication Protocol summary from IETF Datatracker). According to the researchers, Blast-RADIUS does not appear to affect RADIUS servers that perform only EAP authentication (though it’s still advisable to upgrade everything).

What should you do?

Here are steps you can take now and going forward to protect your network:

  1. As noted on the Blast-RADIUS site, first and foremost you should upgrade RADIUS servers right away, followed by clients wherever possible. Be sure to enable cryptographic signatures for RADIUS packets by requiring the Message-Authenticator attribute on every request and every response (Access-Accept, Access-Reject, or Access-Challenge).
  2. Longer term, cybersecurity experts currently recommend running RADIUS inside an encrypted and authenticated channel.
  3. Given that many attackers rely on malware hiding in encrypted traffic to breach a network, it's also critical to have insight into your SSL/TLS traffic overall. If you’re familiar with F5 BIG-IP SSL Orchestrator, this solution is instrumental in rooting out malicious traffic hiding behind encryption to prevent attackers from either breaching or moving laterally throughout your environment.
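To make step 1 concrete, the following is an added example written for this post (not F5’s code and not the Blast-RADIUS researchers’ code): it builds a RADIUS response and then validates it the way a hardened client should, checking the RFC 2865 Response Authenticator first and then requiring and verifying the RFC 2869 Message-Authenticator. The shared secret, attributes, and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type; value is a 16-byte HMAC-MD5

def build_response(code, ident, request_auth, attrs, secret, with_msg_auth=True):
    # Access-Accept/Reject/Challenge (code 2/3/11); attrs is a list of (type, bytes)
    if with_msg_auth:
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]  # zero placeholder, kept last
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_msg_auth:
        # keyed HMAC-MD5 over the packet with the Request Authenticator in place and the attribute zeroed
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()  # RFC 2865, unkeyed MD5
    return header + resp_auth + body

def parse_attrs(body):
    # yields (type, value, offset_of_value) for each RFC 2865 TLV attribute
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        length = body[pos + 1]
        yield body[pos], body[pos + 2:pos + length], pos + 2
        pos += length

def verify_response(packet, request_auth, secret, require_msg_auth=True):
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    # Check 1: Response Authenticator, the unkeyed MD5 that Blast-RADIUS forges via a chosen-prefix collision
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    # Check 2: Message-Authenticator, an HMAC keyed with the shared secret and out of reach of that collision
    try:
        macs = [(v, off) for t, v, off in parse_attrs(body) if t == MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if not macs:
        return not require_msg_auth  # legacy policy tolerates its absence; hardened policy does not
    value, off = macs[0]
    if len(macs) != 1 or len(value) != 16:
        return False
    zeroed = body[:off] + bytes(16) + body[off + 16:]
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, value)
```

With `require_msg_auth=True`, a response that carries only a valid Response Authenticator is rejected, which is exactly the behaviour the upgrade in step 1 is meant to enforce.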

Need a little refresher on RADIUS?

The RADIUS networking protocol is an industry-recognized standard for controlling access to networks through authentication, authorization, and accounting (AAA). RADIUS is supported by nearly every switch, router, access point, or VPN hub deployed since its development back in the 1990s.

It’s fair to say RADIUS wasn’t designed with today’s cybersecurity threat tactics in mind given the exponential changes in the threat landscape since its debut. But we know vulnerabilities are inevitable. The best response is a swift one: Always patch and upgrade the moment you’re able. Adopting a layered security approach is also critical for minimizing impact should an attacker be successful. Whether it's Blast-RADIUS or the next vulnerability that will make the headlines, having protections at each key point within your network is instrumental in stopping lateral movement by an attacker, containing their efforts, and minimizing any damage.