BlastRADIUS: Unveiling the Critical Security Vulnerability in RADIUS Protocol

Introduction

Cybersecurity researchers have recently identified a significant vulnerability in the RADIUS network authentication protocol. Dubbed BlastRADIUS, this flaw can be exploited to execute Mallory-in-the-middle (MitM) attacks and bypass integrity checks under certain conditions.

Vulnerability Details

Integrity and Authentication Loopholes

The Remote Authentication Dial-In User Service (RADIUS) protocol, widely used for centralized authentication, authorization, and accounting (AAA) management, has been found to permit certain Access-Request messages to bypass integrity and authentication checks. According to Alan DeKok, CEO of InkBridge Networks and creator of the FreeRADIUS Project, this loophole allows an attacker to alter these packets undetected, potentially forcing the authentication of any user to succeed and assigning any authorization (such as VLAN access) to that user.

MD5 Hash Weakness

RADIUS relies on a hash derived from the MD5 algorithm, which has been considered cryptographically compromised since December 2008 due to collision attack risks. This weakness enables what is known as a chosen-prefix collision attack, in which a modified response packet still passes all of the integrity checks that protected the original response. For the attack to succeed, however, the attacker must be able to modify RADIUS packets in transit between the client and the server. Organizations transmitting these packets over the internet are therefore particularly at risk.

Mitigation Strategies

TLS and Message-Authenticator

To counteract this vulnerability, transmitting RADIUS traffic over Transport Layer Security (TLS) rather than plain UDP can mitigate potential attacks. Additionally, requiring the Message-Authenticator attribute enhances packet security, making it harder for attackers to exploit this flaw.

Urgent Updates Needed

The fundamental design flaw underlying BlastRADIUS impacts all standards-compliant RADIUS clients and servers. Therefore, it is crucial for internet service providers (ISPs) and organizations utilizing the protocol to update their RADIUS software to the latest version. Vulnerable authentication methods include PAP, CHAP, and MS-CHAPv2. ISPs must upgrade their RADIUS servers and networking equipment to ensure security.

Specific Vulnerabilities

MAC Address Authentication and Administrator Logins

DeKok highlights that entities using MAC address authentication or RADIUS for administrator logins to switches are particularly vulnerable. However, utilizing TLS or IPsec can prevent attacks, and 802.1X (EAP) remains unaffected.

Enterprise and ISP Risks

For enterprises, an attacker would need access to the management virtual local area network (VLAN) to exploit the vulnerability. ISPs are at risk if they transmit RADIUS traffic over intermediate networks, such as third-party outsourcers or the wider internet.

CVE-2024-3596: A Critical Flaw

This vulnerability, tracked as CVE-2024-3596, has been assigned a CVSS score of 9.0. It predominantly affects networks sending RADIUS/UDP traffic over the internet since most RADIUS traffic is transmitted without encryption. Although there is no evidence of active exploitation in the wild, the vulnerability has drawn attention to longstanding security neglect within the RADIUS protocol.

CERT/CC Advisory

The CERT Coordination Center (CERT/CC) described the vulnerability as allowing threat actors with network access to forge authentication responses when the Message-Authenticator attribute is not required or enforced. This stems from a cryptographically insecure integrity check during the validation of authentication responses from a RADIUS server.
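The two response checks discussed above, the MD5-based Response Authenticator that CERT/CC calls cryptographically insecure and the HMAC-MD5 Message-Authenticator attribute recommended in the mitigation section, as an added Python example; this is not code from the page or from any RADIUS implementation. It builds an in-memory Access-Request/Access-Reject exchange with a constructed shared secret and shows that a verifier which does not require Message-Authenticator accepts a response protected only by the MD5 check, while a strict verifier rejects it and also rejects a response altered in transit. Packet layouts follow RFC 2865 (section 3) and RFC 2869 (section 5.14); the secret, user name and identifier are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type/length/value triples."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def parse_attrs(data):
    """Walk the attribute list strictly; a malformed length is an error, not skipped."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + attr_len]))
        i += attr_len
    return attrs


def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    """The classic check: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def message_authenticator(packet, secret, request_auth):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed.
    For a response the Authenticator field is replaced by the Request Authenticator."""
    body = bytearray(packet[HEADER_LEN:])
    i = 0
    while i < len(body):
        attr_type, attr_len = body[i], body[i + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            body[i + 2:i + attr_len] = b"\x00" * (attr_len - 2)
        i += attr_len
    return hmac.new(secret, packet[:4] + request_auth + bytes(body), hashlib.md5).digest()


def build_request(ident, attrs):
    """Access-Request: the Authenticator field is a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: compute Message-Authenticator first, then the Response Authenticator over the result."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    draft = struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + request_auth + body
    mac = message_authenticator(draft, secret, request_auth)
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])
    resp_auth = response_authenticator(code, ident, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + resp_auth + body


def verify_response(packet, request_auth, secret, require_message_authenticator=True):
    """Client/NAS side. Returns True only when every applicable check passes."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attr_bytes = packet[HEADER_LEN:]
    expected = response_authenticator(code, ident, request_auth, attr_bytes, secret)
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return False
    try:
        macs = [v for t, v in parse_attrs(attr_bytes) if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if not macs:
        # Only the MD5-based check protected this packet: the weak spot BlastRADIUS targets.
        return not require_message_authenticator
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    return hmac.compare_digest(message_authenticator(packet, secret, request_auth), macs[0])


def demo():
    secret = b"constructed-shared-secret"  # constructed value for this example
    request = build_request(7, [(ATTR_USER_NAME, b"alice")])
    request_auth = request[4:HEADER_LEN]
    good = build_response(ACCESS_REJECT, 7, request_auth, [], secret)
    # A response carrying no Message-Authenticator, protected only by the MD5 check.
    weak_auth = response_authenticator(ACCESS_REJECT, 7, request_auth, b"", secret)
    weak = struct.pack("!BBH", ACCESS_REJECT, 7, HEADER_LEN) + weak_auth
    # The same good response with its code byte changed in transit.
    tampered = bytes([ACCESS_ACCEPT]) + good[1:]
    return {
        "good_strict": verify_response(good, request_auth, secret),
        "weak_strict": verify_response(weak, request_auth, secret),
        "weak_lenient": verify_response(weak, request_auth, secret, require_message_authenticator=False),
        "tampered_strict": verify_response(tampered, request_auth, secret),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The lenient verifier models the condition CERT/CC describes: a response with no Message-Authenticator is accepted as long as its MD5 Response Authenticator matches, which is exactly the value a chosen-prefix collision lets an on-path attacker preserve. The strict verifier turns that into a hard failure, so the HMAC keyed with the shared secret, not the unkeyed MD5 construction, decides whether the response is trusted.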

Cloudflare’s Insights

Cloudflare has provided further technical details on CVE-2024-3596, noting that RADIUS/UDP is susceptible to an enhanced MD5 collision attack. This allows a MitM attacker with access to RADIUS traffic to gain unauthorized administrative access to devices using RADIUS for authentication, without needing to brute force or steal passwords or shared secrets.

Conclusion

The discovery of the BlastRADIUS vulnerability underscores the critical need for heightened security measures within the RADIUS protocol. Organizations and ISPs must urgently update their RADIUS implementations and adopt robust security practices, such as using TLS and Message-Authenticator attributes, to protect against potential exploits. This vulnerability serves as a reminder of the importance of continuous security evaluations and the implementation of recommended protections to safeguard network authentication protocols.
