Critical vulnerability in the RADIUS protocol leaves networking equipment open to attack
A new critical security vulnerability in the RADIUS protocol, dubbed BlastRADIUS (CVE-2024-3596), leaves most networking equipment open to Man-in-the-Middle (MitM) attacks. While the vulnerability can be difficult to exploit, the possible impact of an exploit is substantial.
What’s at stake?
To protect businesses from BlastRADIUS, “every network switch, router, firewall, VPN concentrator, access point, and DSL gateway worldwide needs to be updated to add integrity and authentication checks for these packets,” explains Alan DeKok, CEO of InkBridge Networks and one of the foremost experts on RADIUS servers. Network administrators will need to download the update and modify their configuration settings.
This issue must be addressed to secure network access for businesses, universities, cloud providers, and Internet providers that use RADIUS. The vulnerability enables a MitM attack that can be leveraged to gain additional access: if exploited, unauthorized users could gain access to the network, falsely authenticate users, and grant authorizations.
DeKok says BlastRADIUS allows an attacker to exploit certain RADIUS packets. “The RADIUS protocol allows certain Access-Request messages to have no integrity or authentication checks. As a result, an attacker can modify these packets without detection. The attacker could force any user to authenticate and give any authorization (VLAN, etc.) to that user.”
“The RADIUS protocol is a foundational element of most network access systems worldwide. As of July 9, nearly all of these systems are no longer secure. The discovery of the BlastRADIUS issue means that network technicians must install firmware upgrades on every device involved in network security, identity, and authentication. We believe that Internet service providers, enterprises, and most cloud identity providers are likely to be affected by this issue,” said DeKok.
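The integrity and authentication check DeKok describes, as an added example that is not from this article or from the FreeRADIUS project: a minimal RADIUS Access-Request builder and server-side verifier in Python. It assumes the Message-Authenticator attribute of RFC 2869 (type 80, an HMAC-MD5 over the whole packet keyed with the shared secret) as the check being added; the shared secret, attribute values and function names are constructed for the demonstration. It shows that a request carrying the attribute is rejected once any attribute is changed in transit, whereas a request without it is accepted, altered or not, unless the server is configured to require the attribute.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet code and attribute types used here (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT = 5
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14: HMAC-MD5 over the packet
HEADER_LEN = 20                  # code(1) + id(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def parse_attrs(packet):
    """Return (type, value, offset) triples; raise ValueError on malformed TLVs."""
    out, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("bad attribute length")
        out.append((t, packet[pos + 2:pos + l], pos))
        pos += l
    return out


def build_access_request(pkt_id, authenticator, attrs, secret=None):
    """Build an Access-Request. With a secret, append a Message-Authenticator:
    HMAC-MD5(secret, whole packet) computed with the attribute's value zeroed.
    Without a secret the packet is a 'legacy' request with no integrity check."""
    if secret is not None:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, HEADER_LEN + len(body))
    packet = header + authenticator + body
    if secret is None:
        return packet
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zero placeholder is the last 16 bytes


def verify_access_request(packet, secret, require_message_authenticator=True):
    """Server-side check. Returns True only if the packet is well formed and its
    Message-Authenticator matches. When require_message_authenticator is False a
    packet that lacks the attribute is accepted unchecked (the pre-fix behaviour
    that lets an on-path attacker alter the packet undetected)."""
    if len(packet) < HEADER_LEN or packet[0] != ACCESS_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return False
    macs = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        return not require_message_authenticator
    if len(macs) != 1 or len(macs[0][0]) != 16:
        return False
    value, off = macs[0]
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


def rewrite_user_name(packet, new_name):
    """Model an in-transit modification: swap the User-Name value and fix up the
    length field, leaving every other attribute (including any
    Message-Authenticator) byte-for-byte as it was."""
    attrs = [(t, new_name if t == ATTR_USER_NAME else v)
             for t, v, _ in parse_attrs(packet)]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", packet[0], packet[1], HEADER_LEN + len(body))
    return header + packet[4:HEADER_LEN] + body


def demo():
    """Build a protected and a legacy request, alter each, and return the verdicts."""
    secret = b"constructed-shared-secret"  # constructed value, not a deployment secret
    authenticator = os.urandom(16)          # Request Authenticator is random per request
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_PORT, struct.pack("!I", 7))]
    protected = build_access_request(1, authenticator, attrs, secret)
    legacy = build_access_request(2, authenticator, attrs)
    altered_protected = rewrite_user_name(protected, b"mallory")
    altered_legacy = rewrite_user_name(legacy, b"mallory")
    return {
        "protected_ok": verify_access_request(protected, secret),
        "protected_modified": verify_access_request(altered_protected, secret),
        "legacy_modified_lax": verify_access_request(altered_legacy, secret, False),
        "legacy_modified_strict": verify_access_request(altered_legacy, secret),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

The last two results are the point of the firmware and configuration updates the article calls for: the attribute only helps if the server is configured to reject Access-Requests that lack it, which is why following the vendor's configuration guidance matters as much as installing the update.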
Who is at risk?
“Specifically, PAP, CHAP, and MS-CHAPv2 authentication methods are the most vulnerable,” DeKok explains. “ISPs will have to upgrade their RADIUS servers and networking equipment. Anyone using MAC address authentication, or RADIUS for administrator logins to switches is vulnerable. Using TLS or IPSec prevents the attack, and 802.1X (EAP) is not vulnerable.”
For most enterprises, the attacker would already need access to the management VLAN. ISPs can be vulnerable if they send RADIUS traffic over intermediate networks, such as third-party outsourcers or the wider Internet. Some uses of RADIUS are safe, including eduroam and the Wireless Broadband Alliance’s OpenRoaming framework.
What’s vulnerable to BlastRADIUS?
- PAP
- CHAP
- MS-CHAPv2
- Other non-EAP authentication methods
Systems deemed not vulnerable
- 802.1X
- IPSec
- TLS
- eduroam
- OpenRoaming
DeKok and his team also maintain the open-source FreeRADIUS project and participate in IETF standards development. He wrote the initial paper that defined how vendors should update their equipment to protect against this attack, and he is also writing the RADIUS standards that will include those recommendations. The updated standards will address this new vulnerability along with other RADIUS security issues.
How to protect yourself from the BlastRADIUS vulnerability
For networking equipment, install any firmware update that is available from your network equipment vendor. Also follow the vendor documentation to configure the updated firmware; otherwise, you may still be vulnerable.
FreeRADIUS updates for the BlastRADIUS vulnerability are available for download from the FreeRADIUS project.
For more detailed information, visit the researcher’s site.