A security flaw in the RADIUS network authentication protocol, known as BlastRADIUS, has been unearthed by cybersecurity researchers. This flaw could be utilized by a malicious party to carry out Man-in-the-Middle (MitM) attacks and circumvent integrity verification in certain scenarios.
“Certain Access-Request messages in the RADIUS protocol are allowed without any integrity or authentication checks,” mentioned InkBridge Networks CEO Alan DeKok, the brain behind the FreeRADIUS Project, in a statement.
“Consequently, an attacker can alter these packets without raising any alarms. This could empower the attacker to coerce any user to authenticate and grant any form of authorization (such as VLAN access) to that user.”
RADIUS, which stands for Remote Authentication Dial-In User Service, is a client/server protocol that facilitates centralized authentication, authorization, and accounting (AAA) management for users connecting to and utilizing network services.
The security of RADIUS relies on a hash generated with the MD5 algorithm, which has been considered insecure since December 2008 because of its susceptibility to collision attacks.
This means Access-Request packets can be targeted with a chosen-prefix collision attack, allowing the response packet to be modified in a way that still passes all the integrity checks intended for the original response.
Nonetheless, for the attack to succeed, the attacker must be able to manipulate RADIUS packets in transit between the RADIUS client and server. This also means that organizations sending RADIUS packets over the internet are exposed to the flaw.
Additional measures to limit the attack's potential impact involve using TLS to carry RADIUS traffic over the internet and hardening packets with the Message-Authenticator attribute.
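The following Python is an added example, not code from the article, FreeRADIUS or InkBridge: it builds an Access-Request with and without the Message-Authenticator attribute (HMAC-MD5 over the packet with the attribute's value zeroed, as RFC 2869 specifies) and shows a receiver-side check that refuses any request lacking a valid one, which is the hardening the paragraph above refers to. The attribute type numbers follow RFC 2865 and RFC 2869; the shared secret, user name and NAS address are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80  # RFC 2865 / RFC 2869 attribute types

def build_access_request(ident, req_auth, attrs, secret=None):
    """Serialise an Access-Request; with a secret, append a Message-Authenticator
    (HMAC-MD5 over the whole packet with the attribute's own value zeroed)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if secret is not None:
        header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body) + 18) + req_auth
        zeroed = header + body + struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + hmac.new(secret, zeroed, hashlib.md5).digest()
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def iter_attrs(packet):
    """Yield (type, offset, value) for each attribute, rejecting malformed lengths."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        yield atype, pos, packet[pos + 2:pos + alen]
        pos += alen

def verify_access_request(packet, secret):
    """Hardened server-side check: accept only if a correct Message-Authenticator
    is present. A request carrying none is refused rather than trusted."""
    for atype, offset, value in iter_attrs(packet):
        if atype == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False

def demo(secret=b"constructed-shared-secret"):
    """Constructed sample: an unprotected request, a protected one, and a protected one altered in transit."""
    req_auth = bytes(range(16))  # constructed; real clients use 16 random bytes
    attrs = [(USER_NAME, b"alice"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
    plain = build_access_request(7, req_auth, attrs)
    signed = build_access_request(7, req_auth, attrs, secret)
    tampered = signed.replace(b"alice", b"mallo")  # same length, User-Name altered
    return (verify_access_request(plain, secret), verify_access_request(signed, secret),
            verify_access_request(tampered, secret))
```

`demo()` returns `(False, True, False)`: the unprotected request is refused outright, the protected one passes, and the protected request with an altered User-Name fails the HMAC check.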
BlastRADIUS stems from a foundational design flaw and is said to impact all standards-compliant RADIUS clients and servers, necessitating that internet service providers (ISPs) and organizations utilizing the protocol update to the latest version.
“In particular, the PAP, CHAP, and MS-CHAPv2 authentication techniques are highly susceptible,” as per DeKok. “ISPs need to update their RADIUS servers and networking devices.”
“Individuals leveraging MAC address authentication or RADIUS for switch administrator logins are at risk. The attack can be mitigated with TLS or IPSec, and 802.1X (EAP) remains unaffected.”

For enterprises, the attacker must already have access to the management virtual local area network (VLAN) for the attack to be successful. Moreover, ISPs can be at risk if they route RADIUS traffic through intermediate networks, like third-party service providers or the broader internet.
It should be highlighted that the vulnerability, which carries a CVSS score of 9.0, predominantly affects networks transmitting RADIUS/UDP traffic over the internet, since “most RADIUS traffic is sent ‘in the clear.’” There is currently no evidence of active exploitation.
“This attack underscores the long-standing neglect of security in the RADIUS protocol,” DeKok pointed out.
“Although protective measures were suggested in the standards long ago to prevent such an attack, these measures were not enforced. Additionally, many vendors did not even implement the recommended safeguards.”