Cybersecurity researchers have disclosed a weakness in the RADIUS network authentication protocol, dubbed BlastRADIUS, that an attacker positioned on the network path could exploit to carry out man-in-the-middle (MitM) attacks and bypass authentication checks in specific scenarios.
According to Alan DeKok, CEO of InkBridge Networks and the brain behind the FreeRADIUS Project, “Certain Access-Request messages in the RADIUS protocol are allowed to bypass integrity and authentication mechanisms, enabling an attacker to tamper with these packets undetected. This would enable the attacker to coerce any user into authenticating and assign various authorizations (such as VLAN access) to that user.”
RADIUS, which stands for Remote Authentication Dial-In User Service, is a client/server protocol that serves as a centralized platform for authentication, authorization, and accounting management for users accessing network services.
The integrity of a RADIUS response rests on an unkeyed MD5 hash: the Response Authenticator is MD5(Code + ID + Length + Request Authenticator + Attributes + shared secret), with the shared secret appended only as a suffix (RFC 2865). MD5 has been known to be collision-prone since 2004, and practical chosen-prefix collisions were demonstrated in December 2008.
Because the secret sits at the end of the hashed data, an attacker who can inject a chosen-prefix MD5 collision into the Access-Request (the attack uses a Proxy-State attribute, which the server must copy back into its response unmodified) can arrange for the server's Access-Reject to carry a Response Authenticator that also validates for a forged Access-Accept. The attacker then swaps in the Access-Accept, and the client accepts it as genuine.
Executing the attack does, however, require the adversary to be able to read and modify RADIUS packets in transit between client and server. Organizations that send RADIUS/UDP across the internet are therefore directly exposed.
Two measures blunt the attack: carrying RADIUS over TLS (RadSec, RFC 6614) instead of bare UDP, and requiring the Message-Authenticator attribute, an HMAC-MD5 keyed with the shared secret, in every Access-Request and every response, so that a collision on the unkeyed hash no longer suffices.
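The following is an added example, not code from the article or from the FreeRADIUS project. It implements the RFC 2865 Response Authenticator and the RFC 2869/3579 Message-Authenticator over constructed packets and a constructed shared secret, then shows a client-side verifier in three policies: a lenient client that trusts the MD5 Response Authenticator alone (the BlastRADIUS-exposed configuration), a strict client that refuses any response lacking Message-Authenticator, and a forged Reject-to-Accept response checked under a simulated collision (no real chosen-prefix collision is computed here; the `simulate_collision` flag simply stands in for a Response Authenticator that the attacker has made match). All attribute values, the secret and the user name are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_REPLY_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 18, 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attrs(attrs):
    """Serialize [(type, value), ...] as RADIUS TLVs: 1-byte type, 1-byte total length."""
    out = bytearray()
    for t, v in attrs:
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The secret is only a suffix of an unkeyed hash, which is what BlastRADIUS exploits."""
    hdr = struct.pack("!BBH", code, ident, HEADER_LEN + len(attr_bytes))
    return hashlib.md5(hdr + request_auth + attr_bytes + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 s5.14 / RFC 3579 s3.2: HMAC-MD5 keyed with the secret over the packet
    with the Message-Authenticator value zeroed; responses use the Request Authenticator."""
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    msg = struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + request_auth + body
    return hmac.new(secret, msg, hashlib.md5).digest()


def server_build_response(code, request, secret, attrs, include_msg_auth):
    """Build a response: Message-Authenticator first (if used), then Response Authenticator."""
    ident, request_auth = request[1], request[4:20]
    if include_msg_auth:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                     message_authenticator(code, ident, request_auth, attrs, secret))
    body = encode_attrs(attrs)
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, body, secret), attrs)


def client_verify_response(response, request, secret, require_message_authenticator,
                           simulate_collision=False):
    """Return (ok, reason). simulate_collision skips the MD5 comparison to model an
    attacker whose chosen-prefix collision made the Response Authenticator match."""
    if len(response) < HEADER_LEN:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False, "length or identifier mismatch"
    request_auth, attr_bytes = request[4:20], response[HEADER_LEN:]
    try:
        attrs = decode_attrs(attr_bytes)
    except ValueError as e:
        return False, str(e)
    expected = response_authenticator(code, ident, request_auth, attr_bytes, secret)
    if not simulate_collision and not hmac.compare_digest(expected, response[4:20]):
        return False, "bad Response Authenticator"
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        if require_message_authenticator:
            return False, "Message-Authenticator missing"
        return True, "accepted on MD5 Response Authenticator only (BlastRADIUS-exposed)"
    if len(macs[0]) != 16 or not hmac.compare_digest(
            message_authenticator(code, ident, request_auth, attrs, secret), macs[0]):
        return False, "bad Message-Authenticator"
    return True, "accepted with Message-Authenticator"


def demo():
    secret = b"constructed-shared-secret"  # constructed sample value, not a real deployment secret
    request = build_packet(ACCESS_REQUEST, 7, os.urandom(16), [(ATTR_USER_NAME, b"alice")])
    reply = [(ATTR_REPLY_MESSAGE, b"hello alice")]
    legacy = server_build_response(ACCESS_ACCEPT, request, secret, reply, include_msg_auth=False)
    hardened = server_build_response(ACCESS_ACCEPT, request, secret, reply, include_msg_auth=True)
    reject = server_build_response(ACCESS_REJECT, request, secret, reply, include_msg_auth=True)
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]  # on-path attacker flips Reject -> Accept
    return {
        "legacy_lenient": client_verify_response(legacy, request, secret, False),
        "legacy_strict": client_verify_response(legacy, request, secret, True),
        "hardened_strict": client_verify_response(hardened, request, secret, True),
        "forged_strict": client_verify_response(forged, request, secret, True),
        "forged_collision": client_verify_response(forged, request, secret, True, simulate_collision=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `forged_collision` case is the one that matters: once the attacker's collision makes the unkeyed MD5 check pass, only the keyed HMAC in Message-Authenticator still rejects the swapped-in Access-Accept. In a real deployment, `require_message_authenticator=True` corresponds to enabling the equivalent server and client setting (FreeRADIUS exposes it per client as `require_message_authenticator = yes`) on both ends, since a single side enforcing it leaves the other direction exposed.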
BlastRADIUS stems from a design flaw in the protocol itself and affects all standards-compliant RADIUS clients and servers, so internet service providers (ISPs) and enterprises that use the protocol need to update both their RADIUS servers and their network equipment to patched versions.
DeKok highlighted, “Authentication methods such as PAP, CHAP, and MS-CHAPv2 are most at risk. ISPs need to enhance their RADIUS servers and network equipment.”
He added, “Individuals using MAC address authentication or RADIUS for administrator logins to switches are vulnerable. Employing TLS or IPSec can shield against the attack, while 802.1X (EAP) remains unaffected.”

In enterprise networks the attacker must already have a foothold on the management virtual local area network (VLAN) to mount the attack. ISPs are exposed when they route RADIUS traffic through intermediary networks, such as third-party providers or the public internet.
While the vulnerability (tracked as CVE-2024-3596) carries a CVSS score of 9.0, the practical risk is concentrated in deployments that send unencrypted RADIUS/UDP over the internet, which remain common. There is no evidence of active exploitation of this flaw.
“This attack underscores the long-standing neglect of RADIUS protocol security,” DeKok commented.
“Although protective measures have been suggested in the standards to prevent such attacks, these safeguards were not made mandatory. Also, many vendors failed to implement the recommended protections.”