Cybersecurity experts have uncovered a security flaw within the RADIUS network authentication protocol, dubbed BlastRADIUS, which could allow attackers to execute Man-in-the-Middle (MitM) attacks and bypass integrity verifications under specific conditions.
“The RADIUS protocol permits certain Access-Request messages to proceed without integrity or authentication validations,” stated Alan DeKok, CEO of InkBridge Networks and creator of the FreeRADIUS Project.
“As a consequence, an attacker could modify these packets without detection, compelling any user to authenticate and granting arbitrary authorizations (such as VLAN access).”
RADIUS, which stands for Remote Authentication Dial-In User Service, functions as a client/server protocol enabling centralized management of authentication, authorization, and accounting (AAA) for users accessing network services.
The security of RADIUS rests on a hash computed with MD5, an algorithm that has been considered cryptographically broken since December 2008 because of its susceptibility to collision attacks.
The flaw lets an attacker mount a chosen-prefix collision attack against Access-Request packets, so that a modified response packet still passes all of the original integrity checks.
Successful exploitation requires the attacker to intercept and alter RADIUS packets in transit between client and server, which is a particular risk for organizations that send those packets over the internet.
Mitigations include carrying RADIUS traffic over TLS when it crosses the internet and protecting individual packets with the Message-Authenticator attribute.
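The two constructions the paragraphs above refer to, shown as an added example that is not from the article and not code from InkBridge Networks or the FreeRADIUS Project: the plain MD5 Response Authenticator of RFC 2865 section 3, which is what the collision attack targets, and the HMAC-MD5 Message-Authenticator of RFC 2869 section 5.14, which the mitigation relies on. The shared secret, user name and packet contents are constructed for the example; the `require_ma` parameter is a hypothetical server setting used to contrast accepting an Access-Request with no integrity protection against refusing it.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80

# Constructed secret for this example only; a real deployment uses its own long random secret.
SHARED_SECRET = b"example-secret-do-not-use"


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs (RFC 2865 section 5)."""
    out = b""
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute too long")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out


def decode_attrs(body):
    """Parse the attribute section into (type, value, offset) tuples, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        typ, length = struct.unpack("!BB", body[pos:pos + 2])
        if length < 2 or pos + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((typ, body[pos + 2:pos + length], pos))
        pos += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This unkeyed MD5 construction is the weak point the article describes."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def message_authenticator(packet, request_auth, secret):
    """RFC 2869 section 5.14: HMAC-MD5 keyed with the secret over the whole packet, with the
    Message-Authenticator value zeroed and the Request Authenticator in the authenticator field."""
    body = packet[20:]
    mas = [a for a in decode_attrs(body) if a[0] == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][1]) != 16:
        raise ValueError("exactly one 16-byte Message-Authenticator required")
    off = mas[0][2] + 2
    zeroed = body[:off] + bytes(16) + body[off + 16:]
    return hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()


def build_access_request(ident, username, secret):
    """Client side: an Access-Request that carries a Message-Authenticator."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username), (ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    draft = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, message_authenticator(draft, request_auth, secret))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def build_access_accept(request, secret, attrs):
    """Server side: Message-Authenticator first, then the Response Authenticator over the final packet."""
    ident, request_auth = request[1], request[4:20]
    attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    draft = build_packet(ACCESS_ACCEPT, ident, request_auth, attrs)
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, message_authenticator(draft, request_auth, secret))
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, encode_attrs(attrs), secret)
    return build_packet(ACCESS_ACCEPT, ident, resp_auth, attrs)


def verify_access_request(packet, secret, require_ma=True):
    """Server-side check. With require_ma=True (hypothetical setting) a request without a
    Message-Authenticator is refused instead of being accepted with no integrity check at all."""
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False, "bad header"
    try:
        mas = [a for a in decode_attrs(packet[20:]) if a[0] == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False, "malformed attributes"
    if not mas:
        return (False, "missing Message-Authenticator") if require_ma else (True, "accepted without integrity check")
    if len(mas) != 1 or len(mas[0][1]) != 16 or not hmac.compare_digest(
            message_authenticator(packet, packet[4:20], secret), mas[0][1]):
        return False, "bad Message-Authenticator"
    return True, "ok"


def verify_access_response(response, request, secret):
    """Client-side check of both the MD5 Response Authenticator and the HMAC Message-Authenticator."""
    if len(response) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False, "bad header"
    request_auth, body = request[4:20], response[20:]
    if not hmac.compare_digest(response_authenticator(code, ident, request_auth, body, secret), response[4:20]):
        return False, "bad Response Authenticator"
    try:
        mas = [a for a in decode_attrs(body) if a[0] == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False, "malformed attributes"
    if len(mas) != 1 or len(mas[0][1]) != 16 or not hmac.compare_digest(
            message_authenticator(response, request_auth, secret), mas[0][1]):
        return False, "bad Message-Authenticator"
    return True, "ok"


if __name__ == "__main__":
    req = build_access_request(7, b"alice", SHARED_SECRET)
    print("request:", verify_access_request(req, SHARED_SECRET))
    print("response:", verify_access_response(build_access_accept(req, SHARED_SECRET, []), req, SHARED_SECRET))
    bare = build_packet(ACCESS_REQUEST, 8, bytes(16), [(ATTR_USER_NAME, b"alice")])
    print("legacy request:", verify_access_request(bare, SHARED_SECRET))
```

The contrast the two verify functions make visible is the point of the mitigation: the Response Authenticator is an unkeyed MD5 over data the sender of the request influences, whereas the Message-Authenticator is an HMAC keyed with the shared secret, so a server that refuses requests lacking it, and a client that checks it on every response, no longer depends on MD5 collision resistance alone.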
BlastRADIUS stems from a fundamental design flaw and impacts all RADIUS clients and servers compliant with standards, necessitating immediate updates by ISPs and organizations employing the protocol.
“Specifically, authentication methods like PAP, CHAP, and MS-CHAPv2 are most vulnerable,” noted DeKok. “ISPs must upgrade their RADIUS servers and networking gear.”
“Vulnerabilities exist for users relying on MAC address authentication or RADIUS for switch administrator logins. Utilizing TLS or IPSec can prevent these attacks, and 802.1X (EAP) remains unaffected.”
Enterprises face risks if attackers gain access to management VLANs, while ISPs are vulnerable if RADIUS traffic transits through intermediate networks like third-party providers or the broader internet.
Notably, this vulnerability, rated with a CVSS score of 9.0, predominantly affects networks transmitting RADIUS/UDP traffic over the internet, given that most RADIUS traffic remains unencrypted.
“There is no current evidence of active exploitation, but this flaw underscores longstanding neglect in securing the RADIUS protocol,” DeKok emphasized.
“Although protective measures were recommended in standards for some time, these safeguards were not universally adopted, with many vendors failing to implement them.”