RADIUS Protocol Vulnerability Exposes Networks to MitM Attacks


Summary:
A critical vulnerability (CVE-2024-3596) has been identified in the RADIUS protocol, a widely used network authentication protocol. Dubbed "BlastRADIUS," the flaw potentially allows attackers to bypass security checks and gain unauthorized access to a network. The security of RADIUS relies on a hash derived with the MD5 algorithm, which has been considered cryptographically broken since December 2008 because of the risk of collision attacks. Access-Request packets can be subjected to what is called a chosen-prefix attack, which makes it possible to modify the response packet so that it passes all of the integrity checks for the original response. Unauthorized access could be achieved through a Man-in-the-Middle (MitM) attack, in which an attacker intercepts communication between a user and a RADIUS server. The vulnerability stems from the way RADIUS handles specific message types, lacking integrity and authentication checks in certain instances. This enables attackers to manipulate data packets and potentially grant themselves unauthorized access or privileges.
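To make the summary's point concrete, the following Python is an added example (not from the article and not from any RADIUS implementation). It builds an Access-Accept the way a server does and then runs the two client-side integrity checks: the MD5-based Response Authenticator from RFC 2865, which is the only check an unpatched client performs, and the HMAC-MD5 Message-Authenticator attribute from RFC 3579, which the BlastRADIUS fixes require on every response. The shared secret, user name, VLAN value, identifier and Request Authenticator are constructed sample values. The helper that changes the VLAN while keeping the Response Authenticator valid simply reuses the secret to model the condition a collision produces on the wire; it exists only so the demo can show which client check survives that condition.

```python
"""Added example: RADIUS response integrity checks (RFC 2865 / RFC 3579)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80          # RFC 3579 section 3.2
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81        # commonly carries the VLAN assignment
HEADER = struct.Struct("!BBH")           # Code, Identifier, Length

def encode_attrs(attrs):
    """attrs is a list of (type, value bytes); returns Type/Length/Value wire bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    """Returns a list of (type, value, offset); raises ValueError on a malformed TLV."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute length")
        out.append((t, data[i + 2:i + l], i))
        i += l
    return out

def response_authenticator(code, ident, length, request_auth, attr_bytes, secret):
    """RFC 2865: MD5(Code | ID | Length | Request Authenticator | Attributes | Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + attr_bytes + secret).digest()

def message_authenticator(code, ident, length, request_auth, attr_bytes_zeroed, secret):
    """RFC 3579: HMAC-MD5 keyed by the secret, over the response with the Request
    Authenticator in the authenticator slot and the Message-Authenticator value zeroed."""
    return hmac.new(secret, HEADER.pack(code, ident, length) + request_auth + attr_bytes_zeroed, hashlib.md5).digest()

def build_response(code, ident, request_auth, attrs, secret, with_message_authenticator):
    """Assemble a server response; optionally sign it with Message-Authenticator."""
    if with_message_authenticator:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]   # placeholder, filled below
    attr_bytes = encode_attrs(attrs)
    length = 20 + len(attr_bytes)
    if with_message_authenticator:
        mac = message_authenticator(code, ident, length, request_auth, attr_bytes, secret)
        attr_bytes = attr_bytes[:-16] + mac      # the placeholder is the last 16 bytes
    resp_auth = response_authenticator(code, ident, length, request_auth, attr_bytes, secret)
    return HEADER.pack(code, ident, length) + resp_auth + attr_bytes

def verify_response(packet, request_auth, secret, require_message_authenticator):
    """Client-side checks; returns (ok, reason). With the flag off, the MD5-only
    Response Authenticator is the sole integrity check, which is the one a
    chosen-prefix collision defeats. With it on, an HMAC must also verify."""
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False, "length mismatch"
    resp_auth, attr_bytes = packet[4:20], packet[20:]
    expected = response_authenticator(code, ident, length, request_auth, attr_bytes, secret)
    if not hmac.compare_digest(resp_auth, expected):
        return False, "bad Response Authenticator"
    try:
        attrs = parse_attrs(attr_bytes)
    except ValueError as e:
        return False, str(e)
    mas = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        return (False, "Message-Authenticator missing") if require_message_authenticator else (True, "MD5 Response Authenticator only")
    value, off = mas[0]
    if len(value) != 16:
        return False, "malformed Message-Authenticator"
    zeroed = attr_bytes[:off + 2] + bytes(16) + attr_bytes[off + 18:]
    if not hmac.compare_digest(value, message_authenticator(code, ident, length, request_auth, zeroed, secret)):
        return False, "bad Message-Authenticator"
    return True, "Response Authenticator and Message-Authenticator valid"

def alter_vlan_keeping_md5(packet, request_auth, secret):
    """Test helper modelling the on-wire outcome of the attack: the VLAN attribute is
    changed (10 -> 11) yet the Response Authenticator still verifies. Here the secret is
    reused to recompute it; an attacker lacks the secret and relies on an MD5 collision."""
    code, ident, _ = HEADER.unpack(packet[:4])
    attr_bytes = packet[20:]
    off = next(o for t, _, o in parse_attrs(attr_bytes) if t == ATTR_TUNNEL_PRIVATE_GROUP_ID)
    altered = attr_bytes[:off + 2] + b"11" + attr_bytes[off + 4:]
    length = 20 + len(altered)
    return HEADER.pack(code, ident, length) + response_authenticator(code, ident, length, request_auth, altered, secret) + altered

def demo():
    """Constructed exchange: the same Access-Accept with and without Message-Authenticator."""
    secret = b"constructed-shared-secret"          # constructed sample value
    request_auth = bytes(range(16))                 # constructed stand-in for the random Request Authenticator
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"10")]
    legacy = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret, False)
    hardened = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret, True)
    return {
        "legacy_lenient": verify_response(legacy, request_auth, secret, False),
        "legacy_strict": verify_response(legacy, request_auth, secret, True),
        "hardened_strict": verify_response(hardened, request_auth, secret, True),
        "altered_legacy_lenient": verify_response(alter_vlan_keeping_md5(legacy, request_auth, secret), request_auth, secret, False),
        "altered_hardened_strict": verify_response(alter_vlan_keeping_md5(hardened, request_auth, secret), request_auth, secret, True),
    }

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:24} {'ACCEPT' if ok else 'REJECT'}  ({reason})")
```

Run it directly to print the five verdicts. The lenient client accepts the altered VLAN because the MD5 Response Authenticator is its only integrity check; the client that requires Message-Authenticator rejects both the unsigned legacy response and the altered one, because the HMAC was computed over the original attributes and cannot be recomputed without the shared secret. Requiring Message-Authenticator on every packet is the behaviour the patched servers and clients enable (FreeRADIUS exposes it as the per-client `require_message_authenticator` setting in clients.conf).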

Security Officer Comments:
The BlastRADIUS vulnerability exposes a long-standing weakness in the RADIUS protocol. While protocol safeguards against such attacks were proposed, they were never made mandatory, leaving many deployments susceptible. Organizations that rely on RADIUS for network access should prioritize patching their RADIUS servers and networking equipment to address this critical flaw. Note that, while the vulnerability is severe, there are no known active exploits in the wild. However, given the widespread use of RADIUS and the potential consequences, patching is strongly recommended to minimize the risk of future attacks.

Risk factors and mitigation strategies:

  • High-risk configurations: Networks transmitting RADIUS traffic unencrypted (RADIUS/UDP) over the internet or internal untrusted networks are most at risk.
  • Vulnerable authentication methods: Traditional password-based authentication methods (PAP, CHAP, MS-CHAPv2) are most susceptible.

Suggested Corrections:

  • Prioritize Patching:
    • Ensure all RADIUS servers and network equipment are updated to the latest versions that address the BlastRADIUS vulnerability. This is the most critical step, as patching eliminates the underlying flaw.
  • Implement Encryption Protocols:
    • Use Transport Layer Security (TLS) or IPsec to encrypt RADIUS traffic. Encryption protects packets from modification in transit, rendering MitM attacks ineffective.
  • Leverage Secure Authentication Methods:
    • Employ strong authentication methods like 802.1X (EAP) instead of weaker protocols like PAP, CHAP, and MS-CHAPv2. 802.1X offers robust encryption and is not vulnerable to BlastRADIUS.
  • Segment Networks:
    • Implement network segmentation to isolate the RADIUS server and the network management VLAN. This limits the attacker's potential access points even if they breach the network perimeter.

Link(s):
https://thehackernews.com/2024/07/radius-protocol-vulnerability-exposes.html