RADIUS Protocol Issue Undermines Network Authentication Safety
A team of security researchers has discovered a significant vulnerability in the widely used RADIUS (Remote Authentication Dial-In User Service) protocol. The vulnerability could allow attackers to gain unauthorized access to network devices. Cloudflare staff detailed the findings in a blog post, highlighting the ongoing challenges of maintaining security in long-standing network protocols.
RADIUS, first designed in 1991, remains a vital authentication protocol for remote access to routers, switches, and other networking equipment. Despite advancements in cryptography, RADIUS has continued to rely on outdated security measures, particularly when used over UDP (User Datagram Protocol).
The newly discovered vulnerability, dubbed “Blast-RADIUS,” exploits weaknesses in the MD5 cryptographic hash function, which has been known to be vulnerable since 2004. The attack allows a malicious actor positioned between a RADIUS client and server to manipulate authentication responses, potentially granting unauthorized administrative access to network devices.
Researchers from the University of California San Diego, CWI Amsterdam, Microsoft, and BastionZero collaborated on developing the attack. In response, CERT has assigned CVE-2024-3596 and VU#456537 to the vulnerability.
The attack focuses on the RADIUS Response Authenticator, a custom message authentication code utilizing MD5. By exploiting enhanced MD5 collision techniques, attackers are capable of creating legitimate-looking RADIUS responses, transforming Access-Reject messages into Access-Accept messages without needing to know the shared secret between the client and server.
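To make the construction described above concrete, the following is an added example (not code from the article, the Cloudflare post, or the researchers) that builds a RADIUS response and computes its Response Authenticator exactly as RFC 2865 specifies: MD5 over the Code, Identifier, Length, the Request Authenticator, the attributes, and the shared secret appended at the end. The shared secret, Request Authenticator and Reply-Message text are constructed values. The demo shows what a client's check does and does not cover: changing the Code byte from Access-Reject to Access-Accept without the secret is caught, which is why the attack has to manufacture a colliding MD5 input rather than simply rewrite the code field.

```python
"""RADIUS (RFC 2865) Response Authenticator: build and verify.

Added example, not code from the article or the researchers. Packet layout
and constants follow RFC 2865; the secret, Request Authenticator and attribute
values are constructed for illustration only.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
REPLY_MESSAGE = 18  # attribute type, RFC 2865 section 5.18

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts its 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return bytes([attr_type, len(value) + 2]) + value


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s.3.

    This is the custom MD5-based MAC the article refers to. The shared secret is
    simply appended to the hashed data; this is not an HMAC construction.
    """
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, identifier: int, request_auth: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """Assemble a complete RADIUS response packet (header, authenticator, attributes)."""
    auth = response_authenticator(code, identifier, request_auth, attributes, secret)
    length = HEADER_LEN + len(attributes)
    return struct.pack("!BBH", code, identifier, length) + auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check: recompute the authenticator and compare in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    received = packet[4:20]
    attributes = packet[20:]
    expected = response_authenticator(code, identifier, request_auth, attributes, secret)
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    """Build an Access-Reject and exercise the check against two bad inputs."""
    secret = b"constructed-shared-secret"      # constructed, not a deployment value
    request_auth = bytes(range(16))             # constructed; real clients send 16 random bytes
    ident = 0x2A
    reject_attrs = encode_attribute(REPLY_MESSAGE, b"Access denied")
    reject = build_response(ACCESS_REJECT, ident, request_auth, reject_attrs, secret)

    # Rewriting only the Code byte (Reject -> Accept) is detected, because the
    # Code field is part of the MD5 input. Defeating the check therefore needs
    # a second input that hashes to the same value, which is where MD5's
    # collision weakness enters.
    tampered = bytes([ACCESS_ACCEPT]) + reject[1:]
    return {
        "reject_ok": verify_response(reject, request_auth, secret),
        "tampered_ok": verify_response(tampered, request_auth, secret),
        "wrong_secret_ok": verify_response(reject, request_auth, b"other-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

The verification step mirrors what a RADIUS client does on every response; the only cryptographic primitive involved is a single MD5 over data the attacker on the path can see, plus the secret, which is the property the article's attack relies on.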
To carry out the attack, researchers had to overcome various obstacles:
The team showcased a proof-of-concept attack executable in under five minutes using a cluster of older CPU cores and basic GPUs. Although this duration surpasses standard RADIUS timeout settings, the researchers highlight that a well-equipped attacker could fine-tune the attack to function against default timeout parameters.
This vulnerability impacts all RADIUS/UDP authentication modes, except for those using the Extensible Authentication Protocol (EAP). RADIUS traffic transmitted over TLS (sometimes referred to as RADSEC) is not susceptible to this specific attack.
In light of these findings, the researchers recommend several mitigations:
The researchers emphasise that switching to RADIUS/TCP offers no security benefits, as it remains vulnerable to the same attack.
The researchers note that updating widely deployed network protocols like RADIUS can be challenging, especially given its use in legacy devices that may be difficult to upgrade. The hope is that this research will prompt network operators to review their RADIUS deployments and take advantage of patches released by vendors in response to this work. As cryptographic attacks continue to improve, constructions once considered “secure enough” may become vulnerable to practical exploits.
Writing on Reddit, user RandomMagnet notes that:
“This isn’t really new right? I mean it’s a MITM leveraging MD5’s weakness…”
User Skylis goes on to contextualize the vulnerability:
“If someone can MITM the auth packets from your network gear, you have bigger problems.”
While the immediate focus is on mitigating this specific vulnerability, the broader implication is the need for continued vigilance and proactive updating of security protocols across the networking industry. As attacks become more sophisticated, the gap between theoretical vulnerabilities and practical exploits continues to narrow. The researchers’ work shows the value of collaborative efforts between academia and industry in identifying and addressing critical security issues in widely deployed technologies.