[German]A vulnerability (CVE-2024-3596) discovered by security researchers makes it possible to log into a network using the RADIUS network authentication protocol without further authentication. The vulnerability, called Blast-RADIUS, could jeopardize network security in companies because RADIUS network authentication can be circumvented.
Advertising
RADIUS authentication
RADIUS is a client-server protocol that is used for authentication, authorization and accounting of users for dial-up connections to a computer network (virtual network, VPN, Remote Access Services, RAS). RADIUS is used in a variety of applications, including in corporate networks to authenticate access to switches and other routing infrastructures, for VPN access, by ISPs for DSL and FTTH (Fiber to the Home), for 802. 1X and Wi-Fi authentication, for 2G and 3G mobile roaming and 5G DANN (Data Network Name) authentication, for mobile Wi-Fi offload with SIM card-based authentication, for private APN authentication, for authenticating access to critical infrastructures and in the Eduroam and OpenRoaming WLAN consortia.
The abbreviation RADIUS stands for Remote Authentication Dial-In User Service, and a RADIUS server takes over the authentication of clients in the network using a user name and password. It also provides parameters for the connection to the client. The RADIUS server takes the data used for this from its own configuration files, its own configuration databases or determines this by querying other databases or directory services in which the access data such as user name and password are stored.
The RADIUS protocol (Remote Authentication Dial-In User Service) is at the heart of today's network infrastructure. Although the protocol was developed back in 1991, it is still the standard authentication protocol for remote access by users and administrators to networked devices. According to this source, "RADIUS is supported by almost all switches, routers, access points and VPN concentrators sold in the last twenty years".
The Blast RADIUS vulnerability (CVE-2024-3596)
The term blast radius describes the radius of damage in a blast, here it refers to the damage to a network when the vulnerability is exploited. Blast-RADIUS is a vulnerability (CVE-2024-3596) in the RADIUS protocol that allows an attacker to forge any valid response (access-accept, access-reject or access-challenge) from the RADIUS server and convert it into a different response. The vulnerability was classified with a CVS score of 7.5.
Blast-RADIUS was discovered by security researchers from Cloudflare, Microsoft, UC San Diego, CWI Amsterdam and BastionZeroand is described here. To exploit the vulnerability, the attacker must perform a man-in-the-middle (MitM) attack between client and server with a chosen prefix collision against the MD5 Response Authenticator signature.
Advertising
By forging the responses from the RADIUS server in this way, the attacker can gain access to network devices and services without having to guess or force passwords or shared secrets. The attacker does not learn any user credentials. The vulnerability can only be exploited if no EAP authentication methods over UDP are used. It should also be noted that the security researchers have had to optimize and parallelize the MD5 collision to such an extent that the attack takes minutes rather than hours.
The attack is therefore currently more theoretical in nature, but could be exploited in the future. heise describes it quite well here: Despite optimization, the researchers needed around 3-6 minutes to break the MD5 hash, while standard RADIUS implementations allow 30 to 60 seconds for the authentication process.
What can/should you do?
End users themselves cannot do anything to protect themselves from this attack. The administrators of corporate networks in which the RADIUS network protocol is used are required to take action. The first thing to check is whether the RADIUS implementation supports EAP authentication methods via UDP. If this variant is configured, Blast-RADIUS will no longer work.
The discoverers recommend at blastradius.fail, that system administrators of networks using RADIUS should ask the component vendors for a patch against this vulnerability and follow the best practices for RADIUS configuration described in the Q&A section on the site.
Microsoft has released a security update for Windows versions in support (clients and servers) with a patch against Blast RADIUS on July 9, 2024. The relevant patches to close the RADIUS Protocol Spoofing vulnerability CVE-2024-3596 are described here.
Advertising
