Cybersecurity researchers have found a security flaw in the RADIUS network authentication protocol known as BlastRADIUS that enables attackers to perform Mallory-in-the-middle (MitM) attacks and bypass integrity checks in certain situations.
“The RADIUS protocol allows specific Access-Request messages to lack integrity or authentication checks,” stated InkBridge Networks CEO Alan DeKok, the creator of the FreeRADIUS Project.
RADIUS, or Remote Authentication Dial-In User Service, is a client/server protocol that offers centralized authentication, authorization, and accounting management for network users. However, the security of RADIUS relies on an MD5-derived hash, which has been considered cryptographically broken since 2008.
Despite the vulnerability having a CVSS score of 9.0, it primarily affects networks sending RADIUS/UDP traffic over the internet. There is currently no evidence of this vulnerability being exploited in the wild.
To mitigate the risk of the attack, it is recommended that organizations use TLS to transmit RADIUS traffic and enhance packet security with the Message-Authenticator attribute.
BlastRADIUS presents a fundamental design flaw and impacts all standards-compliant RADIUS clients and servers, necessitating ISPs and organizations using the protocol to update to the latest version.
“Specifically, PAP, CHAP, and MS-CHAPv2 authentication methods are the most vulnerable,” DeKok added. “ISPs will have to upgrade their RADIUS servers and networking equipment.”
“Anyone using MAC address authentication or RADIUS for administrator logins to switches is vulnerable. Using TLS or IPSec can prevent the attack, and 802.1X (EAP) is not susceptible.”
For enterprises, the attacker must already have access to the management VLAN. Additionally, ISPs are at risk if they transmit RADIUS traffic over intermediate networks or the wider internet.
“This attack highlights the neglect of RADIUS protocol security for a long time,” DeKok remarked. “While standards have recommended protections to prevent this attack, many vendors did not implement them.”
