Cyber security researchers have discovered a security vulnerability in the RADIUS network authentication protocol, named BlastRADIUS, which an attacker could use to perform Mallory-in-the-middle (MitM) attacks and bypass integrity checks under certain circumstances.
“The RADIUS protocol allows some Access-Request messages to fail integrity or authentication checks,” InkBridge Networks CEO Alan DeKok, who created the FreeRADIUS project, said in a statement.
“As a result, an attacker can modify these packets without detection. An attacker will be able to force any user to authenticate and give them any authorization (VLAN, etc.).”
RADIUS, short for Remote Authentication Dial-In User Service, is a client/server protocol that provides centralized authentication, authorization, and accounting (AAA) for users connecting to and using a network service.
RADIUS security relies on a hash computed with the MD5 algorithm, which has been considered cryptographically broken since December 2008 because of the risk of collision attacks.
This means that Access-Request packets can be subjected to a so-called chosen-prefix collision attack, which allows the response packet to be modified in such a way that it still passes all of the integrity checks the original response would pass.
However, for the attack to succeed, the adversary must be able to modify the RADIUS packets in transit between the RADIUS client and the server. This also means that organizations that send these packets over the Internet are exposed to the attack.
Other factors that blunt the attack include carrying RADIUS traffic over TLS when it crosses the Internet, and the additional protection given to packets by the Message-Authenticator attribute.
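To make the two checks concrete, here is an added example (not code from the article, InkBridge Networks or the FreeRADIUS project) of how a RADIUS client can validate an Access-Accept: first against the MD5-based Response Authenticator of RFC 2865, then against the keyed HMAC-MD5 Message-Authenticator of RFC 3579, rejecting any reply that lacks the latter. The shared secret, Request Authenticator and attribute values are constructed for the example; the HMAC construction is not affected by the chosen-prefix collisions that break the bare MD5 hash.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)

def encode(code, ident, authenticator, attrs):
    """Code | Identifier | Length | Authenticator (16 bytes) | attributes as TLVs."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def msg_auth_offset(pkt):
    """Offset of the Message-Authenticator value inside pkt, or None if absent."""
    pos = 20
    while pos + 2 <= len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if t == MSG_AUTH and l == 18:
            return pos + 2
        pos += max(l, 2)  # a malformed length < 2 must not stall the walk
    return None

def message_authenticator(pkt, request_auth, secret):
    """RFC 3579: HMAC-MD5(secret, packet) with the Authenticator field set to the
    Request Authenticator and the Message-Authenticator value zeroed."""
    off = msg_auth_offset(pkt)
    zeroed = pkt[:4] + request_auth + pkt[20:off] + bytes(16) + pkt[off + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def build_access_accept(ident, request_auth, attrs, secret, include_ma=True):
    """Server side. include_ma=False gives the legacy reply the article describes,
    protected only by the MD5-based Response Authenticator."""
    if include_ma:
        attrs = attrs + [(MSG_AUTH, bytes(16))]
    pkt = encode(2, ident, request_auth, attrs)  # code 2 = Access-Accept
    if include_ma:
        off = msg_auth_offset(pkt)
        pkt = pkt[:off] + message_authenticator(pkt, request_auth, secret) + pkt[off + 16:]
    # RFC 2865 Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]

def verify_access_accept(pkt, request_auth, secret):
    """Client side: insist on a valid Message-Authenticator. Returns "ok" or a reason."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return "Response Authenticator mismatch"
    off = msg_auth_offset(pkt)
    if off is None:
        return "Message-Authenticator missing"
    if not hmac.compare_digest(message_authenticator(pkt, request_auth, secret), pkt[off:off + 16]):
        return "Message-Authenticator mismatch"
    return "ok"
```

A client configured to require Message-Authenticator on every reply, as this verifier does, is the behaviour the article's "proposed protections" amount to on the receiving side.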
BlastRADIUS is the result of a fundamental design flaw and is said to affect all standards-compliant RADIUS clients and servers, making it imperative that Internet Service Providers (ISPs) and organizations using the protocol update to the latest version.
“In particular, PAP, CHAP, and MS-CHAPv2 authentication methods are the most vulnerable,” DeKok said. “ISPs will have to upgrade RADIUS servers and network hardware.”
“Anyone using MAC address or RADIUS authentication to log administrators in to the switch is vulnerable. Using TLS or IPsec prevents the attack, and 802.1X (EAP) is not vulnerable.”
For enterprises, an attacker must already have access to the virtual local area network (VLAN) to carry out the attack. Moreover, ISPs may be susceptible if they send RADIUS traffic over intermediate networks, such as third-party outsourced networks or the wider Internet.
It should be noted that the vulnerability, which has a CVSS score of 9.0, particularly affects networks that send RADIUS/UDP traffic over the Internet, given that “most RADIUS traffic is sent ‘in the open.’” There is no evidence that it is being exploited in the wild.
“This attack is the result of the security of the RADIUS protocol being neglected for a very long time,” DeKok said.
“While standards have long offered safeguards that would prevent an attack, these safeguards have not been mandatory. In addition, many vendors have not even implemented the proposed protections.”