Blast-RADIUS Vulnerability Requires Action Now

F5 Ecosystem | July 31, 2024

A flaw in the common client-server networking protocol, RADIUS, has received a ton of recent press and coverage from cybersecurity experts. Discovered by researchers from universities and tech industry peers, this flaw earned a Common Vulnerability Scoring System (CVSS) score of 9, landing it in critical vulnerability territory (CVE-2024-3596 and VU#456537). Given that the RADIUS protocol supports most routers, switches, and VPN access points deployed since the late 1990s, it blows the door wide open for attackers to bypass user authentication by way of a man-in-the-middle (MITM) attack between the RADIUS client and server. Attackers could then gain access to any device, network, or internet service that relies on the RADIUS protocol.

How does the vulnerability work?

Per the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD), the RADIUS protocol “under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.”

In this scenario, attackers can escalate privileges to network devices and services without resorting to brute-force attacks like credential stuffing. A Blast-RADIUS site was created by the university researchers and Big Tech organizations that discovered the flaw and includes extensive information on the vulnerability and mitigation methods, plus some valuable questions and answers.

To lightly summarize, the threat model requires an attacker to have gained network access and then to act as a “man-in-the-middle” between the RADIUS client and RADIUS server, giving them the ability to read, intercept, modify, or block inbound and outbound packets. If proxies are being used, the attack could occur between any hop.

Who is impacted?

Any organization with a RADIUS implementation that’s not using the Extensible Authentication Protocol (EAP) over the User Datagram Protocol (UDP) is vulnerable and should upgrade its RADIUS servers straight away. EAP is the authentication framework frequently used in network connections (see the RFC 3748 - Extensible Authentication Protocol summary from IETF Datatracker). According to the researchers, Blast-RADIUS does not seem to impact RADIUS servers that are only doing EAP authentication (though it’s still advisable to upgrade everything).

What should you do?

Here are steps you can take now and moving forward to protect your network:

  1. As noted on the Blast-RADIUS site, first and foremost you should upgrade RADIUS servers right away, followed by clients wherever possible. Be sure to enable cryptographic signatures for the RADIUS packets via the Message-Authenticator attribute for every request and response (i.e., Access-Accept, Access-Reject, or Access-Challenge).
  2. Longer term, having RADIUS inside an encrypted and authenticated channel is the current recommendation from cybersecurity experts.
  3. Given that many attackers rely on malware hiding in encrypted traffic to breach a network, it's also critical to have insight into your SSL/TLS traffic overall. If you’re familiar with F5 BIG-IP SSL Orchestrator, this solution is instrumental in rooting out malicious traffic hiding behind encryption to prevent attackers from either breaching or moving laterally throughout your environment.
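As an added illustration of step 1 (this is example code, not code from the F5 post or from any RADIUS implementation), the following shows how a RADIUS client validates a response using both the RFC 2865 Response Authenticator (unkeyed MD5) and the RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the shared secret), and refuses responses that carry no Message-Authenticator at all. The shared secret, Request Authenticator, and attribute bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 section 5.14)


def build_response(code, ident, request_auth, attrs, secret, sign=True):
    """Build a RADIUS response over raw TLV 'attrs'; sign=False mimics a
    legacy server that omits Message-Authenticator."""
    if sign:
        attrs += bytes([MSG_AUTH, 18]) + b"\x00" * 16  # zeroed placeholder
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if sign:
        # Keyed HMAC-MD5 over Code, ID, Length, Request Authenticator and the
        # attributes with the MAC field zeroed; an MD5 collision alone cannot
        # forge it without the shared secret.
        mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:-16] + mac
    # RFC 2865 Response Authenticator: unkeyed MD5 over packet plus secret.
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret, require_msg_auth=True):
    """Client-side check: True only if every authenticator present validates."""
    header, resp_auth = packet[:4], packet[4:20]
    length = struct.unpack("!H", header[2:4])[0]
    if length < 20 or length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    pos, found = 0, None
    while pos + 2 <= len(attrs):  # walk the attribute TLVs
        typ, ln = attrs[pos], attrs[pos + 1]
        if ln < 2 or pos + ln > len(attrs):
            return False
        if typ == MSG_AUTH and ln == 18:
            found = pos + 2
        pos += ln
    if found is None:
        return not require_msg_auth  # mitigation: reject unsigned responses
    zeroed = attrs[:found] + b"\x00" * 16 + attrs[found + 16:]
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, attrs[found:found + 16])
```

With `require_msg_auth=True`, a response from an unpatched server that lacks the attribute is rejected, as is any response whose Code byte or attributes were altered in transit.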

Need a little refresher on RADIUS?

The RADIUS networking protocol is an industry-recognized standard for controlling access to networks through authentication, authorization, and accounting (AAA). RADIUS protocols support nearly every switch, router, access control point, or VPN hub deployed since its development back in the 1990s.

It’s fair to say RADIUS wasn’t designed with today’s cybersecurity threat tactics in mind given the exponential changes in the threat landscape since its debut. But we know vulnerabilities are inevitable. The best response is a swift one: Always patch and upgrade the moment you’re able. Adopting a layered security approach is also critical for minimizing impact should an attacker be successful. Whether it's Blast-RADIUS or the next vulnerability that will make the headlines, having protections at each key point within your network is instrumental in stopping lateral movement by an attacker, containing their efforts, and minimizing any damage.
