SecurityWeek

BlastRADIUS Attack Exposes Critical Flaw in 30-Year-Old RADIUS Protocol

Security vendor InkBridge Networks calls urgent attention to the discovery of a decades-old design flaw (CVE-2024-3596) in the popular RADIUS protocol.

Security vendor InkBridge Networks on Tuesday called urgent attention to the discovery of a thirty-year-old design flaw in the RADIUS protocol and warned that advanced attackers can launch exploits to authenticate anyone to a local network, bypassing any multi-factor-authentication (MFA) protections.

The company published a technical description of what is being called the BlastRADIUS attack and warned that corporate networks such as internal enterprise networks, Internet Service Providers (ISPs), and telecommunications companies (telcos) are exposed to major risk.

The flaw was discovered by researchers at Boston University, Cloudflare, BastionZero, Microsoft Research, Centrum Wiskunde & Informatica and the University of California, San Diego.

The vulnerability is being tracked as CVE-2024-3596 and VU#456537.

“The root cause of the attack is that in the RADIUS protocol, some Access-Request packets are not authenticated and lack integrity checks. An attacker can modify these packets in a way which allows them to control who gets onto the network,” the research team explained.

The RADIUS protocol, first standardized in the late 1990s, is used to control network access via authentication, authorization, and accounting and is still used widely today in switches, routers, access points and VPN products.

“All of those devices are likely vulnerable to this attack,” the researchers warned.

“The key to the attack is that in many cases, Access-Request packets have no authentication or integrity checks. An attacker can then perform a chosen prefix attack, which allows modifying the Access-Request in order to replace a valid response with one chosen by the attacker. Even though the response is authenticated and integrity checked, the chosen prefix vulnerability allows the attacker to modify the response packet, almost at will,” according to the InkBridge Networks documentation.
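The gap described above is visible in the packet format itself. The following is an added example, not code from the article or from InkBridge Networks: it classifies an Access-Request by whether it carries a verifiable Message-Authenticator attribute, the HMAC-MD5 integrity attribute defined in RFC 2869, which the article does not name. The shared secret and sample packets are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1           # RADIUS packet code (RFC 2865)
MESSAGE_AUTHENTICATOR = 80   # attribute type (RFC 2869), 16-byte HMAC-MD5 value

def attributes(packet):
    """Yield (type, value_offset, value) for each TLV after the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        yield packet[pos], pos + 2, packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def check_access_request(packet, secret):
    """Classify an Access-Request as 'unauthenticated', 'valid' or 'invalid'."""
    attrs = list(attributes(packet))  # validates header and attribute lengths
    if packet[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    length = struct.unpack("!H", packet[2:4])[0]
    for atype, off, value in attrs:
        if atype == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return "invalid"
            # The HMAC covers the whole packet with this value zeroed out.
            zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "valid" if hmac.compare_digest(expected, value) else "invalid"
    return "unauthenticated"  # no integrity check covers this packet

def build_request(ident, attrs, secret=None):
    """Build a constructed sample Access-Request; sign it when a secret is given."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if secret is not None:
        body = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + body
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body
    if secret is not None:
        pkt = pkt[:22] + hmac.new(secret, pkt, hashlib.md5).digest() + pkt[38:]
    return pkt

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    for pkt in (build_request(1, [(1, b"alice")]), build_request(2, [(1, b"alice")], secret)):
        print(check_access_request(pkt, secret))
```

A server or proxy can use a check like this to log or reject Access-Requests that arrive without the attribute; a request modified in transit is only detectable in the signed case.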

The company described the issue as “a fundamental design flaw of the RADIUS protocol” and noted that all standards-compliant RADIUS clients and servers are likely vulnerable to this attack, even if they correctly implement all aspects of the RADIUS protocol.

“Since all security of the RADIUS protocol for UDP and TCP transports is based on the shared secret, this attack is perhaps the most serious attack possible on the RADIUS protocol,” the company declared.

At the absolute minimum, InkBridge Networks recommends that every single RADIUS server worldwide be upgraded to address this vulnerability. “It is not sufficient to upgrade only RADIUS clients, as doing so will allow the network to remain vulnerable.”

The company said a private proof-of-concept exploit has been created by its researchers, but there is no indication that this vulnerability is being actively exploited in the wild.

Even if someone managed to recreate the exploit, the researchers note that a successful attack will be costly. “It can take a significant amount of cloud computing power to succeed in performing the attack. This cost is also per packet being exploited, and cannot be automatically applied to many packets. If an attacker wants to perform 100 attacks, he has to use 100 times of computing power.”

However, the company notes that these costs are a “drop in the bucket for nation-states” looking to target specific users.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
