Overview
A critical security flaw, CVE-2024-3596, was recently discovered in the RADIUS (Remote Authentication Dial-In User Service) authentication protocol. This vulnerability, dubbed Blast-RADIUS, poses a serious threat to organizations relying on RADIUS for network authentication and access control. Researchers have demonstrated how attackers could exploit the vulnerability to bypass authentication mechanisms, highlighting the risks in environments using non-EAP (Extensible Authentication Protocol) methods over UDP.
Vulnerability Details
- CVE ID: CVE-2024-3596
- Description: The Blast-RADIUS attack allows an adversary to perform a Man-in-the-Middle (MITM) attack on RADIUS authentication. By leveraging the weak MD5 hashing algorithm used for RADIUS requests, attackers can manipulate authentication responses to grant unauthorized access.
- Affected Versions: The vulnerability affects any implementation of RADIUS that uses non-EAP methods over UDP, which includes many older systems that rely on the outdated RFC 2865 specification.
Analysis
The core issue arises from the MD5 hashing method used for encrypting RADIUS requests. Attackers can exploit this by injecting malicious attributes into a request, causing authentication collisions that trick the server into accepting falsified responses. While this flaw has existed in RADIUS for some time, Blast-RADIUS is a more refined attack that showcases how dangerous this vulnerability can be.
Exploiting this attack requires an attacker to intercept the communication between the RADIUS client and server, positioning themselves as a MITM. Although such attacks typically need 3-6 minutes to execute, this can be reduced with more powerful hardware, such as GPUs. This attack vector becomes particularly problematic if RADIUS traffic is not sufficiently secured or isolated within a network.
Past Exploitation
While the Blast-RADIUS attack is relatively new, the RADIUS protocol has long been known to have inherent weaknesses due to its reliance on outdated cryptographic methods. This vulnerability could potentially be exploited in high-value targets like corporate networks that rely on RADIUS for 802.1X authentication. However, because the attack is somewhat complex and time-sensitive, real-world exploitation might be less frequent but still dangerous for poorly secured environments.
Take Action
To mitigate the risks associated with CVE-2024-3596, organizations should:
- Transition to more secure authentication methods: Where possible, move to EAP methods over TLS, such as RADIUS over TLS (RADSEC), which offer stronger encryption.
- Isolate RADIUS traffic: Ensure that RADIUS traffic is securely isolated from potential attackers by using network segmentation and encryption.
- Apply security patches: If running a Microsoft environment, use the guidelines provided by Microsoft to configure Network Policy Server (NPS) to defend against this vulnerability.
- Monitor network traffic: Enable event logs related to RADIUS authentication and closely monitor for any unusual activity, particularly involving RADIUS Access-Accept or Access-Reject responses.
The importance of addressing this flaw is paramount for organizations that heavily rely on the RADIUS protocol for secure network access. Though the attack is challenging to execute, it exposes significant weaknesses in many legacy systems still in use today.
Sources: