‘Blast-RADIUS’ Critical Bug Blows Up IT Vacation Plans
Ancient, widely used protocol has CVSS 9.0 vulnerability.
RADIUS, the protocol nobody thinks much about, has a critical bug. This 1990s authentication/authorization standard has the potential to cause widespread pain and anguish, thanks to how it’s deeply embedded into countless bits of networking gear.
IT/DevOps staff can look forward to some canceled vacay. In today’s SB Blogwatch, we wonder what else is lurking to bite us.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Model (ska).
MD5 MITM Muddle
What’s the craic? Andrew Ferguson reports: New Blast-RADIUS Protocol Vulnerability
“CVSS score of 9”
Researchers … discovered a vulnerability in the RADIUS protocol, which is widely used for network authentication … on many corporate networks, VPNs, [enterprise] Wi-Fi and on broadband networks. … There is a trend to name protocol vulnerabilities these days and the researchers have coined the term Blast-RADIUS.
…
The vulnerability centres around a ‘man-in-the-middle’ attack, which means that only someone able to intercept traffic could make use of the attack—which does mitigate the issue somewhat. However it still carries a CVSS score of 9, … which means it’s considered a “critical” vulnerability.
More detail please. Sergiu Gatlan helps us out: Attack bypasses widely-used RADIUS authentication
“Forged MD5 hash”
Blast-RADIUS exploits a new protocol vulnerability (CVE-2024-3596) and an MD5 collision attack, allowing attackers with access to RADIUS traffic to manipulate server responses and add arbitrary protocol attributes. [It] lets them gain admin privileges on RADIUS devices without requiring brute force or stealing credentials.
…
The RADIUS protocol uses MD5 hashed requests and responses when performing authentication. … The researchers’ proof-of-concept exploit (which has yet to be shared) computes an MD5 chosen-prefix hash collision needed to forge a valid … response to denote a successful authentication request. This forged MD5 hash is then injected into the network communication, … allowing the attacker to log in.
Horse’s mouth? The researchers are Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens and Adam Suhl: RADIUS/UDP considered harmful
“IETF has begun work”
MD5 should have been abolished 20 years ago. … Nearly all RADIUS/UDP implementations are vulnerable to our protocol attack when using non-EAP authentication methods.
…
While an MD5 hash collision was first demonstrated in 2004, it was not thought to be possible to exploit this. … Our attack identifies a protocol vulnerability in the way RADIUS uses MD5 that allows the attacker to [produce] a hash collision.
…
Our recommended short-term mitigation … is to mandate that clients and servers always send and require Message-Authenticator attributes. … For Access-Accept or Access-Reject responses, [it] should be … the first attribute. Patches implementing this mitigation have been implemented by all RADIUS implementations that we are aware of. This guidance is being put into an upcoming RADIUS RFC. The long-term mitigation is to use [a] channel that offers modern cryptographic security guarantees. The IETF has begun work to standardize RADIUS over (D)TLS.
But is this really a big deal? sedregj’s answer is clear:
Your internet connection is almost certainly authenticated via RADIUS. Extrapolate worldwide and think about it.
Not only in ISPs. zeeky boogy doog paints a horrifying picture:
This sounds more like a huge enabler of horizontal movement that will be exploited to the hilt by APTs: Social engineer or compromise your way into one bastion host (because outside of the most hardened air-gapped installations, there will be a bastion host that has access to the trusted network which you can remotely attack), and then Blast-RADIUS allows low-level infestation of the routers and switching infrastructure. And … everything else using RADIUS—like, say, an entire datacenter full of … servers.
…
And if your switching infrastructure is corrupted, good luck evicting Fancy Bear.
Wait. Pause. 30-year-old protocol? Deprecated hash function? Why are we still using this garbage everywhere? barrattm wonders aloud:
Tricky thing, to get rid of widely implemented old cruft. With no one being “in charge,” no one can force all the implementers to change it all at once. Do it unilaterally and you simply end up with a non-interoperable product.
…
Seems the only way things [are] fixed is when they get seriously broken—like this. Which makes me wonder: How many other security sensitive protocols are there that are both widely implemented and slightly aged?
But a man-in-the-middle vulnerability? Sounds pretty theoretical. codebase7 ain’t buying it:
This attack requires a MITM between the RADIUS client [and] server (i.e., you need access to the victim’s network and be in a privileged enough position to intercept traffic). … If your attacker is in such a position to have MITM ability, … you have far bigger problems.
Not all MITMs require physical access, though. Jim Salter explains:
As one example: … If an attacker is physically close enough to an enterprise Wi-Fi network to intercept packets, the attacker can capture packets until they get a RADIUS authentication packet, then forge credentials to log in. … RADIUS logins identify you as a specific user to that network.
…
The consequences get even worse when looking at, e.g., a power company’s control infrastructure, which will generally heavily rely on RADIUS auth for controls. About the only mitigating factor is that at this point, most people running industrial control networks … are well aware that they’re absolute Swiss cheese, and have done as much as they can to isolate them.
Quite the list of researchers who put there name to this. nadiah curates some deep linkage:
Some work they are known for:
- Sharon Goldberg: Attacking the Network Time Protocol
- Miro Haller: MEGA: Malleable Encryption Goes Awry
- Nadia Heninger: Mining your Ps and Qs
- Dan Shumow: On the Possibility of a Back Door in the NIST SP800-90 Dual EC PRNG
- Marc Stevens: MD5 considered harmful today
- Adam Suhl: On the Possibility of a Backdoor in the Micali-Schnorr Generator
Meanwhile, Shadowen09 isn’t looking forward to the next few days at work:
Well, my week just got a lot longer.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.