A new critical security vulnerability has been discovered in the popular RADIUS network authentication protocol, which is used by networks across the world to help users connect with their services (i.e. everything from broadband ISPs to VPNs, mobile operators and more) and thus could leave them exposed to Man-in-the-Middle (MitM) style attacks.
The vulnerability, which has been dubbed BlastRADIUS by InkBridge Networks (FreeRadius), appears difficult to exploit. But its impact could still be significant if network operators and network administrators who use RADIUS don’t patch their software and devices to protect against the new threat.
NOTE: RADIUS might not be as visible as protocols like HTTP (web) to end-users, but it is a foundational protocol that almost everyone uses at some level to access the internet.
The vulnerability is said to stem from a thirty-year-old design flaw in the RADIUS protocol (i.e. some Access-Request packets are not authenticated and lack integrity checks) and exploiting this “allows an attacker to authenticate anyone to your local network“, which is obviously not good. Suffice to say that it’s been given a Common Vulnerability Score (CVSS) of 9 out of 10, which is extremely high.
However, in order for such an attack to succeed, the attacker has to be able to modify RADIUS packets between the RADIUS client and server. But, even if they did that, such attacks would still be costly and likely to “take a significant amount of cloud computing power to succeed” (catch – those with more resources may still consider it viable to do, such as if the target is to steal credit card data for financial gain etc.).
Statement by FreeRadius
The attack is hard, because it is a “man in the middle” attack, which means that the attacker has to be able to both see, and modify Access-Request packets. If the attacker can do that, then your network is already compromised.
Even better, the attack requires substantial CPU resources to do i.e. $1000 of CPU power per packet being attacked, and the attack isn’t even guaranteed. There is also no public exploit available for “script kiddies” to run. It is extremely unlikely that anyone other than nation-states have the capability to perform the attack at this time.
However, if you are running PAP / CHAP / MS-CHAP and RADIUS/UDP over the Internet, then your users have likely been compromised for decades. There is little more we can say about that.
In order to fully protect your systems from the attack, you must update all RADIUS servers, and all RADIUS clients. The attack relies on a design flaw in the protocol. Fixing it requires updating all RADIUS implementations to the new behavior. In many cases, you do not need to panic and upgrade everything immediately. See below for more details.
Even considering the limited nature of the attack, everyone should plan on installing all firmware updates for each NAS device (including switches, routers, firewalls, VPN concentrators, etc.) which uses RADIUS. The important thing in the short term is to upgrade the RADIUS servers, determine if your network is still vulnerable, and then take action to address those vulnerabilities.
At present there is only a proof-of-concept exploit for this that has been developed by the researchers and the exploit itself is not yet publicly available. Credits to Thinkbroadband for spotting.
NOTE: Systems that are NOT deemed vulnerable to this include 802.1x, IPSec, TLS, Eduroam and OpenRoaming. But those deemed vulnerable include PAP, CHAP, MS-CHAPv2 and other non-EAP authentication methods.