Computer Emergency Response Teams (CERT) and cybersecurity researchers alike are sounding the alarm about a new critical vulnerability found in the Remote Authentication Dial-In User Service (RADIUS) protocol.
The flaw, designated CVE-2024-3596 and dubbed ‘BlastRADIUS’, could leave any organization running the protocol over UDP susceptible to adversary-in-the-middle attacks. It stems from two properties of the protocol: RADIUS does not require Access-Request messages to carry an integrity check (the Message-Authenticator attribute), and the only integrity check on the server’s reply, the Response Authenticator, is an MD5 hash of the reply and the shared secret.
A threat actor positioned to intercept traffic between a RADIUS client and server can therefore alter an Access-Request without detection and, because chosen-prefix collisions against MD5 are practical, can turn the server’s Access-Reject into an Access-Accept that the client verifies successfully. This could allow the threat actor to gain unauthorized access, including administrative access, to devices that use RADIUS for authentication, without needing to brute force or steal passwords or shared secrets.
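To make the weakness concrete, the following Python script is an added example written for this summary; it is not code from the cited article or from any RADIUS vendor. It builds a constructed Access-Request, appends and checks a Message-Authenticator (HMAC-MD5 keyed with the shared secret, RFC 2869 §5.14), and computes a Response Authenticator (plain MD5 over the reply and the secret, RFC 2865 §3). The shared secret, user name and NAS address are made up; the `tamper` helper only appends attributes the way an on-path attacker could and computes no collision.

```python
"""Show why a RADIUS Access-Request without a Message-Authenticator can be
altered in transit undetected, and what the server's reply is protected by."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, PROXY_STATE, MESSAGE_AUTHENTICATOR = 1, 4, 33, 80


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; length includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(packet):
    """Walk the attribute section (after the 20-byte header) into (type, value) pairs."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    """Header: Code(1) | Identifier(1) | Length(2) | Authenticator(16), then attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def add_message_authenticator(packet, secret):
    """Append attribute 80: HMAC-MD5 over the whole packet with the attribute's
    own value zeroed, keyed with the shared secret (RFC 2869 section 5.14)."""
    attrs = decode_attrs(packet) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    zeroed = build_packet(packet[0], packet[1], packet[4:20], attrs)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return zeroed[:-16] + mac


def verify_access_request(packet, secret):
    """Return 'missing', 'valid' or 'invalid'. 'missing' is the BlastRADIUS case:
    nothing binds the attributes to the shared secret, so changes go unnoticed."""
    attrs = decode_attrs(packet)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not macs:
        return "missing"
    zeroed_attrs = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    zeroed = build_packet(packet[0], packet[1], packet[4:20], zeroed_attrs)
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "valid" if hmac.compare_digest(expected, macs[0]) else "invalid"


def response_authenticator(code, ident, request_authenticator, attrs, secret):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    This is the only integrity check on an Access-Accept or Access-Reject."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def tamper(packet, extra_attrs):
    """An on-path attacker appending attributes to a request. Proxy-State is the
    interesting one: the server must echo it unchanged in its reply (RFC 2865 section 5.33)."""
    return build_packet(packet[0], packet[1], packet[4:20], decode_attrs(packet) + extra_attrs)


def demo(secret=b"constructed-shared-secret"):
    """Constructed sample exchange (made-up secret, user and NAS), not captured traffic."""
    req_auth = os.urandom(16)
    base = [(USER_NAME, b"alice"), (NAS_IP_ADDRESS, bytes([10, 0, 0, 5]))]
    legacy = build_packet(ACCESS_REQUEST, 7, req_auth, base)
    protected = add_message_authenticator(legacy, secret)
    injected = [(PROXY_STATE, b"attacker-chosen-bytes")]
    results = {
        "legacy": verify_access_request(legacy, secret),
        "legacy_tampered": verify_access_request(tamper(legacy, injected), secret),
        "protected": verify_access_request(protected, secret),
        "protected_tampered": verify_access_request(tamper(protected, injected), secret),
    }
    # The Reject and Accept for the tampered request differ only in the Code byte, and both
    # echo the Proxy-State, so attacker-chosen bytes sit inside the MD5 input of the reply.
    reject = response_authenticator(ACCESS_REJECT, 7, req_auth, injected, secret)
    accept = response_authenticator(ACCESS_ACCEPT, 7, req_auth, injected, secret)
    results["reject_vs_accept_differ"] = reject != accept
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two halves of the problem: a request without attribute 80 reports `missing` both before and after tampering, so a server has no way to tell that Proxy-State was injected, while a request carrying the attribute reports `invalid` once touched. The `response_authenticator` function shows what the attacker is then aiming at: an MD5 digest whose input contains bytes the attacker chose, which is what makes a collision between a Reject and an Accept feasible.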
RADIUS deployments that rely on PAP, CHAP, MS-CHAPv2, MAC address, or other non-EAP authentication methods are the ones exposed to CVE-2024-3596 and should be updated as soon as possible. Deployments using 802.1X (EAP), IPsec, TLS (RadSec), Eduroam and OpenRoaming are not affected: EAP already requires the Message-Authenticator attribute on every Access-Request, and IPsec or TLS protects the transport so an on-path attacker cannot read or alter the packets in the first place.
Currently, there is no evidence that BlastRADIUS is being exploited in the wild.
Source: The Hacker News
Analysis
RADIUS is a protocol originally designed to provide centralized authentication, authorization, and accounting (AAA) for dial-up internet access. Its integrity protection rests on the MD5 algorithm, which has been regarded as cryptographically broken since at least 2008, when CERT advised that it was unsuitable for further use. Any software, protocols included, becomes a potential attack vector if it is not kept up to date with the state of cryptanalysis, and RADIUS is no exception.
Although there is no indication that threat actors have exploited BlastRADIUS in the wild, it is likely only a matter of time, since RADIUS/UDP traffic is sent in cleartext by design (only the User-Password attribute is obfuscated), including where it crosses the open internet. An attacker who gets onto the path between client and server can read and modify packets directly, with no encryption to break first, which shortens the attack chain. The remaining constraint is speed: the MD5 collision has to be computed before the RADIUS client gives up waiting for its reply, which is a matter of tens of seconds to minutes depending on the client’s timeout settings.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities such as BlastRADIUS. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these vulnerabilities.
Field Effect MDR users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly encourages organizations whose RADIUS deployments rely on PAP, CHAP, MS-CHAPv2, MAC address, or other non-EAP authentication methods to update both their RADIUS servers and their RADIUS clients (switches, wireless controllers, VPN concentrators and other NAS devices) as soon as possible. Vendor fixes close the gap by sending, and requiring, the Message-Authenticator attribute in every Access-Request; a server can only enforce that requirement once all of its clients are sending it, so patching the server alone is not sufficient. Where the option exists, moving RADIUS onto TLS or IPsec removes the cleartext transport the attack depends on.