BlastRADIUS Vulnerability (CVE-2024-3596): Flaw in RADIUS Protocol Exposes Networks to Attack
A newly identified vulnerability (CVE-2024-3596), dubbed “BlastRADIUS,” has been uncovered in the RADIUS protocol, posing a critical risk to network security. Researchers from the University of California, San Diego, have published a practical exploit for this flaw, marking the first time an attack has been successfully demonstrated against the RADIUS protocol. The FreeRADIUS Server Project has promptly responded with guidance and updates to mitigate this significant threat.
While attacks on the MD5 cryptographic algorithm have been known for some time, this is the first instance where such an attack has been practically demonstrated against the RADIUS protocol. This revelation was made by a team of researchers led by Nadia Heninger, highlighting a significant security concern for organizations relying on RADIUS for network authentication.
“The attack is due to a fundamental design flaw of the RADIUS protocol. It is not a flaw in any particular implementation or product. All standards compliant RADIUS clients and servers are likely vulnerable to this attack, even if they correctly implement all aspects of the RADIUS protocol,” read the security announcements.
The exploit, classified as a Man-in-the-Middle (MITM) attack, requires the attacker to intercept and modify Access-Request packets. Although the exploit’s success hinges on the attacker’s ability to observe and alter these packets, it underscores the necessity for heightened security measures within affected networks.
The FreeRADIUS Server Project has collaborated closely with Nadia Heninger’s team to characterize and address this vulnerability. Their findings and recommended mitigations are detailed in an engineering white paper available on the At Network RADIUS corporate site. The white paper outlines the engineering efforts required to secure both RADIUS implementations and network infrastructures, emphasizing the importance of adhering to these recommendations to prevent potential exploitation.
While the BlastRADIUS vulnerability (CVE-2024-3596) necessitates a man-in-the-middle (MITM) position, implying that a network may already be compromised if exploited, immediate action is still crucial.
FreeRADIUS users can safeguard their systems by implementing specific configuration changes. Notably, the require_message_authenticator = true flag must be set in all client definitions. This flag has been available and documented since version 3 but was not enabled by default. Enabling this flag ensures that systems using FreeRADIUS are not vulnerable to the BlastRADIUS attack.
Additionally, the FreeRADIUS team has introduced two new configuration options in the radiusd.conf file to mitigate the attack while maintaining network functionality:
These options can be applied globally or to individual client definitions, providing flexible and comprehensive protection against the exploit.
For NAS clients (non-proxy devices), updating client definitions to include limit_proxy_state = yes is crucial. For proxy clients (other RADIUS servers), ensuring that the require_message_authenticator attribute is present in all Access-Request packets is essential. This measure, in conjunction with upgrading other RADIUS servers, is vital to prevent the attack.
