BlastRADIUS bug puts most network devices at risk

BlastRADIUS bug puts most network devices at risk

A newly discovered flaw in the RADIUS network protocol has the industry realizing that a standard established in 1997 now needs updating. Researchers warn that well-funded state-backed attackers could exploit the flaw to bypass multi-factor authentication (MFA) and gain access to the network.

In a July 9 blog post , researchers at InkBridge Networks explained that RADIUS was designed in the 1990s to control network access through authentication, authorization, and accounting. The discovery of the flaw, called BlastRADIUS, is alarming because the RADIUS protocol supports every switch, router, access point, and VPN concentrator product sold in the last 25 years.

InkBridge researchers warned that all of these devices are vulnerable to attacks, with corporate networks, internet service providers, and telecoms being among the most vulnerable to attacks.

It was BlastRADIUS discovered by researchers at Boston University, Cloudflare, BastionZero, Microsoft Research, Centrum Wiskunde and Informatica, and the University of California, San Diego.

The problem behind the flaw is traced as follows: CVE-2024 3596 And VU#456537The problem is that Access-Request packets do not have any authentication or integrity checks. The researchers said that an attacker could perform a chosen-prefix attack, which would allow the attacker to modify the Access-Request to replace a valid response with the attacker’s chosen response. Even if the response is validated and integrity checked, the chosen-prefix vulnerability allows the attacker to modify the response packet almost at will.

“While some networking vendors have released updates or patches to address this vulnerability, most have not,” said Ashley Leonard, CEO of Syxsense. “Unfortunately, what we’re seeing with RADIUS is that, despite being decades old, it simply wasn’t designed with security in mind. This could be a sign that new, more secure protocols need to be developed, but that will take time and resources, as well as support from hundreds of vendors. If it happens, it won’t happen right away.”

Leonard said that for organizations using network equipment that relies on the RADIUS protocol, there are other measures security teams can take beyond a patch, such as:

  • Enable Message Authenticator: Many RADIUS implementations support this attribute (RFC 2869), which adds a cryptographic signature to RADIUS packets, making it much more difficult for an attacker to tamper with the authentication and authorization process.
  • Deploy protocol updates: Switch to using transport layer security (TLS) for traffic and extensible authentication protocol (EAP) for authentication.

Callie Guenther, senior director of threat research at Critical Start, said vendors could release patches in the short term to address specific vulnerabilities in the RADIUS protocol, adding integrity checks and authentication measures to Access-Request packets to reduce the risk of manipulation. Guenther also said that stronger encryption and the inclusion of MFA could make it harder for attackers to exploit the protocol.

“For long-term solutions, there is a case to develop new protocols designed with modern security requirements in mind,” Guenther wrote in an op-ed for SC Media. “These protocols should integrate advanced cryptographic techniques and be resilient to current and emerging threats. Alternatively, enhancing existing protocols by adding more robust security features, such as migrating to protocols like EAP-TLS, can provide more secure authentication mechanisms.”

Guenther added that industry-wide measures are also vital. For example, encouraging the phasing out of end-of-life devices that teams cannot update to meet current security standards can reduce the attack surface by removing vulnerable legacy systems from networks. Guenther also said that teams implementing regular security audits and updates ensures that all network devices are up to date with the latest security standards.