A newly discovered flaw in the RADIUS networking protocol has the industry recognizing that a standard set in 1997 is now in need of an upgrade — even while researchers warn that well-funded state-sponsored attackers can exploit the flaw to bypass multi-factor authentication (MFA) and gain network access.
In a July 9 blog post, researchers at InkBridge Networks explained that RADIUS was designed in the 1990s to control network access via authentication, authorization and accounting. The discovery of the flaw — called BlastRADIUS — has been cause for concern because the RADIUS protocol supports essentially every switch, router, access point and VPN concentrator product sold in the past 25 years.
InkBridge researchers warned that all of those devices are likely vulnerable to attack and enterprise networks, internet service providers and telcoms are among the most vulnerable to attack.
BlastRADIUS was discovered by researchers at Boston University, Cloudflare, BastionZero, Microsoft Research, Centrum Wiskunde and Informatica and the University of California, San Diego.
The issue behind the flaw, which is being tracked as CVE-2024 3596 and VU#456537, is that Access-Request packets have no authentication or integrity checks. The researchers said an attacker can perform a chosen prefix attack, which lets an attacker modify the Access-Request to replace a valid response with one chosen by the attacker. Even though the response is authenticated and integrity checked, the chosen prefix vulnerability lets the attacker modify the response packet — almost at will.
“While some networking equipment vendors have released updates or patches to address the vulnerability, many haven’t,” said Ashley Leonard, chief executive officer at Syxsense. “Unfortunately, what we’re seeing with RADIUS is that it simply wasn’t designed with security in mind, given that it’s decades old now. This may be a sign that new, securer protocols need to be developed, but that takes time and resources, along with buy-in from hundreds of vendors. It won’t happen quickly, if it happens at all.”
For organizations using networking equipment that relies on the RADIUS protocol, Leonard said there are other mitigations security teams can take beyond a patch, for example:
- Enable Message-Authenticator: Many RADIUS implementations support this attribute (RFC 2869), which adds a cryptographic signature to RADIUS packets, thus making it much more difficult for an attacker to tamper with the authentication and authorization process.
- Deploy protocol updates: Switch to using transport-layer security (TLS) for traffic and extensible authentication protocol (EAP) for authentication.
Callie Guenther, senior manager of threat research at Critical Start, said vendors in the short-term can release patches to address specific vulnerabilities within the RADIUS protocol, adding integrity checks and authentication measures to Access-Request packets to mitigate the risk of manipulation. Additionally, Guenther said incorporating stronger encryption and MFA can make it more difficult for attackers to exploit the protocol.
“For long-term solutions, there’s a case for developing new protocols designed with modern security requirements in mind,” said Guenther, who authors a column for SC Media. “These protocols should integrate advanced cryptographic techniques and be resilient against current and emerging threats. Alternatively, enhancing existing protocols by incorporating more robust security features, such as transitioning to protocols like EAP-TLS, can provide more secure authentication mechanisms.”
Guenther added that industrywide measures are also crucial. For example, encouraging the phasing out of end-of-life devices that teams cannot update to meet current security standards can reduce the attack surface by eliminating vulnerable legacy systems from networks. Guenther also said having teams implement regular security audits and updates ensures that all network devices adhere to the latest security standards.
