Network operators and UK ISPs warned of BlastRADIUS vulnerability

A critical new security vulnerability has been discovered in the popular network authentication protocol RADIUS, which is used by networks around the world to help users connect to their services (i.e. everything from broadband ISPs to VPNs, mobile carriers and more), and which could leave those networks exposed to Man-in-the-Middle (MitM) style attacks.

The vulnerability, named BlastRADIUS by InkBridge Networks (the company behind FreeRADIUS), appears difficult to exploit. However, its impact could still be significant if the network operators and administrators who use RADIUS do not patch their software and equipment against the new threat.

NOTE: RADIUS may not be as visible to end users as protocols like HTTP (Web), but it is a core protocol that almost everyone uses at some level to access the Internet.

The vulnerability is said to stem from a thirty-year-old design flaw in the RADIUS protocol (i.e. Access-Request packets that carry no Message-Authenticator attribute are neither authenticated nor integrity-checked, and the Response Authenticator that protects the server's reply is built on MD5, which is vulnerable to chosen-prefix collisions). Abusing this “allows an attacker to authenticate anyone on your local network”, which is obviously not good. Suffice to say, it has been assigned a Common Vulnerability Scoring System (CVSS) score of 9.0 out of 10, which is extremely high.

However, for such an attack to succeed, the attacker must be able to modify RADIUS packets in transit between the RADIUS client (the NAS) and the server. Even then, the attack is expensive: in InkBridge's words, “you need a significant amount of cloud computing power to succeed” (the catch being that well-resourced attackers may still find it viable, for example if the goal is to steal credit card data for financial gain).
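To make the design gap concrete, here is an added example (my own illustration, not code from InkBridge Networks, the FreeRADIUS project or this article) that builds a RADIUS Access-Request with and without the Message-Authenticator attribute (RFC 2869) and shows a server-side check that either accepts an unauthenticated request (the legacy behaviour) or refuses it (the new behaviour vendors are shipping). It uses only the Python standard library; the shared secret, user names and the fixed Request Authenticator are constructed test values. It deliberately does not implement the MD5 chosen-prefix collision the real attack needs to forge an Access-Accept; the point is only to show what an on-path attacker can alter undetected when the attribute is absent, and what the strict check closes off.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def parse_attrs(body):
    """Return (type, value_offset, value) for each TLV in the attribute section, rejecting bad lengths."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            raise ValueError("bad attribute length")
        out.append((t, i + 2, body[i + 2:i + l]))
        i += l
    return out


def build_access_request(secret, username, request_auth, ident=0x2A, with_message_authenticator=True):
    """Build an Access-Request; optionally append Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = encode_attr(ATTR_USER_NAME, username.encode())
    if not with_message_authenticator:
        return struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + request_auth + attrs
    value_pos = HEADER_LEN + len(attrs) + 2  # where the 16-byte value will sit in the finished packet
    attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:value_pos] + mac + pkt[value_pos + 16:]


def verify_access_request(secret, pkt, require_message_authenticator=True):
    """Decide whether a server should process pkt; require_message_authenticator=False mirrors the legacy behaviour."""
    if len(pkt) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return False
    try:
        attrs = parse_attrs(pkt[HEADER_LEN:])
    except ValueError:
        return False
    macs = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        # The design gap: without this attribute nothing in an Access-Request is keyed to the
        # shared secret, so any on-path change goes unnoticed. Legacy servers accept it anyway.
        return not require_message_authenticator
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return False
    off, val = macs[0]
    pos = HEADER_LEN + off
    zeroed = pkt[:pos] + bytes(16) + pkt[pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, val)


def demo():
    """Constructed scenario: an on-path attacker rewrites User-Name (same length) in both packet variants."""
    secret = b"testing123"            # constructed shared secret
    request_auth = bytes(range(16))   # fixed for determinism; a real NAS uses a fresh random value
    unprotected = build_access_request(secret, "alice", request_auth, with_message_authenticator=False)
    protected = build_access_request(secret, "alice", request_auth, with_message_authenticator=True)
    tampered_unprotected = unprotected.replace(b"alice", b"bobby", 1)
    tampered_protected = protected.replace(b"alice", b"bobby", 1)
    return {
        "legacy_accepts_tampered": verify_access_request(secret, tampered_unprotected, require_message_authenticator=False),
        "strict_rejects_unprotected": verify_access_request(secret, unprotected, require_message_authenticator=True),
        "protected_verifies": verify_access_request(secret, protected),
        "protected_tampered_rejected": verify_access_request(secret, tampered_protected),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

On a real deployment the equivalent switch is the per-client `require_message_authenticator = yes` setting in FreeRADIUS's `clients.conf`; other vendors expose the same behaviour under their own names, and it can only be turned on once every NAS sending to that server has been upgraded to include the attribute. Carrying RADIUS over TLS (RadSec) or using an EAP-based method removes the exposure independently of this check, which is why the statement below lists 802.1X and TLS as not vulnerable.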

FreeRADIUS statement

The attack is difficult because it is a man-in-the-middle attack, which means that the attacker must be able to see and modify the Access-Request packets. If an attacker can do this, then your network is already compromised.

Even better, the attack requires significant CPU resources, i.e. $1000 of CPU power per attacked packet, and the attack is not even guaranteed. There is also no public exploit available for “script kiddies” to run. It is extremely unlikely that anyone other than nation states would have the ability to launch an attack at this point.

However, if you use PAP / CHAP / MS-CHAP and RADIUS/UDP over the Internet, then your users are likely to be at risk for decades. There is little we can say about it.

To fully protect your systems from attack, you must update all RADIUS servers and all RADIUS clients. The attack relies on a design flaw in the protocol. The fix requires all RADIUS implementations to be updated to the new behavior. In many cases, you don’t need to panic and upgrade everything immediately. See below for more details.

Even given the limited nature of the attack, everyone should plan to install all firmware updates for every NAS device (including switches, routers, firewalls, VPN concentrators, etc.) that uses RADIUS. In the short term, it’s important to upgrade your RADIUS servers, determine if your network is still vulnerable, and then take steps to remediate those vulnerabilities.

Currently, the only exploit is a proof-of-concept developed by the researchers, and it has not been made public. Credit to Thinkbroadband for spotting this.

NOTE: Systems NOT considered vulnerable include 802.1X (EAP-based authentication), IPsec, TLS, eduroam, and OpenRoaming. Those considered vulnerable include PAP, CHAP, MS-CHAPv2, and other non-EAP authentication methods carried over plain RADIUS/UDP or RADIUS/TCP rather than RADIUS/TLS.
