Wednesday, April 2, 2025

RADIUS Protocol Vulnerability Exposes Networks to MitM Assaults

Researchers have identified a critical vulnerability in the RADIUS network authentication protocol that could allow attackers to launch Mallory-in-the-middle (MitM) attacks and bypass integrity checks under specific conditions.

“The RADIUS protocol allows some Access-Request messages to lack integrity and authentication checks,” said Alan DeKok, CEO of InkBridge Networks, who is also the creator of the protocol, according to a press release.

Because this lack of authentication lets attackers modify packets without being detected, an attacker could force any user to authenticate and then grant that user any authorization, including VLAN access.

RADIUS, short for Remote Authentication Dial-In User Service, provides centralized authentication, authorization, and accounting (AAA) management for users accessing a network.

The security of RADIUS relies on the encryption protocol used, which was considered insecure as of December 2008 due to the vulnerability of.

Access-Request packets can be subjected to a chosen-prefix attack, which lets an attacker modify the response packet so that it passes all of the integrity checks intended for that response.

For the attack to succeed, the attacker must be able to modify RADIUS packets in transit between the RADIUS client and server. This also means that organizations sending RADIUS packets over the internet are exposed to this vulnerability.

Implementing Transport Layer Security (TLS) for secure RADIUS transmissions over the internet, combined with enhanced packet protection via, significantly diminishes the potency of potential attacks.

The Blast Radius vulnerability is a fundamental design flaw affecting all standards-compliant RADIUS clients and servers, which makes it imperative for internet service providers (ISPs) and organizations that use the protocol to update promptly to the latest version.

“Notably, PAP, CHAP, and MS-CHAPv2 authentication protocols are among the most vulnerable,” he noted. “Internet Service Providers must enhance their Remote Authentication Dial-In User Service (RADIUS) servers and networking infrastructure to ensure seamless connectivity and optimal performance for customers.”

Deployments that use MAC address authentication, or RADIUS for administrator logins to switches, are susceptible. Using TLS or IPSec prevents the attack, and 802.1X with EAP is inherently immune.

To compromise an enterprise’s network, attackers would typically first need to gain access to the organization’s administrative virtual local area network (VLAN), thereby requiring existing privileges. If ISPs transmit RADIUS traffic through intermediate networks, such as third-party outsourcers or the wider internet, they may be exposed to potential vulnerabilities.

Notably, the vulnerability, which carries a CVSS rating of 9.0, has significant implications for networks that send RADIUS/UDP traffic over the internet, given that “most RADIUS traffic is transmitted in the clear.”

“The security vulnerability in the RADIUS protocol has been ignored for far too long,” DeKok said.

While the standards had included safeguards that could have prevented the attack, these measures were ultimately deemed unnecessary. In addition, many vendors did not implement the recommended safeguards.
