A critical security flaw discovered in the RADIUS protocol, nicknamed BlastRADIUS (CVE-2024-3596), makes a wide range of networking equipment susceptible to MitM attacks. Although complex to exploit, a successful attack could have serious consequences.

To mitigate BlastRADIUS, network devices like switches, routers, firewalls, VPN concentrators, access points, and DSL gateways need updates that add integrity and authentication checks. Network administrators must apply these updates and adjust configurations accordingly.

This vulnerability significantly threatens network access security for organizations using RADIUS, including businesses, universities, cloud providers, and ISPs. If exploited, attackers could gain unauthorized access to networks, impersonate legitimate users, and grant improper permissions.

How BlastRADIUS Works

BlastRADIUS allows attackers to manipulate specific RADIUS packets. The RADIUS protocol permits certain access request messages to bypass security checks. This enables attackers to modify these messages without being detected. By doing so, they could force any user to authenticate and grant them any access privileges.

Affected Systems

The RADIUS protocol is fundamental to most network access control systems globally. Due to BlastRADIUS, nearly all these systems are vulnerable. Network administrators must prioritize installing firmware upgrades on all devices involved in network security, user authentication, and access control. Internet service providers, enterprises, and many cloud identity providers are likely impacted.

Protecting Against BlastRADIUS

Some authentication methods in RADIUS are more at risk than others. Specifically, PAP, CHAP, and MS-CHAPv2 are the most vulnerable. Organizations, especially ISPs, should update RADIUS servers and network equipment. Additionally, anyone using MAC address authentication or RADIUS for switch administrator logins should prioritize updates.

Fortunately, there are ways to mitigate BlastRADIUS attacks. Using TLS or IPSec encryption helps protect against the vulnerability. Additionally, 802.1X (EAP) is not susceptible to BlastRADIUS attacks.

Risk Levels for Different Systems

• High Risk: PAP, CHAP, MS-CHAPv2, other non-EAP authentication methods
• Low Risk: 802.1X (EAP), IPSec, TLS, Eduroam, OpenRoaming

The team that discovered BlastRADIUS, including those who maintain FreeRADIUS and participate in IETF standards development, have provided guidance for vendors to update their equipment and secure against this attack. Future RADIUS standards will incorporate these recommendations to address BlastRADIUS and other security concerns.