A new vulnerability, the Blast-RADIUS attack, has been disclosed against the Remote Authentication Dial-In User Service (RADIUS) protocol, a core component of network authentication. An attacker who can sit between a RADIUS client and its server may use it to gain access to enterprise networks, telecommunications services, industrial control systems, and ISP infrastructure.
Blast RADIUS: A new attack exposes vulnerabilities in RADIUS protocol
RADIUS is the de facto industry standard for lightweight network authentication, authorization and accounting. Initially developed for dial-in Internet access in the early 1990s, it is supported by almost every network device, including VPN concentrators, switches, routers, and access points.
There are several uses for RADIUS, such as:
- VPN Access
- DSL and Fiber to the Home connections offered by ISPs
- Wi-Fi and 802.1X authentication
- 2G and 3G cellular roaming
- 5G Data Network Name authentication
- Mobile data offloading
- Authentication over private APNs for connecting mobile devices to enterprise networks
- Authentication to critical infrastructure management devices
- eduroam and OpenRoaming Wi-Fi
RADIUS handles user verification and authorization by mediating the exchange between clients (the network access servers users connect to, such as switches, routers and VPN gateways) and a central RADIUS server: the client forwards the user's credentials in an Access-Request, and the server answers with Access-Accept, Access-Reject or Access-Challenge. Despite the progress in cryptography since the Internet Engineering Task Force (IETF) first standardized it in 1997 (RFC 2058, updated as RFC 2865 in 2000), RADIUS's approach to security has remained largely unchanged.
MD5’s Legacy and Vulnerabilities
Since its inception in 1994, RADIUS has relied on the MD5 hash function to authenticate packets. A hash function maps an input of arbitrary length to a fixed-length output (128 bits for MD5). A cryptographic hash function is supposed to make it computationally infeasible to find two distinct inputs that produce the same output, known as a collision. However, already by the mid-1990s, weaknesses in MD5's design were becoming apparent.
These concerns were confirmed in 2004, when Xiaoyun Wang and Hongbo Yu demonstrated practical collisions for MD5. In 2007, Marc Stevens, Arjen Lenstra, and Benne de Weger extended this to chosen-prefix collisions: given two different prefixes of the attacker's choosing, the attacker can compute suffixes such that the two resulting messages hash to the same value. This is what makes targeted forgeries possible, since each of the colliding messages can carry meaningful, attacker-chosen content.
The technique was exploited in 2008 when researchers used a chosen-prefix collision, computed with the HashClash software, to obtain a rogue certificate authority certificate trusted by all major browsers. Even after the Flame malware in 2012 used a similar collision to forge a Microsoft code-signing certificate and hijack the Windows Update mechanism, and after MD5 was formally deprecated for such uses, it remained in use in various systems, including RADIUS.
The Blast RADIUS Attack
Because RADIUS relies on MD5, an attacker who can read and modify traffic between a RADIUS client and server (a man-in-the-middle position) can use Blast-RADIUS (CVE-2024-3596) to turn a failed login into a successful one and obtain access, including administrator access, to devices that authenticate through RADIUS. The attack applies to RADIUS over UDP with non-EAP authentication methods such as PAP, CHAP and MS-CHAP; EAP-based authentication (which covers most 802.1X Wi-Fi deployments) already requires the Message-Authenticator attribute and is not affected. The paper "RADIUS/UDP Considered Harmful" describes the attack in depth and points out that RADIUS has received no meaningful security fixes since the flaws in MD5 were first discovered.
More than ninety vendors issued coordinated security bulletins, many with patches and workarounds. An optimized version of HashClash drastically reduces the time needed for a chosen-prefix collision: earlier attacks required thousands of core-days, while the optimized version needs about thirty-nine core-hours. The researchers completed the collision in roughly five minutes on a cluster of older CPUs and GPUs. Modern hardware or rented cloud capacity could shorten this further and bring it within the thirty-to-sixty-second timeouts typical of RADIUS clients.
Execution of the Attack
To carry out the attack against a RADIUS client and server, the attacker, positioned between them, follows these steps:
- First, the attacker initiates an authentication request through the RADIUS client (for example, a login on a switch or VPN gateway) with an arbitrary incorrect password.
- The attacker intercepts the resulting Access-Request, predicts the Access-Reject the server will send, and computes an MD5 chosen-prefix collision between that predicted Access-Reject and a forged Access-Accept. The collision blocks for the Reject are appended to the Access-Request inside a Proxy-State attribute, which the server copies unmodified into its reply; the forged Accept carries its own colliding blocks. The Response Authenticator is MD5 over the packet followed by the shared secret, so a collision on the part before the secret survives the secret being appended.
- When the server's Access-Reject arrives, the attacker replaces it with the forged Access-Accept, reusing the Response Authenticator the server computed. Because the two packets collide, the client's MD5 check passes and it grants access.
The attacker thus obtains whatever access the client grants on Access-Accept, including administrative rights, without ever learning the shared secret.
Mitigation of the Blast-RADIUS attack
The issue can be mitigated by running RADIUS over TLS (RFC 6614) or DTLS (RFC 7360), which protect the confidentiality and integrity of packets on the wire. The IETF is working on updating the RADIUS specifications to deprecate RADIUS/UDP, but this will take time. In the meantime, clients and servers should send and require the Message-Authenticator attribute (HMAC-MD5, RFC 2869) in every Access-Request and in every Access-Accept, Access-Reject and Access-Challenge, with the server placing it first in its responses; the HMAC is keyed with the shared secret, so an MD5 collision on the packet bytes no longer helps the attacker. Enforcing this can break older clients that never send the attribute, so it is often rolled out per client (FreeRADIUS 3.2.5 and later, for example, expose this as the require_message_authenticator and limit_proxy_state settings).
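To make the attack steps above and the mitigation concrete, the following Python is an added example (not code from the Blast-RADIUS paper or any vendor): it builds constructed RADIUS packets, computes the RFC 2865 Response Authenticator to show that the shared secret is only a suffix of the MD5 input, echoes Proxy-State as a server would, and verifies the RFC 2869 Message-Authenticator on the client side. The shared secret, user name and Proxy-State contents are made up, and no collision is computed; a naive Reject-to-Accept code flip stands in for the forged packet.

```python
"""RFC 2865 Response Authenticator and RFC 2869 Message-Authenticator on
constructed RADIUS packets. Added example, not code from the Blast-RADIUS
paper or any vendor; the secret, user name and Proxy-State bytes are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_PROXY_STATE, ATTR_MESSAGE_AUTHENTICATOR = 1, 33, 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)

def encode_attrs(attrs):
    """Encode [(type, value), ...] as RADIUS Type/Length/Value triples."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        t, ln = struct.unpack("!BB", blob[i:i + 2])
        if ln < 2 or i + ln > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + ln]))
        i += ln
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body

def authenticator_input(code, ident, request_auth, attrs):
    """Everything MD5 sees before the secret: Code|ID|Length|RequestAuth|Attributes.
    All of it is visible to an on-path attacker. Blast-RADIUS finds a Reject prefix
    and an Accept prefix that already collide here (padded to a block boundary), so
    appending the secret to both still yields the same digest (MD5 is Merkle-Damgard)."""
    return build_packet(code, ident, request_auth, attrs)

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    return hashlib.md5(authenticator_input(code, ident, request_auth, attrs) + secret).digest()

def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 section 5.14: HMAC-MD5(secret, packet) with the Message-Authenticator
    value zeroed and the Request Authenticator in the Authenticator field."""
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()

def server_reply(request, secret, accept, sign=True):
    """Build the reply. Proxy-State is echoed unmodified (RFC 2865 section 5.33),
    which is how the attacker gets chosen bytes into the response. sign=False
    models a server that omits Message-Authenticator."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    attrs = [a for a in decode_attrs(request[20:length]) if a[0] == ATTR_PROXY_STATE]
    if sign:  # Message-Authenticator first, as the Blast-RADIUS mitigations require
        attrs.insert(0, (ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
        attrs[0] = (ATTR_MESSAGE_AUTHENTICATOR,
                    message_authenticator(code, ident, request_auth, attrs, secret))
    return build_packet(code, ident,
                        response_authenticator(code, ident, request_auth, attrs, secret), attrs)

def verify_reply(reply, request_auth, secret):
    """Client checks: (response_authenticator_ok, message_authenticator_ok). The
    second is False if the attribute is absent, which a client that requires
    Message-Authenticator must treat as a failed authentication."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = decode_attrs(reply[20:length])
    ra_ok = hmac.compare_digest(
        reply[4:20], response_authenticator(code, ident, request_auth, attrs, secret))
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return ra_ok, False
    return ra_ok, hmac.compare_digest(
        macs[0], message_authenticator(code, ident, request_auth, attrs, secret))

def demo(secret=b"constructed-shared-secret"):
    """Genuine Reject passes both checks; a Reject-to-Accept code flip without a
    collision fails both; a reply without Message-Authenticator fails that check."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, b"attacker"), (ATTR_PROXY_STATE, bytes(32))]
    request = build_packet(ACCESS_REQUEST, 7, request_auth, attrs)
    reject = server_reply(request, secret, accept=False)
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]
    unsigned = server_reply(request, secret, accept=False, sign=False)
    return (verify_reply(reject, request_auth, secret),
            verify_reply(forged, request_auth, secret),
            verify_reply(unsigned, request_auth, secret))

if __name__ == "__main__":
    print(demo())  # ((True, True), (False, False), (True, False))
```

Run directly, it prints three result pairs: the genuine Reject passes both checks, the code-flipped Accept fails both, and the reply without Message-Authenticator passes the MD5 check but fails the HMAC check. With a real chosen-prefix collision the first pair for the forged Accept would read (True, False): the unkeyed MD5 check is fooled, but HMAC-MD5 keyed with the secret is not affected by a collision on the packet bytes, which is exactly why clients must reject replies whose Message-Authenticator is missing or wrong.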
The only long-term solution is to move to protocols that do not depend on MD5, such as RADIUS/TLS. Organizations that are unsure of their exposure, or that need help rolling out these measures, should seek expert guidance. We can provide detailed solutions and support to keep your network secure against evolving threats.