Overview

Blast-RADIUS is a critical vulnerability affecting the RADIUS protocol, which is commonly used by businesses and organisations in enterprise networks and by Internet Service Providers (ISPs). RADIUS manages user access to internal resources, secure Wi-Fi networks, VPNs, and various internet services.

This vulnerability enables a man-in-the-middle attacker to forge a valid Access-Accept message in response to a failed authentication attempt, allowing unauthorised access to network devices and services without needing to guess or brute-force passwords or shared secrets.

Detail

RADIUS is employed in various applications, including enterprise network access, VPNs, ISP services (DSL and FTTH), 802.1X and Wi-Fi authentication, cellular roaming, mobile Wi-Fi offload, private APN authentication, critical infrastructure access, and in Eduroam and OpenRoaming Wi-Fi consortia.

The Blast-RADIUS attack targets all RADIUS implementations using non-EAP authentication methods over UDP. By intercepting the communication between the RADIUS client and server, an attacker can exploit the protocol's outdated cryptographic measures, which rely on the MD5 hash function and a fixed shared secret for server response authentication.

The attack combines a newly identified protocol vulnerability with an MD5 chosen-prefix collision attack, together with improvements to the speed and space efficiency of that collision attack. The attacker injects a malicious attribute into a request, causing a collision in the authentication information. This transforms a reject message into an accept message and allows arbitrary protocol attributes to be added, thereby granting unauthorised access to network services and infrastructure without revealing user credentials.

Recommended Action

Immediate Actions:

    • Contact your RADIUS implementation vendors for patches addressing this vulnerability;
    • Implement the best practices for RADIUS configuration, such as using secure communication channels and strong shared secrets;
    • Ensure that clients and servers always send and require Message-Authenticator attributes for all requests and responses. Include the Message-Authenticator as the first attribute in Access-Accept or Access-Reject responses.
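The following Python script is an added example written for this page; it is not code from the CSC or from the Blast-RADIUS researchers. It illustrates both the Detail section (the server's legacy Response Authenticator is an MD5 hash over the response and a fixed shared secret) and the third recommendation above: a hardened client should require a Message-Authenticator (HMAC-MD5 keyed by the shared secret, RFC 2869 section 5.14) and expect it as the first attribute of an Access-Accept or Access-Reject. The shared secret, Request Authenticator and attribute values are constructed sample data; the function names are this example's own.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types used below (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_PROXY_STATE = 33
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse RADIUS TLVs back into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_response(code, ident, request_auth, attrs, secret,
                   include_mac=True, mac_first=True):
    """Build an Access-Accept/Reject. With include_mac the packet carries a
    Message-Authenticator (first attribute when mac_first); the legacy Response
    Authenticator MD5(Code+ID+Length+RequestAuth+Attributes+Secret) is always set."""
    attrs = list(attrs)
    if include_mac:
        placeholder = (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
        attrs = [placeholder] + attrs if mac_first else attrs + [placeholder]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if include_mac:
        # HMAC-MD5 over Code, ID, Length, Request Authenticator and attributes,
        # computed with the Message-Authenticator value zeroed (RFC 2869 s5.14).
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        attrs[0 if mac_first else -1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
        body = encode_attrs(attrs)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret, require_first=True):
    """Validate a response as a hardened client should. Returns (ok, reason).
    The MD5 Response Authenticator alone is not enough (that is what Blast-RADIUS
    defeats); a correct Message-Authenticator is mandatory, and by default must be
    the first attribute, as the advisory recommends."""
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length mismatch"
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "bad Response Authenticator"
    attrs = decode_attrs(body)
    positions = [i for i, (t, _) in enumerate(attrs) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not positions:
        return False, "Message-Authenticator missing"
    if require_first and positions[0] != 0:
        return False, "Message-Authenticator not first"
    idx = positions[0]
    received = attrs[idx][1]
    if len(received) != 16:
        return False, "bad Message-Authenticator length"
    zeroed = list(attrs)
    zeroed[idx] = (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, header + request_auth + encode_attrs(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(mac, received):
        return False, "bad Message-Authenticator"
    return True, "ok"


def demo():
    """Constructed sample data: show which responses a hardened client accepts."""
    secret = b"constructed-shared-secret"      # constructed, not a real secret
    request_auth = bytes(range(16))            # constructed Request Authenticator
    attrs = [(ATTR_PROXY_STATE, b"relay-state")]
    good = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    legacy = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret, include_mac=False)
    late = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret, mac_first=False)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    return {
        "good": verify_response(good, request_auth, secret),
        "legacy_md5_only": verify_response(legacy, request_auth, secret),
        "mac_not_first": verify_response(late, request_auth, secret),
        "tampered": verify_response(tampered, request_auth, secret),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} -> {result}")
```

The `legacy_md5_only` case is the one that matters: it carries a perfectly valid Response Authenticator, so a client that checks only the MD5 hash would accept it, while `verify_response` rejects it because the Message-Authenticator is absent. Real deployments should rely on their RADIUS vendor's patched implementation rather than hand-rolled packet handling; the script only makes the recommended checks concrete.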

End-users should rely on network administrators to apply these protective measures, as there are no direct actions they can take to mitigate this vulnerability.

If you are unsure whether RADIUS is used in your organisation, we would recommend that you speak with your I.T. Team or I.T. Provider.

If you have any concerns, or have been affected by a cyber-related issue, report it to the CSC by submitting a Cyber Concerns Online Reporting Form at https://csc.gov.im.

Topics

  • Advisory
  • Vulnerability
  • Exploit