BlastRADIUS Attack Exposes Critical Flaw In 30-Year-Old RADIUS Protocol

wiredmikey shares a report from SecurityWeek: Security vendor InkBridge Networks on Tuesday called urgent attention to the discovery of a thirty-year-old design flaw in the RADIUS protocol and warned that advanced attackers can launch exploits to authenticate anyone to a local network, bypassing any multi-factor-authentication (MFA) protections. The company published a technical description of what is being called the BlastRADIUS attack and warned that corporate networks such as internal enterprise networks, ISPs, and telcos are exposed to major risk. The vulnerability is being tracked as CVE-2024-3596 and VU#456537. 'The root cause of the attack is that in the RADIUS protocol, some Access-Request packets are not authenticated and lack integrity checks. An attacker can modify these packets in a way which allows them to control who gets onto the network,' the research team explained (PDF).

The RADIUS protocol, first standardized in the late 1990s, is used to control network access via authentication, authorization, and accounting and is still used widely today in switches, routers, access points and VPN products. 'All of those devices are likely vulnerable to this attack,' the researchers warned. 'The key to the attack is that in many cases, Access-Request packets have no authentication or integrity checks. An attacker can then perform a chosen prefix attack, which allows modifying the Access-Request in order to replace a valid response with one chosen by the attacker. Even though the response is authenticated and integrity checked, the chosen prefix vulnerability allows the attacker to modify the response packet, almost at will,' according to the InkBridge Networks documentation. The researchers say that every single RADIUS server must be upgraded in order to protect against this vulnerability. 'It is not sufficient to upgrade only RADIUS clients, as doing so will allow the network to remain vulnerable.'

Read more of this story at Slashdot.