
Popular RADIUS authentication broken in new attack


Researchers have discovered a new vulnerability in the widely used RADIUS/UDP protocol, allowing threat actors to breach networks and devices using man-in-the-middle MD5 collision attacks. The vulnerability, dubbed CVE-2024-3596, allows access to RADIUS traffic that can then be used to manipulate server responses, eventually escalating privileges for an attacker.

RADIUS, or the Remote Authentication Dial-In User Service protocol, is used for authenticating clients in DSL, FTTH, 802.1X (WiFi), 2G and 3G cellular, 5G DNN, private APN and VPN, and other infrastructure networks. Most networking devices, including switches, routers, and other routing devices, use the protocol for authenticating clients, which can sometimes number as many as tens of thousands.

The attack, called Blast-RADIUS, allows a man-in-the-middle attack between the RADIUS client and server. The attacker can intercept RADIUS traffic and then forge a valid protocol accept message in response to a failed authentication request. “This forgery could give the attacker access to network devices and services without the attacker guessing or brute forcing passwords or shared secrets,” explain the researchers, adding that the attacker doesn’t learn user credentials.

The proof-of-concept attack by the researchers computes an MD5 chosen-prefix hash collision that’s needed to forge a valid “Access-Accept” response to signify a successful authentication request. The forged hash is then injected into the network using a man-in-the-middle attack. Once exploited, the attacker can escalate privileges from partial network access, allowing them to log into any device using RADIUS for authentication. Attackers can also assign themselves arbitrary network privileges.

End users connected to a network can do nothing to protect themselves. However, system admins operating networks using RADIUS are advised to check with their respective hardware vendors for patches to fix the CVE-2024-3596 vulnerability. The researchers have also laid out some mitigation measures on the website explaining the attack and pointing towards guidance given in a white paper authored by Alan DeKok of FreeRADIUS.
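
The check that the published mitigation guidance asks RADIUS clients to enforce can be sketched as follows: a response is accepted only if it carries a valid Message-Authenticator attribute (HMAC-MD5, RFC 2869/3579) in addition to the MD5-based Response Authenticator (RFC 2865) that the collision attack targets. This is an added example, not code from the article, the researchers or FreeRADIUS; the function names, shared secret and packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869 / RFC 3579)

def build_response(code, ident, request_auth, other_attrs, secret, with_ma=True):
    """Build a constructed RADIUS response for the demo (server side)."""
    attrs = other_attrs
    if with_ma:
        # Message-Authenticator goes first, value zeroed while the HMAC is computed.
        attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + other_attrs
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if with_ma:
        mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac + attrs[18:]
    # Response Authenticator: plain MD5 with the secret appended (RFC 2865).
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def check_response(packet, request_auth, secret):
    """Client-side check: return 'ok' or the reason the response must be dropped."""
    if len(packet) < 20:
        return "too short"
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return "bad length"
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return "bad Response Authenticator"
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return "malformed attribute"
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return "malformed attribute"
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            ok = hmac.compare_digest(attrs[pos + 2:pos + 18], mac)
            return "ok" if ok else "bad Message-Authenticator"
        pos += alen
    # A valid Response Authenticator alone is not enough to accept the packet.
    return "missing Message-Authenticator"

# Constructed sample values, not captured traffic.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
REPLY_MESSAGE = bytes([18, 9]) + b"welcome"  # Reply-Message attribute (type 18)
```

A response built with `with_ma=False` still passes the Response Authenticator comparison, which is why the client has to treat the missing attribute as a reason to drop the packet.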


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
