Cybersecurity researchers have discovered a security vulnerability in the RADIUS network authentication protocol, called BlastRADIUS, which can be used by an attacker to perform Mallory-in-the-Middle (MITM) attacks and bypass integrity checks in some cases.
“The RADIUS protocol does not allow some access-request messages to perform any integrity or authentication checks,” InkBridge Networks CEO Alan DeKok, author of the FreeRADIUS Project, said in an overview.
“As a result, an attacker could modify these packets without detection. The attacker would be able to force any user to authenticate, and would be able to grant that user any authorization (VLAN, etc.).”
RADIUS, short for Remote Authentication Dial-In User Service, is a client/server protocol that provides centralized authentication, authorization, and accounting (AAA) management for users connecting to and using a network service.

The security of RADIUS relies on a hash derived using the MD5 algorithm, which has been considered cryptographically broken as of December 2008 due to the risk of collision attacks.
This means that Access-Request packets can be subjected to a chosen-prefix attack that makes it possible to modify the response packet so that it passes all the integrity checks for the original response.
However, for the attack to succeed, the adversary has to be able to modify RADIUS packets in transit between the client and the server. This also means that organizations that send packets over the Internet are at risk from the flaw.

Other mitigating factors that blunt the attack are the use of TLS to transmit RADIUS traffic over the Internet and increased packet security through the Message-Authenticator attribute.
BlastRADIUS is the result of a fundamental design flaw and is said to affect all standards-compliant RADIUS clients and servers, making it critical that internet service providers (ISPs) and organizations that use the protocol update to the latest version.
“Specifically, PAP, CHAP, and MS-CHAPv2 authentication methods are the most vulnerable,” DeKok said. “ISPs must upgrade their RADIUS servers and networking equipment.”
“Anyone using MAC address authentication or RADIUS for administrator login to a switch is vulnerable. Using TLS or IPSec prevents the attack, and 802.1X (EAP) is not vulnerable.”
For enterprises, the attacker would already need access to the management virtual local area network (VLAN). Additionally, ISPs may also be at risk if they send RADIUS traffic over intermediate networks, such as third-party outsourcers, or the wider Internet.
It is worth noting that the vulnerability, which is tracked as CVE-2024-3596 and carries a CVSS rating of 9.0, specifically affects networks that send RADIUS/UDP traffic over the Internet, because “most RADIUS traffic is sent in the clear.” There is no evidence that it is being exploited in the wild.

“This attack is the result of the security of the RADIUS protocol being ignored for too long,” DeKok said.
“Although standards have long suggested protections that could have prevented the attack, those protections were not mandated. Additionally, many vendors did not even implement the suggested protections.”
The CERT Coordination Center (CERT/CC), in a coordinated advisory, described the vulnerability as enabling a threat actor with access to a network where RADIUS Access-Request packets are sent to carry out forgery attacks.
“A vulnerability in the RADIUS protocol allows an attacker to forge authentication responses in cases where the message-authenticator attribute is not required or implemented,” CERT/CC said. “This vulnerability results in a cryptographically insecure integrity check when validating authentication responses from RADIUS servers.”

Internet infrastructure and security company Cloudflare has published additional technical details of CVE-2024-3596, stating that RADIUS/UDP is vulnerable to an improved MD5 collision attack.
It said, “This attack allows monster-in-the-middle (MITM) actors with access to RADIUS traffic to gain unauthorized administrative access to devices that use RADIUS for authentication, without the use of brute force or the need to steal passwords or shared secrets.”