New Blast-RADIUS Man-In-The-Middle Attack Bypasses Popular RADIUS Authentication

Threat actors carry out man-in-the-middle attacks to intercept, tamper, and manipulate communications between two parties unknown to them. 

Consequently, they can acquire private information like credit card details and login credentials or introduce threatening content that helps them infiltrate more servers and networks.

EHA

Recently, a new Blast-RADIUS man-in-the-middle attack was discovered that bypasses the popular RADIUS authentication.

Blast-RADIUS Man-In-The-Middle Attack

RADIUS (Remote Authentication Dial-In User Service) protocol is a frequently used standard for AAA (authentication, authorization, and accounting) in the field of company and telecommunication networks.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

A critical security flaw has been discovered in a protocol that is fundamental for governing users’ access to resources on other networked devices and measuring their utilization.

This flaw enables the middleman to forge valid accept messages for authentication request failures.

This affects all RADIUS implementations that use non-EAP authentication over UDP, as it may result in unauthorized access to network devices and services without compromising user credentials.

This encompasses any enterprise’s network infrastructure applications, VPNs, ISPs, cellular networks, and so on, which are part of critical infrastructure authentication.

Due to the inability of end-users to mitigate this risk themselves, system administrators should apply vendor patches immediately and follow recommended practices.

Blast-RADIUS attack overview (Source -BlastRadius.fail)

The attack involves an outdated cryptographic design of RADIUS, together with some new protocol vulnerabilities, as well as MD5 chosen prefix collision attacks.

Attackers can forge a valid access-accept response to a failed authentication request by injecting a malicious proxy-state attribute into a valid client’s request.

What this means is that one can now obtain unauthorized access to network devices and services without passwords or shared secrets.

This vulnerability arises from the reliance on ad hoc construction using fixed shared secrets and MD5 hashes for RADIUS, indicating the need to update this key network infrastructure protocol.

Network administrators and vendors should stick to the advice of Alan DeKok, from FreeRADIUS, in order to mitigate the vulnerability of RADIUS.

Firstly, for short-term purposes, Access-Accept or Access-Reject responses mandate ‘Message-Authenticator’ attributes at the very beginning.

The major RADIUS implementations have already taken care of this. In the long run, it is advisable that RADIUS operates within a modern cryptographic security-enabled channel where it is encrypted and authenticated.

The IETF is currently trying to normalize the Radius over (D)TLS to solve the outdated security measures that are associated with the protocol.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.