BlastRADIUS Attack Exposes Critical Flaw in 30-Year-Old RADIUS Protocol


Security vendor InkBridge Networks on Tuesday called urgent attention to the discovery of a thirty-year-old design flaw in the RADIUS protocol and warned that advanced attackers can launch exploits to authenticate anyone to a local network, bypassing any multi-factor authentication (MFA) protections.

The company published a technical description of what is being called the BlastRADIUS attack and warned that corporate networks such as internal enterprise networks, Internet Service Providers (ISPs), and telecommunications companies (telcos) are exposed to major risk.

The flaw was discovered by researchers at Boston University, Cloudflare, BastionZero, Microsoft Research, Centrum Wiskunde & Informatica and the University of California, San Diego.

“The root cause of the attack is that in the RADIUS protocol, some Access-Request packets are not authenticated and lack integrity checks. An attacker can modify these packets in a way which allows them to control who gets onto the network,” the research team explained.

The RADIUS protocol, first standardized in the late 1990s, is used to control network access via authentication, authorization, and accounting and is still used widely today in switches, routers, access points and VPN products.

“All of those devices are likely vulnerable to this attack,” the researchers warned.

“The key to the attack is that in many cases, Access-Request packets have no authentication or integrity checks. An attacker can then perform a chosen prefix attack, which allows modifying the Access-Request in order to replace a valid response with one chosen by the attacker. Even though the response is authenticated and integrity checked, the chosen prefix vulnerability allows the attacker to modify the response packet, almost at will,” according to the InkBridge Networks documentation.
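RADIUS defines a Message-Authenticator attribute (type 80, an HMAC-MD5 over the packet keyed with the shared secret) that gives an Access-Request the integrity check described above as often absent. The following is an added example, not code from InkBridge Networks or the researchers: a checker that classifies a request as valid, invalid, missing the attribute, or malformed. The function names, shared secret and packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1          # RADIUS packet code (RFC 2865)
MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869), 16-byte HMAC-MD5 value

def build_request(secret, ident, authenticator, attrs, sign):
    """Build a constructed Access-Request from (type, value) attribute pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if sign:  # placeholder Message-Authenticator goes first, value zeroed
        body = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + body
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    if sign:  # HMAC-MD5 over the whole packet, then written into bytes 22..37
        pkt = pkt[:22] + hmac.new(secret, pkt, hashlib.md5).digest() + pkt[38:]
    return pkt

def check_request(pkt, secret):
    """Classify an Access-Request: 'valid', 'invalid', 'missing' or 'malformed'."""
    if len(pkt) < 20:
        return "malformed"
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(pkt):
        return "malformed"
    pkt, pos, found = pkt[:length], 20, None
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            return "malformed"
        if pkt[pos] == MESSAGE_AUTHENTICATOR:
            if pkt[pos + 1] != 18 or found is not None:
                return "malformed"
            found = pos + 2
        pos += pkt[pos + 1]
    if found is None:
        return "missing"  # nothing in the packet is integrity-protected
    zeroed = pkt[:found] + bytes(16) + pkt[found + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "valid" if hmac.compare_digest(expected, pkt[found:found + 16]) else "invalid"

# Constructed sample input: secret, authenticator and attribute values are made up.
SECRET = b"constructed-shared-secret"
ATTRS = [(1, b"alice"), (4, bytes([192, 0, 2, 10]))]  # User-Name, NAS-IP-Address
SIGNED = build_request(SECRET, 7, bytes(range(16)), ATTRS, sign=True)
UNSIGNED = build_request(SECRET, 7, bytes(range(16)), ATTRS, sign=False)
TAMPERED = SIGNED[:40] + b"b" + SIGNED[41:]  # User-Name changed after signing

if __name__ == "__main__":
    for name, pkt in [("signed", SIGNED), ("unsigned", UNSIGNED), ("tampered", TAMPERED)]:
        print(name, check_request(pkt, SECRET))
```

A server that treats the "missing" result as a reject, rather than accepting the packet as-is, never processes an Access-Request whose contents it cannot verify.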

The company described the issue as “a fundamental design flaw of the RADIUS protocol” and noted that all standards-compliant RADIUS clients and servers are likely vulnerable to this attack, even if they correctly implement all aspects of the RADIUS protocol.


“Since all security of the RADIUS protocol for UDP and TCP transports is based on the shared secret, this attack is perhaps the most serious attack possible on the RADIUS protocol,” the company declared.

At an absolute minimum, InkBridge Networks says every RADIUS server worldwide must be upgraded to address this vulnerability. “It is not sufficient to upgrade only RADIUS clients, as doing so will allow the network to remain vulnerable.”

The company said a private proof-of-concept exploit has been created by its researchers, but there is no indication that this vulnerability is being actively exploited in the wild.

Even if someone managed to recreate the exploit, the researchers note that a successful attack will be costly. “It can take a significant amount of cloud computing power to succeed in performing the attack. This cost is also per packet being exploited, and cannot be automatically applied to many packets. If an attacker wants to perform 100 attacks, he has to use 100 times of computing power.”

However, the company notes that these costs are a “drop in the bucket for nation-states” looking to target specific users.
