UPDATED 19:45 EDT / JULY 10 2024

BlastRADIUS vulnerability exposes legacy security flaws in widely used RADIUS Protocol

Cybersecurity researchers have discovered a critical security vulnerability in RADIUS, a widely used network authentication protocol dating back to the 1990s that’s still in widespread use today.

RADIUS, short for Remote Authentication Dial-In User Service, was released in 1991 before being designated a standard (RFC 2058) by the Internet Engineering Task Force in 1997. Initially developed to provide centralized authentication, authorization and accounting for users who connect to and use a network service, RADIUS has over the years been widely adopted in various other applications.

Today RADIUS is used in enterprise networks for authenticating access to switches and routers, virtual private network access, ISP services like DSL and FTTH, Wi-Fi authentication through 802.1X, and cellular network authentication for services like 2G, 3G, and 5G. That ubiquity is the problem.

The vulnerability, dubbed “BlastRADIUS” and tracked as CVE-2024-3596, can allow an attacker to conduct a man-in-the-middle attack, forging a valid accept message in response to an authentication request that the server actually rejected. The attack method allows unauthorized access to network devices and services without the attacker needing to guess or brute-force passwords or shared secrets, posing significant risks to enterprise and telecommunication networks.

The protocol’s vulnerability is a result of its age, with RADIUS relying on outdated cryptographic methods. BlastRADIUS combines protocol weaknesses with MD5 chosen-prefix collision attacks to inject malicious attributes and turn an authentication reject into an accept. The implications are severe, as it potentially allows unauthorized access to critical network infrastructure to be granted without exposing user credentials.

According to a site set up to provide details on the vulnerability, BlastRADIUS affects all RADIUS implementations using non-EAP authentication methods over UDP. This includes a wide range of applications, such as enterprise networks managing access to switches and routing infrastructure, internet providers, Wi-Fi networks, and cellular networks that rely on RADIUS for network name authentication.

Given the widespread use of RADIUS, the potential impact is extensive and needs immediate attention from network administrators and vendors.

To mitigate the immediate threat posed by BlastRADIUS, network administrators are being advised to apply the patches provided by vendors and to mandate the Message-Authenticator attribute in all RADIUS requests and responses. Longer term, administrators should plan to move RADIUS traffic onto encrypted and authenticated channels built on modern cryptographic standards.
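Added example (not from the article or any vendor's code): a simplified Python model of the Message-Authenticator check that the mitigation above mandates, with the packet layout and HMAC-MD5 rule taken from RFC 2865/2869, a constructed shared secret, and the Access-Reject/Accept code values as assumptions. The genuine Access-Reject verifies, while the same packet with its code flipped to Access-Accept fails, because the attribute is a keyed HMAC over the whole packet that an MD5 collision on the unkeyed Response Authenticator cannot reproduce.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
MESSAGE_AUTHENTICATOR = 80  # attribute type defined in RFC 2869 section 5.14

def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Build an Access-Accept/Reject carrying a valid Message-Authenticator."""
    # HMAC-MD5 covers the whole packet with the attribute value zeroed, and for a
    # response the Authenticator field holds the Request Authenticator it answers.
    body = attrs + encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = attrs + encode_attr(MESSAGE_AUTHENTICATOR, mac)
    # Response Authenticator (RFC 2865): unkeyed MD5 over packet plus secret
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_message_authenticator(packet, request_auth, secret):
    """Recompute the HMAC with the attribute zeroed; False if absent or wrong."""
    header, attrs = packet[:4], packet[20:]
    pos, found = 0, None
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            return False  # malformed attribute list
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            found = pos + 2
        pos += length
    if found is None:
        return False  # a missing attribute must be a rejection once it is mandated
    received = attrs[found:found + 16]
    zeroed = attrs[:found] + bytes(16) + attrs[found + 16:]
    expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)

def reject_to_accept_demo(secret=b"constructed-shared-secret"):
    """Genuine Access-Reject verifies; the same bytes with Code flipped to Accept fail."""
    request_auth = os.urandom(16)  # stands in for the client's Request Authenticator
    reject = build_response(ACCESS_REJECT, 7, request_auth, secret)
    tampered = bytes([ACCESS_ACCEPT]) + reject[1:]  # the code flip BlastRADIUS aims for
    return (verify_message_authenticator(reject, request_auth, secret),
            verify_message_authenticator(tampered, request_auth, secret))
```

Real servers and clients must also reject packets that lack the attribute entirely once it is required, since an attacker who can rewrite the packet can also strip it.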

The need to transition to modern standards is critical, Stephen Kowski, field chief security officer at cloud email security provider SlashNext Inc., told SiliconANGLE. He added that “while patching is important, the industry should consider developing more modern, secure authentication protocols.”

“In the meantime, organizations should implement additional layers of security, such as AI-powered behavioral analysis and zero-trust architectures,” Kowski said. “Modern networks require adaptive, intelligent security solutions that can detect and respond to threats in real-time across hybrid and multicloud environments.”

Callie Guenther, senior manager of cyber threat research at managed detection and response firm Critical Start Inc., noted that “for long-term solutions, there is a case for developing new protocols designed with modern security requirements in mind. These protocols should integrate advanced cryptographic techniques and be resilient against current and emerging threats.”

Image: SiliconANGLE/GPT-4o
