BlastRADIUS bug puts most network devices at risk

A recently discovered flaw in the RADIUS network protocol has the industry waking up to the fact that the standard established in 1997 is now in need of an update — even as researchers warn that well-funded state-sponsored attackers could exploit the flaw to bypass multi-factor authentication (MFA) and gain access to networks.

In a July 9 blog post, researchers from InkBridge Networks explained that RADIUS was designed in the 1990s to control network access through authentication, authorization, and accounting. The discovery of the vulnerability — called BlastRADIUS — is cause for concern because the RADIUS protocol supports essentially every switch, router, access point, and VPN concentrator sold in the past 25 years.

Researchers at InkBridge warn that all of these devices are vulnerable to attack, with corporate networks, internet service providers and telecommunications companies most at risk.

BlastRADIUS was discovered by researchers from Boston University, Cloudflare, BastionZero, Microsoft Research, Centrum Wiskunde & Informatica, and the University of California, San Diego.

The problem behind the flaw, which is tracked as CVE-2024-3596 and VU#456537, is that Access-Request packets lack authentication and integrity checks. Researchers said an attacker can perform a chosen-prefix attack, which allows the attacker to modify the Access-Request so that the correct response is replaced with a response of the attacker's choosing. Although the response is authenticated and integrity-checked, the chosen-prefix flaw allows the attacker to modify the response packet — almost at will.

“While some network equipment vendors have released updates or patches to address this vulnerability, many have not,” said Ashley Leonard, CEO of Syxsense. “Unfortunately, what we’re seeing with RADIUS is that it simply wasn’t designed with security in mind, given that it’s decades old. This could be a sign that new, more secure protocols need to be developed, but that will take time and resources, as well as acceptance by hundreds of vendors. It won’t happen anytime soon, if it happens at all.”

For organizations using RADIUS-based networking equipment, Leonard said there are other mitigations security teams can take beyond patching, such as:

  • Enable Message-Authenticator: Many RADIUS implementations support this attribute (RFC 2869), which adds a cryptographic signature to RADIUS packets, making it much more difficult for an attacker to interfere with the authentication and authorization process.
  • Deploy protocol updates: Switch to using Transport-Layer Security (TLS) for traffic and Extensible Authentication Protocol (EAP) for authentication.
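The two points above (the Access-Request carrying no integrity check, and Message-Authenticator closing that gap) are easier to see in code. The following is an added example, not code from InkBridge, the researchers, or any RADIUS vendor. It builds a minimal RADIUS Access-Request, signs it with a Message-Authenticator attribute exactly as RFC 2869 specifies (HMAC-MD5 over the packet with the attribute's value zeroed, keyed by the shared secret), and shows what a server-side check can and cannot detect: a signed packet whose User-Name was altered in transit fails verification, while an unsigned packet gives the server nothing to verify at all. The shared secret, the Request Authenticator bytes and the attribute values are constructed sample data; the Response Authenticator helper follows RFC 2865 and is included only to show why the response, unlike the request, is integrity-checked.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types used here (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value(n)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(body):
    """Yield (type, offset, value) for each attribute; reject malformed lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, i, body[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(secret, ident, request_auth, attrs, sign):
    """Build an Access-Request; with sign=True append a valid Message-Authenticator."""
    attr_bytes = b"".join(encode_attr(t, v) for t, v in attrs)
    if sign:
        # RFC 2869: the attribute is present but zeroed while the HMAC is computed
        attr_bytes += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attr_bytes))
    pkt += request_auth + attr_bytes
    if sign:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac  # the attribute is last; patch in the real MAC
    return pkt


def verify_message_authenticator(secret, pkt):
    """True only if pkt carries exactly one Message-Authenticator and it verifies.
    An Access-Request without the attribute returns False: the server has no
    integrity check to apply, which is the gap BlastRADIUS exploits."""
    if len(pkt) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    try:
        attrs = parse_attrs(pkt[HEADER_LEN:])
    except ValueError:
        return False
    macs = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return False
    off, received = macs[0]
    start = HEADER_LEN + off + 2  # skip Type and Length of the attribute
    zeroed = pkt[:start] + bytes(16) + pkt[start + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def response_authenticator(secret, code, ident, request_auth, attr_bytes):
    """RFC 2865 Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    This is why a reply is bound to the request; the request itself has no such field."""
    length = HEADER_LEN + len(attr_bytes)
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attr_bytes + secret).digest()


def demo():
    """Constructed sample exchange: returns the outcome of each server-side check."""
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))  # constructed; a real NAS uses 16 random bytes
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
    signed = build_access_request(secret, 7, request_auth, attrs, sign=True)
    unsigned = build_access_request(secret, 7, request_auth, attrs, sign=False)
    tampered = bytearray(signed)
    tampered[HEADER_LEN + 2] ^= 0x01  # flip one byte of the User-Name value in transit
    return {
        "signed_ok": verify_message_authenticator(secret, signed),
        "tampered_detected": not verify_message_authenticator(secret, bytes(tampered)),
        "unsigned_verifiable": verify_message_authenticator(secret, unsigned),
    }


if __name__ == "__main__":
    print(demo())
```

The third result is the one to act on: an unsigned Access-Request is not "invalid", it is simply unverifiable, so a server that merely supports Message-Authenticator still accepts it. The mitigation in the bullet above only helps once the server is configured to require the attribute on every Access-Request from every client, and clients (NAS devices) are updated to send it.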

Callie Guenther, senior manager of threat research at Critical Start, said vendors could issue patches in the short term to address specific vulnerabilities in the RADIUS protocol, adding integrity checks and authentication measures to access-request packets to reduce the risk of tampering. Additionally, Guenther said enabling stronger encryption and MFA could make it harder for attackers to exploit the protocol.

“For long-term solutions, there is a need for new protocols designed with modern security requirements in mind,” said Guenther, who wrote the column for SC Media. “These protocols should integrate advanced cryptographic techniques and be resistant to current and emerging threats. Alternatively, enhancing existing protocols by incorporating more robust security features, such as moving to protocols like EAP-TLS, can provide more secure authentication mechanisms.”

Guenther added that industry-specific measures are also key. For example, encouraging the retirement of end-of-life devices that teams can’t update to meet current security standards can reduce the attack surface by removing vulnerable legacy systems from the network. Guenther also said that having teams regularly perform security audits and updates ensures that all network devices are up to date with the latest security standards.