
IT experts discover flaws in popular security protocol

The paper, “RADIUS/UDP Considered Harmful,” was authored by researchers from Cloudflare, Centrum Wiskunde & Informatica, BastionZero, and Microsoft Research, and was presented last week at USENIX Security 2024.

“This is one of the largest and most complex vulnerability disclosures we’ve ever been involved in,” said Nadia Heninger, a professor in the Jacobs School of Engineering Department of Computer Science and Engineering. “Given how widely adopted this protocol is, it’s surprising that it has received almost no formal security analysis in the academic cryptography and security communities.”

Heninger notes a huge gap between those who implement these protocols and those who research them.

Researchers found that a “man in the middle” positioned between a RADIUS client (the victim network device) and a RADIUS server could forge a valid protocol Accept message in response to a fake login or authentication request. This could give the attacker administrative access to network devices and services without having to guess or “brute force” passwords.

The source of the vulnerability, the authors say, is that RADIUS was developed before cryptographic protocol design was properly understood. Its authentication controls rest on an ad hoc and insecure construction built around the MD5 hash function, which has been known to be broken for two decades.
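To make the client-side check discussed above concrete, here is an added Python model (not code from the paper or the article) of how a RADIUS client validates an Access-Accept: the standard Response Authenticator is a plain MD5 over the packet and the shared secret, while the optional Message-Authenticator attribute (type 80, RFC 2869) is an HMAC-MD5 keyed with the secret. The shared secret, Request Authenticator and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
MESSAGE_AUTHENTICATOR = 80  # attribute type 80 (RFC 2869): 16-byte HMAC-MD5

SECRET = b"constructed-shared-secret"  # constructed sample, not a real deployment value
REQUEST_AUTH = bytes(range(16))  # Request Authenticator echoed from the Access-Request

def find_message_authenticator(body):
    """Walk the TLV attribute list; return the offset of attribute 80's value, or -1."""
    off = 0
    while off < len(body):
        if off + 2 > len(body) or body[off + 1] < 2 or off + body[off + 1] > len(body):
            raise ValueError("malformed attribute")
        t, length = body[off], body[off + 1]
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            return off + 2
        off += length
    return -1

def build_access_accept(ident, attrs, request_auth, secret, with_msg_auth):
    """Build an Access-Accept the way a server does, optionally adding Message-Authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if with_msg_auth:
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zero placeholder, filled below
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    if with_msg_auth:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    # Response Authenticator (RFC 2865): MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_access_accept(pkt, request_auth, secret, require_msg_auth):
    """Client-side acceptance check; returns True if the reply passes the chosen policy."""
    code, _, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt) or length < 20:
        return False
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return False
    off = find_message_authenticator(body)
    if off < 0:
        return not require_msg_auth  # legacy policy trusts the plain MD5 check alone
    zeroed = body[:off] + bytes(16) + body[off + 16:]  # HMAC is computed with the value zeroed
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(body[off:off + 16], mac)
```

With `require_msg_auth=True` a reply that carries no Message-Authenticator is rejected outright, so the client no longer relies on the unkeyed MD5 Response Authenticator alone.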