BlastRADIUS Vulnerability

BlastRADIUS Vulnerability: How It Affects RADIUS, How FreeRADIUS Mitigates It

A Critical Security Flaw in the RADIUS Protocol

In July 2024, a team of security researchers, including researchers at the University of California, San Diego, disclosed a critical vulnerability in the RADIUS protocol, named BlastRADIUS (CVE-2024-3596). An attacker positioned between a RADIUS client and server can use it to turn a valid Access-Reject into an Access-Accept, granting network access without valid credentials. Given how widely RADIUS is used for network authentication, the flaw affects organizations worldwide.

Understanding the BlastRADIUS Vulnerability

BlastRADIUS is not an implementation bug but a design flaw in the RADIUS protocol itself (RFC 2865). Two properties combine to make it exploitable. First, an Access-Request carries no integrity protection unless it includes the optional Message-Authenticator attribute: the 16-byte Request Authenticator is only a random nonce, so an on-path attacker can alter the request freely. Second, the Response Authenticator that a server places on an Access-Accept or Access-Reject is a plain MD5 hash over the response, the Request Authenticator and the shared secret, and MD5 is vulnerable to chosen-prefix collision attacks; the secret is appended only as a common suffix, which such a collision survives. The attacker inserts a Proxy-State attribute, which the server copies unchanged into its reply, containing collision blocks chosen so that the server's Access-Reject and the attacker's forged Access-Accept produce the same Response Authenticator. The researchers demonstrated that the collision can be computed in minutes. To execute the attack, an adversary must be able to observe and modify Access-Request packets in transit between the RADIUS client (NAS) and the server. The attack affects the non-EAP authentication methods carried over plain UDP RADIUS (PAP, CHAP, MS-CHAP); EAP over RADIUS already requires Message-Authenticator (RFC 3579), and RADIUS over TLS or DTLS is not exposed.

Since RADIUS has been a cornerstone of network authentication for over 30 years, this vulnerability affects a vast number of systems, from enterprise networks to ISPs and cloud services.

How FreeRADIUS Mitigates BlastRADIUS

As one of the most widely used open-source RADIUS servers, FreeRADIUS addressed BlastRADIUS in coordination with the researchers, shipping two new settings in the security section of radiusd.conf in FreeRADIUS 3.2.5 (also back-ported to the 3.0.x branch) and adding Message-Authenticator to every Access-Accept, Access-Reject and Access-Challenge it sends. The mitigations are:

1. Requiring the Message-Authenticator Attribute

FreeRADIUS can now require the Message-Authenticator attribute (an HMAC-MD5 over the whole packet, keyed with the shared secret) in every Access-Request. A request without it, or with one that does not verify, is silently discarded, so an on-path attacker can no longer insert the Proxy-State attribute the collision needs. The setting lives in the security section of radiusd.conf:

security {
    ...
    require_message_authenticator = auto
}

2. Limiting Proxy-State Attributes

Proxy-State is only legitimately added by RADIUS proxies, never by a NAS. With limit_proxy_state enabled, FreeRADIUS discards Access-Request packets that contain Proxy-State but no Message-Authenticator, taking away the attacker's carrier for the collision blocks even from clients that cannot yet send Message-Authenticator. With auto the server works out for itself which clients are proxies; yes enforces the rule unconditionally. Configure it in the same security section of radiusd.conf:

security {
    ...
    limit_proxy_state = auto
}

Both settings accept yes, no or auto. With auto, the server watches each client: once it has seen Message-Authenticator from a client it requires it from that client from then on, and it logs a warning for clients that never send it, so auto is safe to enable immediately and yes should follow once every client is confirmed. Note what the server cannot do alone: the NAS must also send Message-Authenticator in its requests and verify it in responses for a forged Access-Accept to be rejected on the client side, which is why NAS patches matter as much as the server upgrade.
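As an added example (not code from FreeRADIUS or from the BlastRADIUS researchers), the following Python builds minimal RADIUS packets and exercises the two checks the mitigation hinges on: the unkeyed MD5 Response Authenticator that the collision targets, and the keyed HMAC-MD5 Message-Authenticator that detects any change to a request or response. The shared secret, identifier, user name and the zero-filled Proxy-State standing in for the collision blocks are constructed values; no real collision is computed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, PROXY_STATE, MESSAGE_AUTHENTICATOR = 1, 4, 33, 80


def attr(atype, value):
    """One Type-Length-Value attribute (RFC 2865 section 5)."""
    return bytes((atype, 2 + len(value))) + value


def build_packet(code, ident, authenticator, attrs):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def add_message_authenticator(packet, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with the attribute
    zero-filled), RFC 2869 section 5.14; the Length field is updated first."""
    packet += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = packet[:2] + struct.pack("!H", len(packet)) + packet[4:]
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """True only if a Message-Authenticator is present and verifies.  For a response
    the HMAC was computed with the Request Authenticator in the header (RFC 3579
    section 3.2).  Absence yields False: an unsigned packet proves nothing."""
    i = 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = bytearray(packet)
            zeroed[i + 2:i + 18] = bytes(16)
            if request_authenticator is not None:
                zeroed[4:20] = request_authenticator
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + 18])
        i += alen
    return False


def response_authenticator(response, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.
    Plain MD5 over data the attacker partly controls (echoed Proxy-State), with the
    secret as a common suffix: this is the hash the chosen-prefix collision targets."""
    return hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()


def build_response(code, ident, request_authenticator, attrs, secret, with_ma):
    """Server side: Message-Authenticator first, then the Response Authenticator."""
    resp = build_packet(code, ident, request_authenticator, attrs)
    if with_ma:
        resp = add_message_authenticator(resp, secret)
    return resp[:4] + response_authenticator(resp, request_authenticator, secret) + resp[20:]


def verify_response_authenticator(response, request_authenticator, secret):
    expected = response_authenticator(response, request_authenticator, secret)
    return hmac.compare_digest(response[4:20], expected)


def run_scenarios(secret=b"testing123"):
    """Which tampering each configuration can detect (constructed traffic)."""
    req_auth = os.urandom(16)  # Request Authenticator: random, not keyed
    base = [attr(USER_NAME, b"alice"), attr(NAS_IP_ADDRESS, bytes((192, 0, 2, 10)))]
    filler = attr(PROXY_STATE, bytes(12))  # stands in for the collision blocks
    r = {}

    # Legacy NAS, no Message-Authenticator: an inserted Proxy-State is invisible.
    legacy = build_packet(ACCESS_REQUEST, 7, req_auth, base)
    tampered = build_packet(ACCESS_REQUEST, 7, req_auth, base + [filler])
    r["legacy_request_tamper_detected"] = verify_message_authenticator(tampered, secret)

    # Hardened NAS: the same insertion breaks the HMAC, so the server drops it.
    protected = add_message_authenticator(legacy, secret)
    r["protected_request_intact"] = verify_message_authenticator(protected, secret)
    tampered_p = build_packet(ACCESS_REQUEST, 7, req_auth,
                              [protected[20:-18], filler, protected[-18:]])
    r["protected_request_tamper_detected"] = not verify_message_authenticator(tampered_p, secret)

    # Response: flipping Reject to Accept changes the MD5 input, so without a collision
    # the Response Authenticator fails; the keyed Message-Authenticator fails regardless.
    reject = build_response(ACCESS_REJECT, 7, req_auth, [], secret, with_ma=True)
    r["reject_verifies"] = (verify_response_authenticator(reject, req_auth, secret)
                            and verify_message_authenticator(reject, secret, req_auth))
    forged = bytes((ACCESS_ACCEPT,)) + reject[1:]
    r["forged_accept_detected"] = not verify_message_authenticator(forged, secret, req_auth)
    return r


if __name__ == "__main__":
    for name, detected in run_scenarios().items():
        print(f"{name}: {detected}")
```

The first scenario is the whole point of require_message_authenticator: with no keyed attribute on the request, the server has nothing to verify and accepts the attacker's Proxy-State as if the NAS had sent it. The last scenario shows why a collision on the Response Authenticator does not help once Message-Authenticator is present in the reply: the HMAC is keyed with the secret, so there is no common-suffix trick to exploit, and the NAS only benefits if it actually checks the attribute.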

Recommended Actions for Network Administrators

To effectively mitigate the risks associated with BlastRADIUS, network administrators should take the following actions:

1. Upgrade FreeRADIUS

Ensure that every FreeRADIUS instance runs 3.2.5 or later (or the equivalent patched 3.0.x build from your distribution), the first release that carries the BlastRADIUS settings and adds Message-Authenticator to all responses.

2. Enable Security Configurations

Set require_message_authenticator and limit_proxy_state in the security section of radiusd.conf (or per client in clients.conf). Start with auto, review the server log for clients that do not send Message-Authenticator, and move to yes once they are fixed; check the configuration with radiusd -XC before restarting.

3. Assess NAS Equipment

Evaluate every Network Access Server (switch, wireless controller, VPN gateway, RADIUS proxy) for susceptibility: a fixed NAS sends Message-Authenticator in all Access-Requests and verifies it in every response. Apply the patches provided by vendors, and for equipment that cannot be fixed, keep it on a per-client exception with limit_proxy_state enabled and track it as a known risk.

4. Implement RADIUS over TLS (RadSec)

Consider RADIUS over TLS (RadSec, RFC 6614) or RADIUS over DTLS (RFC 7360), which wrap the whole exchange in an authenticated, encrypted transport so an on-path attacker can neither read nor modify packets. This removes the attack entirely, at the cost of certificate management on both ends.

5. Conduct Security Testing

Test after each change: confirm that authentication still succeeds for every client type, that a request without Message-Authenticator is rejected where you expect it (a NAS that never sends one will have its requests dropped silently once yes is enforced, which looks like a server outage from the NAS side), and that proxy chains still work.
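The following configuration is an added example, not taken from the FreeRADIUS project or the advisory. It shows the end state of steps 1 to 3 above: global enforcement once clients are confirmed, with a single legacy NAS exempted on its own. The per-client form of both settings in clients.conf is as documented for FreeRADIUS 3.2.5; the client name, address and secret are placeholders.

```conf
# radiusd.conf: global defaults once every NAS has been confirmed to send
# Message-Authenticator (leave both at "auto" until then, and watch the log).
security {
    require_message_authenticator = yes
    limit_proxy_state = yes
}

# clients.conf: one legacy NAS that cannot yet send Message-Authenticator.
# It is exempted on its own, but Proxy-State that a NAS has no business
# sending is still refused, which blocks the attacker's carrier attribute.
client legacy-switch {
    ipaddr = 192.0.2.10
    secret = replace-with-a-long-random-secret
    require_message_authenticator = no
    limit_proxy_state = yes
}
```

Validate with radiusd -XC (freeradius -XC on Debian-derived systems) before restarting, and treat every client left at no as an open item on the NAS patch list rather than a permanent state.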

Conclusion

The BlastRADIUS vulnerability highlights the risk of relying on legacy cryptographic constructions, here an unkeyed MD5 hash for packet integrity, in protocols that still carry modern authentication. While FreeRADIUS has swiftly provided mitigations, administrators must take proactive steps to update configurations and strengthen defenses on both the server and the NAS side. By applying the recommended security measures, organizations can safeguard their authentication infrastructure from exploitation.

For more details, refer to the official FreeRADIUS security advisory.
