overview
A newly discovered critical vulnerability in the RADIUS protocol, named BlastRADIUS (CVE-2024-3596), exposes most networking equipment to Man-in-the-Middle (MitM) attacks. While challenging to exploit, the potential impact is severe, affecting businesses, universities, cloud providers, and ISPs globally.
The vulnerability currently impacts network switches, routers, firewalls, VPN concentrators, access points, and DSL gateways. BlastRADIUS could allow for unauthorized network access, false user authentication, and granting unauthorized permissions.
Who is at Risk?
- Most Vulnerable: PAP, CHAP, MS-CHAPv2 authentication methods.
- Safer Alternatives: TLS, IPSec, 802.1X (EAP), eduroam, OpenRoaming.
The root cause of BlastRADIUS lies in the unauthenticated Access-Request packets within the RADIUS protocol, allowing for MitM attacks through chosen prefix modifications. Because the RADIUS protocol doesn’t have integrity and authentication checks in certain Access-Request messages, attackers can change these packets without being noticed. This means almost all network access systems around the world are currently insecure.
Even though there’s no proof that this vulnerability is being actively exploited, it is still a major threat due to the high potential damage, particularly from nation-state actors targeting specific users. To fix this issue, all RADIUS servers and clients worldwide need to be updated.
avertium's recommendationS
- This vulnerability was discovered by a research team including members from Boston University, Cloudflare, BastionZero, Microsoft Research, Centrum Wiskunde & Informatica, and the University of California, San Diego. You may find detailed information on the research team’s website.
- According to the website, network administrators and vendors should follow the guidance given in this white paper authored by Alan DeKok of FreeRADIUS.
- Short Term Guidance:
- Mandate that clients and servers always send and require Message-Authenticator attributes for all requests and responses.
- Include the Message-Authenticator as the first attribute in Access-Accept or Access-Reject responses.
- Apply patches implementing this mitigation, as they have been released by all known RADIUS implementations.
- Follow this guidance, which will be included in an upcoming RADIUS RFC.
- Long Term Guidance:
- Use RADIUS within an encrypted and authenticated channel that provides modern cryptographic security guarantees.
- Monitor the ongoing IETF efforts to standardize RADIUS over (D)TLS.
INDICATORS OF COMPROMISE (IoCs)
IoCs Added to our Threat Feeds
At this time, there are no known IoCs associated with BlastRADIUS. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
TTPs to Monitor
- Credential Access and Collection (Tactic ID: TA0006 and TA0009): An adversary exploiting this vulnerability can steal credentials transmitted over a network.
- Discovery (Tactic ID: TA0007): An adversary exploiting this vulnerability may be able to discover critical information about your network, including but not limited to: user, cloud, or domain accounts, system policies, system configurations, and security tools in the environment.
- Exfiltration (Tactic ID: TA0010): An adversary exploiting this vulnerability could use various techniques to exfiltrate sensitive data, including but not limited to: exfiltration over web services or by hijacking a scheduled transfer.
How Avertium is Protecting Our CUSTOMERS
- Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
- Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
If you have any questions on these findings or prefer to no longer be notified about this issue, please contact the Cyber Fusion Center by replying to this message, sending an email to cfc@avertium.com, or by calling 1-877-707-7997 (option 1).
SUPPORTING DOCUMENTATION