A new, serious vulnerability has been discovered in the popular network authentication protocol RADIUS. This protocol is used by networks around the world to help users connect to their services (from broadband ISPs to VPNs, mobile operators and more). It could expose users to Man-in-the-Middle (MitM) attacks.
The vulnerability, which InkBridge Networks (the company behind FreeRADIUS) refers to as ‘Blast-RADIUS’, appears difficult to exploit. However, its impact could still be significant if network operators and administrators using RADIUS do not patch their software and devices against the new threat.
REMARK: RADIUS may not be as visible to end users as protocols like HTTP (Web), but it is a fundamental protocol that virtually everyone uses at some level to access the Internet.
The vulnerability is believed to stem from a 30-year-old design flaw in the RADIUS protocol (i.e., some Access-Request packets are not authenticated and carry no integrity check), and exploiting it “allows an attacker to authenticate anyone to your local network”, which is clearly not good. Suffice it to say, it has been given a Common Vulnerability Scoring System (CVSS) score of 9 out of 10, which is extremely high.
However, for such an attack to succeed, the attacker would need to be able to modify RADIUS packets in transit between the RADIUS client and the server. Even if they were able to do so, such attacks would still be costly and would likely “require a significant amount of cloud computing power to be successful” (the catch being that those with more resources may still find it feasible, for example if the goal is to steal credit card details for financial gain).
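To make the “no integrity check” point concrete, here is an added example (not code from the article or from FreeRADIUS) that builds a RADIUS Access-Request in the RFC 2865 layout and audits whether it carries a Message-Authenticator attribute (attribute 80, RFC 2869, an HMAC-MD5 over the packet keyed with the shared secret). The shared secret and user name are constructed sample values; an unprotected request accepts any modification silently, while a protected one fails verification when tampered with.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869: HMAC-MD5 over the whole packet


def build_access_request(secret, identifier, attrs, sign):
    """Build an Access-Request: code, id, length, 16-byte random Request
    Authenticator, then TLV attributes. With sign=True a Message-Authenticator
    attribute is appended and filled in; with sign=False nothing binds the
    attributes to the shared secret (the weakness the article describes)."""
    request_auth = os.urandom(16)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if sign:
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body
    if sign:
        # HMAC is computed with the Message-Authenticator value zeroed, then patched in.
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def parse_attrs(pkt):
    """Yield (type, offset, value) for each attribute after the 20-byte header."""
    attrs, off = [], 20
    while off < len(pkt):
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > len(pkt):
            raise ValueError("malformed attribute")
        attrs.append((t, off, pkt[off + 2:off + l]))
        off += l
    return attrs


def audit_access_request(pkt, secret):
    """Return 'unprotected' (no Message-Authenticator), 'valid' or 'invalid'."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    ma = [(off, v) for t, off, v in parse_attrs(pkt) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not ma:
        return "unprotected"
    off, value = ma[0]
    zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "valid" if hmac.compare_digest(expected, value) else "invalid"
```

Run against a packet capture from your own NAS devices, a result of 'unprotected' on Access-Requests is the condition the vendor updates are meant to remove.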
FreeRADIUS Statement
The attack is difficult because it is a “man in the middle” attack, meaning the attacker must be able to see and modify Access-Request packets. If the attacker can do that, your network is already compromised.
Even better, the attack requires substantial CPU resources to pull off, i.e. $1000 worth of CPU power per packet attacked, and the attack isn’t even guaranteed. There is also no publicly available exploit for “script kiddies” to execute. It is extremely unlikely that anyone other than nation states have the ability to pull off the attack at this point.
However, if you are using PAP/CHAP/MS-CHAP and RADIUS/UDP over the Internet, then your users have probably been compromised for decades. There is not much more we can say about that.
To fully protect your systems from the attack, you should update all RADIUS servers and all RADIUS clients. The attack is based on a design flaw in the protocol. To fix this, you should update all RADIUS implementations to the new behavior. In many cases, you don’t need to panic and upgrade everything immediately. See below for more information.
Even given the limited nature of the attack, everyone should plan to install all firmware updates for every NAS device (including switches, routers, firewalls, VPN concentrators, etc.) that uses RADIUS. The most important thing in the short term is to upgrade your RADIUS servers, determine if your network is still vulnerable, and then take action to address those vulnerabilities.
Currently, the only exploit is a proof-of-concept developed by the researchers, and it is not yet publicly available. Credit to Thinkbroadband for spotting it.
REMARK: Systems that are NOT considered vulnerable include 802.1X, IPsec, TLS, eduroam, and OpenRoaming. Systems that ARE considered vulnerable are those using PAP, CHAP, MS-CHAPv2, and other non-EAP authentication methods.