
Blast-RADIUS Attack: RADIUS/UDP and MD5 Authentication

July 16, 2024 By Rublon Authors

Last updated on February 6, 2025

Researchers at Cloudflare recently disclosed the Blast-RADIUS vulnerability, tracked as CVE-2024-3596. The Blast-RADIUS attack presupposes that the attacker can position themselves as a man-in-the-middle (MITM) on the RADIUS traffic and has enough computational power to compute an MD5 collision before the RADIUS login times out. If these conditions are met, an Access-Reject packet can be replaced with an Access-Accept packet. The forged Access-Accept then reaches the RADIUS client, which accepts it and grants the attacker access to the device.

The Role of RADIUS in Network Security

RADIUS is critical in managing network access. It operates by sending authentication requests to a RADIUS server, which verifies the credentials and grants or denies access based on predefined policies. The use of UDP for transport makes RADIUS lightweight and efficient, suitable for high-speed networks. However, the combination of UDP and MD5 hashing can expose the protocol to several security threats.

The Persistence of RADIUS/UDP and MD5

RADIUS traffic is still commonly transported over UDP without encryption, relying solely on outdated cryptographic constructions based on MD5. Although MD5 has long been recognized as cryptographically broken, its use persists in RADIUS because updating the legacy devices, such as routers, that are integral to many networks is complex.


The Blast-RADIUS Attack: Exploiting MD5 Weaknesses

Blast-RADIUS builds on an improved collision attack against MD5. With it, a man-in-the-middle (MITM) can exploit every authentication mode of RADIUS/UDP except those that use the Extensible Authentication Protocol (EAP). An attacker with access to RADIUS traffic can thereby gain unauthorized administrative access to devices without brute-forcing or stealing passwords or shared secrets.

How the Blast-RADIUS Attack Works

The attack hinges on the ability to forge an Access-Accept packet by exploiting MD5 collisions. By intercepting the Access-Request packet and quickly finding a collision, the attacker can replace an Access-Reject with an Access-Accept. The RADIUS client accepts the forged Access-Accept packet, granting unauthorized access.

  1. User Login Attempt: An attacker enters a privileged user’s username and an incorrect password.
  2. Access-Request: The network device generates an Access-Request, including a random value called the Request Authenticator.
  3. MD5 Collision Attack: The attacker predicts the server’s response (an Access-Reject) and computes an MD5 collision between the predicted Access-Reject and an Access-Accept. The collision yields two blocks of random-looking bytes.
  4. Modified Access-Request: The attacker appends one collision block to the Access-Request, disguised as a Proxy-State attribute.
  5. Server Responds with Access-Reject: The server checks the password, rejects the request, and sends an Access-Reject that echoes the Proxy-State attribute back. It also computes a Response Authenticator over that packet.
  6. Adversary’s Swap: The attacker replaces the Access-Reject with the prepared Access-Accept, which carries the other collision block, and sends it to the client.
  7. Successful Access: Because of the MD5 collision, the Response Authenticator also verifies for the forged Access-Accept, so the client accepts it and grants the attacker access.

Blast-RADIUS Vulnerability: Assessing Feasibility and Implications

This attack must be executed swiftly. The Request Authenticator, a 16-byte random nonce in the header of the request packet, forces the MITM attacker to intercept and process the request packet in real time. Precomputed attacks are not feasible because the Request Authenticator is unpredictable. For that reason, recreating the exploit is challenging and costly. Successful attacks require significant cloud computing power, with a cost incurred for every exploited packet. Mass exploitation is impractical due to these resource requirements. While these costs may deter casual attackers, they are insignificant for well-funded nation-states targeting specific users.

In addition to the above, an attacker must be able to manipulate packets within your network to conduct the Blast-RADIUS attack. If they can already manipulate packets within your network, they have already succeeded in a separate cyberattack to gain that level of access.

Last but not least, not all RADIUS packets are vulnerable to Blast-RADIUS. Only certain Access-Request packets are affected. EAP (802.1X) authentication remains safe, as do Accounting-Request packets, CoA-Request packets, Disconnect-Request packets, and RADIUS over TLS (RadSec). Put differently, the Blast-RADIUS flaw affects RADIUS deployments that rely on PAP, CHAP, MS-CHAP, and RADIUS/UDP over the internet. Enterprises using IPsec, TLS, or 802.1X, as well as services like eduroam or OpenRoaming, remain unaffected.

Mitigation Strategies

  • Implement RADIUS over TLS: Using Transport Layer Security (TLS) to encrypt RADIUS traffic can protect against eavesdropping and man-in-the-middle attacks. RADIUS over TLS (RadSec) provides a secure, encrypted channel for transmitting authentication data. All Access-Request packets must be sent over RADIUS/TLS (RadSec).
  • Use EAP with RADIUS: Even though EAP-TLS traffic is still carried over RADIUS/UDP, it has not been shown that EAP-TLS is vulnerable to Blast-RADIUS. However, some implementations of EAP-TLS may nevertheless be vulnerable to a variant of the attack. For that reason, it is better to use RadSec instead of EAP-TLS alone whenever possible.
  • Deploy IPsec for Network Traffic: Internet Protocol Security (IPsec) can be used to secure communication between RADIUS clients and servers. IPsec provides authentication, integrity, and encryption, so tunneled data is harder to intercept and tamper with in transit. Even though IPsec makes it harder for the attacker to reach the RADIUS traffic at all, RadSec remains the preferred option.
  • Enforce MFA With Message-Authenticator Support (via Rublon Authentication Proxy 3.5.3+): RADIUS integrations can mitigate Blast-RADIUS by enforcing validation of the Message-Authenticator attribute. An MFA provider must support this attribute and allow enforcing it to safeguard against Blast-RADIUS attacks. In Rublon Authentication Proxy version 3.5.3 and newer, the force_message_authenticator option (enabled by default) secures RADIUS traffic against forged Access-Accept packets. You can learn more in the Rublon Authentication Proxy documentation.
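The attack steps above and the Message-Authenticator mitigation in the last list item can be seen side by side in the following added example (written for this page; it is not Rublon's code nor any RADIUS implementation's). It builds a response the way an RFC 2865/2869 server does (only to create test input) and then performs the client-side check: the Response Authenticator is a plain MD5 digest, so a swapped Access-Accept that has been made to verify (simulated here with the shared secret, where Blast-RADIUS would use a collision) passes a legacy client but is rejected once a valid HMAC-MD5 Message-Authenticator is enforced. The attribute types and HMAC construction follow the RFCs; the secret, identifier and Reply-Message values are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def _attr(t, v):
    return struct.pack("!BB", t, len(v) + 2) + v

def build_response(code, ident, request_auth, attrs, secret, with_msg_auth):
    body = b"".join(_attr(t, v) for t, v in attrs)
    if with_msg_auth:  # keyed HMAC-MD5 over the packet, attribute value zeroed, Request Authenticator in header
        head = struct.pack("!BBH", code, ident, 20 + len(body) + 18)
        msg = head + request_auth + body + _attr(MSG_AUTH, b"\0" * 16)
        body += _attr(MSG_AUTH, hmac.new(secret, msg, hashlib.md5).digest())
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator: plain MD5 with the secret appended; this is the value Blast-RADIUS forges.
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def parse_attrs(data):
    """Split the attribute section into (type, value) pairs; None if a TLV is malformed."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            return None
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def verify_response(packet, request_auth, secret, force_message_authenticator):
    """Client-side check; with enforcement on, a response lacking a valid HMAC is rejected."""
    head, response_auth, body = packet[:4], packet[4:20], packet[20:]
    attrs = parse_attrs(body)
    if (attrs is None or len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet)
            or not hmac.compare_digest(hashlib.md5(head + request_auth + body + secret).digest(), response_auth)):
        return False
    macs = [v for t, v in attrs if t == MSG_AUTH]
    if len(macs) != 1 or len(macs[0]) != 16:
        return not macs and not force_message_authenticator  # legacy behaviour: MD5 alone suffices
    zeroed = b"".join(_attr(t, b"\0" * 16 if t == MSG_AUTH else v) for t, v in attrs)
    return hmac.compare_digest(hmac.new(secret, head + request_auth + zeroed, hashlib.md5).digest(), macs[0])

def demo(secret=b"constructed-shared-secret", request_auth=bytes(range(16))):
    legit = build_response(ACCESS_ACCEPT, 7, request_auth, [(18, b"ok")], secret, True)
    # Stands in for the swapped Access-Accept: its Response Authenticator verifies (the real attack gets
    # that from an MD5 collision, not from the secret) but it carries no keyed Message-Authenticator.
    swapped = build_response(ACCESS_ACCEPT, 7, request_auth, [(18, b"ok")], secret, False)
    return [verify_response(p, request_auth, secret, force)  # -> [True, True, False]
            for p, force in ((legit, True), (swapped, False), (swapped, True))]
```

The middle result is the legacy client that trusts the MD5 check alone; the last one is the client with Message-Authenticator enforcement, which rejects the same packet.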


Conclusion

While RADIUS remains a vital protocol for network security, its use of UDP and MD5 presents significant vulnerabilities. Understanding these risks and implementing robust mitigation strategies is crucial for maintaining a secure network environment. By upgrading to RADIUS over TLS (RadSec), organizations can protect against the inherent weaknesses of RADIUS/UDP and MD5, ensuring the integrity and security of their authentication processes.

Blast-RADIUS FAQ

Here’s a list of commonly asked questions about the Blast-RADIUS flaw, RADIUS, UDP, and MD5 vulnerabilities.

What are the vulnerabilities associated with RADIUS/UDP and MD5 authentication?

RADIUS/UDP combined with MD5 authentication is susceptible to various security vulnerabilities, including collision attacks and replay attacks. One such vulnerability can facilitate a Blast-RADIUS attack, leading to unauthorized access and data breaches within a network.

Why is MD5 considered insecure for use in RADIUS?

MD5 is vulnerable to collision attacks, where two different inputs generate the same hash value. This vulnerability allows attackers to manipulate or reverse-engineer hashed passwords, compromising the security of RADIUS authentication.

How does UDP contribute to the vulnerabilities in RADIUS?

UDP is a connectionless protocol that lacks built-in mechanisms for ensuring data integrity and authenticity. This makes it easier for attackers to spoof or manipulate UDP packets, further exacerbating the security risks associated with RADIUS.

What are the potential consequences of a Blast-RADIUS attack?

Exploiting the Blast-RADIUS vulnerability can lead to unauthorized network access, data breaches, and other malicious activities. Attackers can gain access to sensitive systems and data, compromising the overall security of the network. The attacker can bypass Multi-Factor Authentication (MFA), allow unknown users to gain network access, grant administrative login to critical networking equipment, and redirect known users’ traffic to a ‘honeypot’.

Who is at risk from Blast-RADIUS?

Any organization that uses RADIUS with MD5 authentication over UDP is at risk. This includes enterprises, Internet Service Providers (ISPs), and other entities relying on RADIUS for network access control.

What can be done to mitigate these risks?

To mitigate these risks, organizations should implement RADIUS over TLS (RadSec). This can be challenging on legacy systems, in which case organizations should at least use EAP-TLS and deploy IPsec for securing network traffic.

Is it necessary to stop using RADIUS?

No, it is not necessary to stop using RADIUS. Instead, organizations should adopt more secure practices and technologies to protect their RADIUS implementations from known vulnerabilities.

How long have these vulnerabilities been known?

The vulnerabilities associated with MD5 and RADIUS/UDP have been known for many years. However, the security community continues to find and address new weaknesses, emphasizing the need for regular updates and adherence to best practices. One such vulnerability is Blast-RADIUS, which was discovered in February 2024 and became public in July 2024.

What steps should system administrators take immediately?

System administrators should assess their current RADIUS implementations, upgrade to secure hashing algorithms, use encrypted transport protocols, and ensure all systems are up-to-date with the latest security patches. Implementing these measures promptly can significantly reduce the risk of exploitation.
