There are mixed feelings in the security community about the urgency to protect networks from the BlastRADIUS vulnerability.
Why fix a 30-year-old design flaw that can only be exploited by someone already on your network?
Because BlastRADIUS is:
- Relatively easy to exploit
- Could cause harm to your business
- Has a reliable and tested fix
While the flaw in the RADIUS protocol has existed for a long time, the BlastRADIUS exploit elevates this threat. An enterprise data security team may choose to deprioritize this issue, but 25 years of experience tells me that is not the best option. There’s no value in leaving known security issues unresolved.
Cyber attacks typically involve multiple vulnerabilities. If any one of the issues in the sequence had been fixed, the attack would not succeed. Fixing BlastRADIUS closes off one route of attack.
If you leave one vulnerability open here, and another over there, pretty soon your multi-layered security looks like a chain link fence.
There’s no value in leaving a known security issue unresolved, especially one that allows attackers to mess with authentication.
BlastRADIUS is not hard to exploit
As the news about BlastRADIUS (CVE-2024-3596) broke in early July, some commenters minimized the threat, but we disagree.
BlastRADIUS has a CVSS score 8.1. That’s at the upper end of the scale. The CVSS calculation considers both exploitability and impact (among other things), so let’s take a closer look at these factors.
This vulnerability can’t be casually exploited because it requires access to the network and massive amounts of computing power. But here’s the thing – getting a foothold into a network for an “adversary-in-the-middle” attack isn’t that difficult.
Computing power is not much of a deterrent either. It’s so easily available and inexpensive that individuals could finance this exploit, and nation-states wouldn’t blink at the hardware requirement.
I’d say the exploitability of BlastRADIUS is high.
BlastRADIUS is an avoidable risk
The impact of an attack via BlastRADIUS would be substantial. This vulnerability could allow an attacker to connect to authenticated systems without credentials. They might achieve management-level access or gain a connection to restricted networks. What would that mean for intellectual property, confidential data, or maintaining operations?
BlastRADIUS is simple to fix
This flaw in RADIUS is not new. It has always been known that some Access-Request packets lack integrity checks. Researchers have now proved that this is a security problem.
When I wrote RFC 5080 in 2007, it suggested that RADIUS clients should add integrity protection to all Access-Request packets, and that servers should drop packets that are missing integrity protection. These changes were added to FreeRADIUS in 2007, and made mandatory in FreeRADIUS Version 3.0.0, in 2013.
If all RADIUS implementations had followed the recommendations of RFC 5080, then this vulnerability would not exist. Following that same logic, if you implement the updates and configuration changes to protect against BlastRADIUS now, it will no longer be a concern.
Different organizations will have different threat models and risk tolerance. As you consider your response to BlastRADIUS, check out our FAQ page and our worksheet and verification tool. If you would like some expert input on the BlastRADIUS threat or want to know ways to beef up RADIUS security and functionality, call us.
Need expert guidance on network security?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.
Related Articles
RADIUS protocols and password format compatibility
In order for RADIUS authentication to work, user passwords need to be stored in a format that is understood by the authentication protocol used by the client. Unfortunately, not all protocols work with all password storage formats. This can be especially problematic with platforms that use proprietary formats or protocols.
How Authentication protocols work
There are a variety of authentication protocols to choose from, each with their own set of advantages, disadvantages, and constraints. In general, we recommend using PAP whenever possible. It is compatible with all known back-end databases, and it has no known security issues.