BlastRADIUS: a CRITICAL security vulnerability
If you’re on this mailing list, you need to know about BlastRADIUS. BlastRADIUS is a thirty year-old design flaw in the RADIUS protocol. Exploiting the vulnerability allows an attacker to authenticate anyone to your local network: • Any Multi-Factor Authentication (MFA) can be bypassed • Unknown users can be given network access • Unknown users can be granted administrative login to key networking equipment • Known users can have their traffic redirected to a "honeypot" BlastRADIUS has a CVSS score of 9.0, which is extremely high. This vulnerability affects ALL RADIUS clients and ALL RADIUS servers. It is an issue in the underlying protocol, not any specific implementation. All RADIUS servers are affected and MUST BE UPGRADED as soon as possible. In some cases, it is possible to upgrade clients in a less time critical manner. See our resource hub for more information. https://www.inkbridgenetworks.com/blastradius *** RESOURCES *** freeRADIUS resource page: https://www.freeradius.org/security/ InkBridge Networks BlastRADIUS resource page: https://www.inkbridgenetworks.com/blastradius Official BlastRADIUS site: https://blastRADIUS.fail <https://blastradius.fail/> FREE Webinar TODAY 9am ET with: - Alan DeKok, founder of freeRADIUS and InkBridge Networks CEO - Nadia Heninger, lead cryptographer who discovered the vulnerability Register now: https://alandekok.com/webinar2/ FREE Webinar TODAY 2:00pm ET with Alan DeKok Register now: https://alandekok.com/webinar/ Webinar recordings will be made available if you aren’t able to attend. *** DON’T WORRY. WE’VE GOT YOU COVERED **** As one of the world’s foremost experts on RADIUS, Alan DeKok has been on the front lines resolving this issue from the beginning. The cryptography team reached out to Alan within days of discovering the vulnerability. All RADIUS vendors have followed Alan's vendor guide to update their products. These changes will be added to the RADIUS standards, as the mandated behaviour for all RADIUS implementations.The updated standards will follow the IETF document we wrote to deprecate insecure practices in RADIUS. Simply put, InkBridge Networks are the world experts on Blast RADIUS. Check out our resource hub to see how we can help. https://www.inkbridgenetworks.com/blastradius See our vendor guide: https://www.inkbridgenetworks.com/web/content/2557?unique=47be02c8aed46c53b0.... This is the reference document implemented by all RADIUS vendors. See our IETF document for updating RADIUS standards: https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/ . —————— Additional information can be found here: https://www.kb.cert.org/vuls/id/456537 https://blog.cloudflare.com/radius-udp-vulnerable-md5-attack https://www.cwi.nl/en/news/vulnerability-demonstrated-in-radiusudp-network-p...
Mandi! Alan DeKok In chel di` si favelave...
BlastRADIUS has a CVSS score of 9.0, which is extremely high.
Sorry Alan; looking at https://blastradius.fail/ or https://thehackernews.com/2024/07/radius-protocol-vulnerability-exposes.html it is not clear to me if a standard configuration 'Active Directory binded to RADIUS' (eg, WPA2/3-Enterprise, (P)EAP, MSCHAPv2) is vulnerable or not. MSCHAPv2 is listed as 'vulnerable', but also EAP is 'not vulnerable'. This confuse me because i supose(d) that MSCHAPv2 *need* EAP, so... Agains sorry, thanks. --
On Jul 11, 2024, at 11:00 AM, Marco Gaiarin <gaio@lilliput.linux.it> wrote:
Sorry Alan; looking at https://blastradius.fail/ or https://thehackernews.com/2024/07/radius-protocol-vulnerability-exposes.html
You can go to the source: https://inkbridgeneworks.com/blastradius https://inkbridgeneworks.com/blastradius/faq
it is not clear to me if a standard configuration 'Active Directory binded to RADIUS' (eg, WPA2/3-Enterprise, (P)EAP, MSCHAPv2) is vulnerable or not.
The attack has nothing to do with Active Directory. See my FAQ above. There are clear descriptions for who is vulnerable, and who is not.
MSCHAPv2 is listed as 'vulnerable', but also EAP is 'not vulnerable'. This confuse me because i supose(d) that MSCHAPv2 *need* EAP, so...
PEAP is really MS-CHAP inside of TLS, inside of EAP, inside of RADIUS. When you just use MS-CHAP over RADIUS, it's insecure. Don't use that. Ever. Alan DeKok.
Mandi! Alan DeKok In chel di` si favelave...
The attack has nothing to do with Active Directory.
I know. I'm simply listing a use case.
See my FAQ above. There are clear descriptions for who is vulnerable, and who is not.
I've read, but seems not so clear to me, so i've asked.
PEAP is really MS-CHAP inside of TLS, inside of EAP, inside of RADIUS. When you just use MS-CHAP over RADIUS, it's insecure. Don't use that. Ever.
OK. Thanks. --
Am 11.07.24 um 17:00 schrieb Marco Gaiarin:
MSCHAPv2 is listed as 'vulnerable', but also EAP is 'not vulnerable'. This confuse me because i supose(d) that MSCHAPv2*need* EAP, so...
Take some extra care when reading the docs, e.g. https://www.ietf.org/archive/id/draft-ietf-radext-deprecating-radius-02.html MS-CHAPv2 itself (and all of its predecessors) can be used to teach how NOT to do Challenge-Response-Authentication. In contrast, MS-CHAPv2 wrapped in a secure TLS Tunnel (such as with PEAP) can be implemented safely, provided the tunnel setup is done right. So to be used in any productive way, MS-CHAPv2 "needs" EAP. Not because MS-CHAPv2 on its own is technically impossible, but rather because it would be terribly insecure. All "EAP carrying TLS messages" scenarios should be OK with respect to Blast RADIUS. The biggest problem with these scenarios are client devices that don't properly validate the peer's identity, i.e. 802.1X/802.11i certificate. This has happened most often with BYOD devices, especially Android, but that's a different story. Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
participants (3)
-
Alan DeKok -
Marco Gaiarin -
Martin Pauly