BlastRADIUS: a CRITICAL security vulnerability

Alan DeKok aland at deployingradius.com
Tue Jul 9 12:49:34 UTC 2024


If you’re on this mailing list, you need to know about BlastRADIUS. 

BlastRADIUS is a thirty-year-old design flaw in the RADIUS protocol.  Exploiting the vulnerability allows an attacker to authenticate anyone to your local network:
    • Any Multi-Factor Authentication (MFA) can be bypassed
    • Unknown users can be given network access
    • Unknown users can be granted administrative login to key networking equipment
    • Known users can have their traffic redirected to a "honeypot"

BlastRADIUS has a CVSS score of 9.0, which is extremely high. 

This vulnerability affects ALL RADIUS clients and ALL RADIUS servers. It is an issue in the underlying protocol, not any specific implementation. All RADIUS servers are affected and MUST BE UPGRADED as soon as possible.  In some cases, it is possible to upgrade clients in a less time-critical manner.   See our resource hub for more information. https://www.inkbridgenetworks.com/blastradius


*** RESOURCES ***

freeRADIUS resource page: https://www.freeradius.org/security/
InkBridge Networks BlastRADIUS resource page: https://www.inkbridgenetworks.com/blastradius 
Official BlastRADIUS site: https://blastradius.fail/

FREE Webinar TODAY 9am ET with:
- Alan DeKok, founder of freeRADIUS and InkBridge Networks CEO
- Nadia Heninger, lead cryptographer who discovered the vulnerability 
Register now: https://alandekok.com/webinar2/ 

FREE Webinar TODAY 2:00pm ET with Alan DeKok
Register now: https://alandekok.com/webinar/ 

Webinar recordings will be made available if you aren’t able to attend.


*** DON’T WORRY. WE’VE GOT YOU COVERED ***

As one of the world’s foremost experts on RADIUS, Alan DeKok has been on the front lines resolving this issue from the beginning. The cryptography team reached out to Alan within days of discovering the vulnerability. 

All RADIUS vendors have followed Alan's vendor guide to update their products. These changes will be added to the RADIUS standards, as the mandated behaviour for all RADIUS implementations. The updated standards will follow the IETF document we wrote to deprecate insecure practices in RADIUS.

Simply put, InkBridge Networks are the world experts on BlastRADIUS. Check out our resource hub to see how we can help. https://www.inkbridgenetworks.com/blastradius

See our vendor guide: https://www.inkbridgenetworks.com/web/content/2557?unique=47be02c8aed46c53b0765db185320249ad873d95. This is the reference document implemented by all RADIUS vendors.

See our IETF document for updating RADIUS standards: https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/

——————
Additional information can be found here: 
https://www.kb.cert.org/vuls/id/456537
https://blog.cloudflare.com/radius-udp-vulnerable-md5-attack
https://www.cwi.nl/en/news/vulnerability-demonstrated-in-radiusudp-network-protocol/
