Network operators are warned about a RADIUS protocol flaw
Take action: This is mostly a long-term awareness advisory. Unless you are running FreeRADIUS, you can only ask your vendors about patch availability and stay aware of this risk. Frequent patching of network device firmware and RADIUS servers helps, but it is not a clear-cut fix.
Learn More
Researchers have published a paper warning about a security vulnerability in the RADIUS protocol.
The flaw is dubbed BlastRADIUS and is tracked as CVE-2024-3596 (CVSS score varies, from 7.5 to 9.0). The issue originates from a design flaw in the RADIUS protocol: some Access-Request packets are not authenticated and lack integrity checks. This allows attackers to authenticate any user to a local network, which can lead to unauthorized network access and further exploitation.
Exploiting this vulnerability requires a Man-in-the-Middle (MitM) position: the attacker must intercept and modify RADIUS packets between the client and server. While challenging to execute, because of the substantial CPU resources required (estimated at $1000 per packet), the complexity of mounting a MitM attack and the lack of a public exploit, it remains a notable risk, particularly for high-value targets such as environments where financial data could be stolen.
Affected components include:
- PAP
- CHAP
- MS-CHAPv2
- Other non-EAP authentication methods
Systems that are not vulnerable include:
- 802.1X
- IPsec
- TLS
- Eduroam
- OpenRoaming
The full research paper is available here.
At the moment there is no clear-cut solution to the problem. Network operators and administrators are advised to update all RADIUS servers and clients. Updated RADIUS implementations add integrity and authentication checks for Access-Request packets, addressing the underlying design flaw.
As of 10 July 2024, only FreeRADIUS, an open-source implementation of a RADIUS server, has officially patched the issue in its implementation. Network operators can't do much immediately except ask their vendors about patch availability.
Update: As of 11 July, Palo Alto Networks has released patches for BlastRADIUS.
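The two points the advisory makes, that an Access-Request without integrity protection can be altered on the path without the server noticing, and that the fix is to require integrity and authentication checks on every Access-Request, can be seen directly in packet bytes. The following Python is an added illustration written for this page; it is not code from the advisory, the research paper, FreeRADIUS or any vendor. It builds RADIUS Access-Request packets (RFC 2865 layout) with and without the Message-Authenticator attribute (type 80, HMAC-MD5 keyed with the shared secret, RFC 2869), then runs a server-side check in two modes: a legacy mode that accepts requests lacking the attribute, and a hardened mode that rejects them. The shared secret, user name and NAS address are constructed sample values; the tampering step flips one byte of the User-Name attribute to stand in for any on-path modification.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869: HMAC-MD5 over the whole packet
HEADER_LEN = 20                   # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(body: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute section into (type, value) pairs, rejecting malformed TLVs."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, body[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(secret: bytes, identifier: int, attrs: List[Tuple[int, bytes]],
                         request_auth: Optional[bytes] = None, sign: bool = True) -> bytes:
    """Build an Access-Request; with sign=True a Message-Authenticator is appended last."""
    request_auth = request_auth or os.urandom(16)
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    if sign:
        body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder zeros
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body)) + request_auth + body
    if sign:
        # HMAC-MD5 keyed with the shared secret, computed with the 16 zero bytes in place
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


def verify_access_request(secret: bytes, packet: bytes,
                          require_message_authenticator: bool) -> Tuple[bool, str]:
    """Server-side check. The flag models the hardened policy: reject requests that
    carry no Message-Authenticator instead of trusting them without verification."""
    if len(packet) < HEADER_LEN:
        return False, "packet too short"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False, "bad header"
    try:
        attrs = parse_attrs(packet[HEADER_LEN:])
    except ValueError as exc:
        return False, str(exc)
    offset, mac_offset = HEADER_LEN, None
    for attr_type, value in attrs:          # locate the MAC value inside the packet
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False, "malformed Message-Authenticator"
            mac_offset = offset + 2
            break
        offset += 2 + len(value)
    if mac_offset is None:
        if require_message_authenticator:
            return False, "rejected: no Message-Authenticator"
        return True, "accepted with NO integrity check (legacy behaviour)"
    zeroed = packet[:mac_offset] + bytes(16) + packet[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[mac_offset:mac_offset + 16]):
        return False, "rejected: Message-Authenticator mismatch (modified in transit or wrong secret)"
    return True, "accepted: Message-Authenticator verified"


def demo() -> dict:
    """Exercise the four cases a RADIUS server can face; returns named outcomes."""
    secret = b"constructed-shared-secret"                      # constructed sample value
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
    signed = build_access_request(secret, 7, attrs)
    unsigned = build_access_request(secret, 8, attrs, sign=False)

    def flip_username_byte(pkt: bytes) -> bytes:                # stands in for on-path modification
        tampered = bytearray(pkt)
        tampered[HEADER_LEN + 2 + 4] ^= 0x01                    # last byte of "alice"
        return bytes(tampered)

    return {
        "signed_ok": verify_access_request(secret, signed, True)[0],
        "signed_tampered_rejected": not verify_access_request(secret, flip_username_byte(signed), True)[0],
        "unsigned_tampered_legacy_accepted": verify_access_request(secret, flip_username_byte(unsigned), False)[0],
        "unsigned_hardened_rejected": not verify_access_request(secret, unsigned, True)[0],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `require_message_authenticator` flag in the check above plays the role of the server-side policy that patched implementations enforce; in FreeRADIUS the corresponding setting is named `require_message_authenticator`. The example covers the Access-Request side only: responses are protected by the same attribute together with the Response Authenticator, and the MD5 collision work the paper describes is not reproduced here, since the defender's concern is simply whether a packet without the attribute is ever trusted.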