Difenda is informing its clients about a recent vulnerability impacting the RADIUS protocol, a widely used network authentication, authorization, and accounting protocol. This vulnerability could allow a person-in-the-middle threat actor to authenticate themselves to a victim's system or deny authentication to legitimate users. As of July 9, 2024, no exploitation of this vulnerability has been observed, but it is critical to take preventive measures to mitigate potential risks.
RADIUS Protocol Susceptible to Forgery Attacks: Technical Overview
RADIUS is a lightweight authentication protocol extensively used in networking devices, ranging from basic network switches to complex VPN solutions, and is also adopted by many cloud services for role-based access control. The vulnerability stems from the lack of authentication and integrity validation in the RADIUS protocol: the only protection on a server's reply is a weak MD5 hash, and an adversary can exploit that weakness to forge authentication responses from a RADIUS server.
To exploit this vulnerability, a malicious actor requires both view and modify access to RADIUS packets in transit, making any unencrypted RADIUS communication, especially RADIUS over UDP and RADIUS over TCP, susceptible to attacks. The vulnerability highlights the importance of securing RADIUS communications to prevent unauthorized access and potential denial of service.
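To make the weakness above concrete, the following added example (not code from Difenda or from any RADIUS implementation) reproduces the check a RADIUS client performs on a server reply as defined in RFC 2865: the Response Authenticator is MD5 over the packet header, the request's authenticator, the attributes and the shared secret. The secret, identifier and attribute values are constructed for illustration. The check catches a naive on-path edit of an Access-Reject into an Access-Accept, which is exactly why the attack described above targets MD5 itself rather than this comparison, and why the mitigations below rely on patching and transport encryption rather than on the authenticator alone.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 2865
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def response_authenticator(code, ident, request_auth, attrs, secret):
    """Response Authenticator per RFC 2865:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    """Assemble a server reply the way a RADIUS server does."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return header + auth + attrs


def verify_response(packet, request_auth, secret):
    """Client-side check: recompute the MD5 and compare in constant time."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        return False  # truncated or padded packet
    attrs = packet[HEADER_LEN:length]
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


# Constructed sample values (not taken from any real exchange)
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
REPLY_MSG = bytes([18, 9]) + b"denied!"  # Reply-Message attribute, type 18


def demo():
    """Genuine Access-Reject passes; flipping only the code byte to
    Access-Accept without a matching MD5 fails the check."""
    genuine = build_response(ACCESS_REJECT, 7, REQUEST_AUTH, REPLY_MSG, SECRET)
    flipped = bytes([ACCESS_ACCEPT]) + genuine[1:]
    return {
        "genuine_valid": verify_response(genuine, REQUEST_AUTH, SECRET),
        "flipped_valid": verify_response(flipped, REQUEST_AUTH, SECRET),
    }
```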
What We Suggest For RADIUS Protocol Susceptible to Forgery Attacks
To mitigate the risks associated with this RADIUS protocol vulnerability, Difenda recommends the following actions:
- Patch and Update Systems: Verify with vendors that patches are available for any implementation of RADIUS used within your environment and ensure that all applicable systems are patched.
- Avoid Unsecured RADIUS Communications:
  - Do not use RADIUS over UDP or RADIUS over TCP.
  - Use secure alternatives such as RADIUS-EAP, RADIUS-TLS, or RADIUS-DTLS to enforce confidentiality on communications.
- Ensure Encrypted Network Connections:
  - Use IPsec, TLS, or MACsec (for Layer 2 communications) to authenticate and encrypt all network connections.
  - Block all RADIUS traffic from internet-facing interfaces.
  - Avoid sending unsecured RADIUS traffic over local networks or the internet.
- Implement Firewall and Network Security:
  - Create firewall rules to deny RADIUS traffic to any network segment where it is not expected.
  - Block UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting at the perimeter firewall.
  - Ensure physical security of all network devices to prevent unauthorized access to networking devices and cabling infrastructure.
- Enhance Security Configurations:
  - Enforce stricter timeouts on RADIUS connections as an additional mitigation measure.
  - Alert on these timeout events in security monitoring to help detect potential exploitation attempts.
  - Consider using alternative protocols for device authentication, such as Kerberos, IPsec certificate authentication, or TACACS+, depending on the specific use case.