The Blast-RADIUS attack
Date:
The Blast-RADIUS attack allows an MITM attacker to authenticate to any device that uses RADIUS over UDP, which includes the vast majority of network routers and other network gear in enterprise infrastructure.
Paper
This talk is based on our paper at USENIX’24, which I discuss in this blog post.
Talk Abstract
RADIUS is used to support remote access for diverse use cases including network routers, industrial control systems, VPNs, enterprise Wi-Fi including the Eduroam network, Linux Pluggable Authentication Modules, and mobile roaming and Wi-Fi offload. This talk presents the Blast-RADIUS vulnerability which allows a man-in-the-middle attacker to authenticate themselves to a device using RADIUS. Many of the above-mentioned applications still run RADIUS over UDP within an enterprise network (and in some cases even over the public Internet), and are hence affected by this vulnerability. Only deployments using the EAP authentication method or the not-yet-standardized RADIUS over TLS are unaffected.
In a typical RADIUS deployment, a user sends their credentials to the RADIUS client, which then contacts the RADIUS server that validates the credentials. On success, the RADIUS server sends an Access-Accept packet back to the RADIUS client (e.g., a router), which will then grant the user access. The RADIUS protocol predates modern cryptographic guarantees and is typically unencrypted and unauthenticated. However, the protocol does attempt to authenticate server responses using an ad hoc construction based on the MD5 hash function and a fixed shared secret between a RADIUS client and server. Our attack exploits an MD5 chosen-prefix collision to produce Access-Accept and Access-Reject packets with identical Response Authenticators. This allows our attacker to transform a reject into an accept without knowledge of the shared secret. We show how to fit the collision blocks within RADIUS attributes that will be echoed back from the server.
We improved and optimized the MD5 chosen-prefix attack to produce collisions online in less than five minutes (which could be reduced with further engineering efforts). This talk discusses proof of concept applications of our attack against popular RADIUS implementations. Furthermore, we outline mitigations.
Talk Recording
Talk Slides
Here are different versions of our slides for different talks:
- IETF meeting 120 in Vancouver (slides were created and presented together with my advisor Nadia)
- USENIX Security 2024 (slides created together with Adam, we were planning to co-present but I fell sick)