SoylentNews is people

New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere

Accepted submission by Freeman at 2024-07-10 20:57:44 from the bleeping dept.
News

https://arstechnica.com/security/2024/07/new-blast-radius-attack-breaks-30-year-old-protocol-used-in-networks-everywhere/ [arstechnica.com]

One of the most widely used network protocols is vulnerable to a newly discovered attack that can allow adversaries to gain control over a range of environments, including industrial controllers, telecommunications services, ISPs, and all manner of enterprise networks.

Short for Remote Authentication Dial-In User Service, RADIUS [wikipedia.org] harkens back to the days of dial-in Internet and network access through public switched telephone networks. It has remained the de facto standard for lightweight authentication ever since and is supported in virtually all switches, routers, access points, and VPN concentrators shipped in the past two decades.
[...]
The protocol was developed in 1991 by a company known as Livingston Enterprises. In 1997 the Internet Engineering Task Force made it an official standard [ietf.org], which was updated [ietf.org] three years later. Although there is a draft proposal for sending RADIUS traffic inside of a TLS-encrypted session that's supported by some vendors, many devices using the protocol only send packets in clear text through UDP [wikipedia.org] (User Datagram Protocol).
[...]
Since 1994, RADIUS has relied on an improvised, home-grown use of the MD5 hash function [wikipedia.org]. First created in 1991 and adopted by the IETF [ietf.org] in 1992
[...]
For a cryptographic hash function, it should be computationally impossible for an attacker to find two inputs that map to the same output. Unfortunately, MD5 proved to be based on a weak design: Within a few years, there were signs that the function might be more susceptible than originally thought to attacker-induced collisions, a fatal flaw that allows the attacker to generate two distinct inputs that produce identical outputs. These suspicions were formally verified in a paper [iacr.org] published in 2004 by researchers Xiaoyun Wang and Hongbo Yu and further refined in a research [springer.com] paper published three years later.

The latter paper—published in 2007 by researchers Marc Stevens, Arjen Lenstra, and Benne de Weger—described what’s known as a chosen-prefix collision
[...]
This type of collision attack is much more powerful because it allows the attacker the freedom to create highly customized forgeries.

To illustrate the practicality and devastating consequences of the attack, Stevens, Lenstra, and de Weger used it to create two cryptographic X.509 [wikipedia.org] certificates that generated the same MD5 signature but different public keys and different Distinguished Name fields. Such a collision could induce a certificate authority intending to sign a certificate for one domain to unknowingly sign a certificate for an entirely different, malicious domain.
[...]
More than 12 years after Flame's devastating damage was discovered and two decades after collision susceptibility was confirmed, MD5 has felled yet another widely deployed technology that has resisted common wisdom to move away from the hashing scheme—the RADIUS protocol, which is supported in hardware or software provided by at least 86 distinct vendors. The result is “Blast RADIUS,” a complex attack that allows an attacker with an active adversary-in-the-middle position to gain administrator access to devices that use RADIUS to authenticate themselves to a server.

“Surprisingly, in the two decades since Wang et al. demonstrated an MD5 hash collision in 2004, RADIUS has not been updated to remove MD5,” the research team behind Blast RADIUS wrote in a paper [blastradius.fail] published Tuesday and titled RADIUS/UDP Considered Harmful. “In fact, RADIUS appears to have received notably little security analysis given its ubiquity in modern networks.”
[...]
Over the long run, the researchers said, the only way to fix RADIUS is to transport it over TLS [wikipedia.org] or DTLS [wikipedia.org], a move that provides modern security guarantees including confidentiality to the user data in the requests and ensures the integrity of the Access-Accept and Access-Reject responses. A working group within the IETF is drafting a specification update that aims to do just that. These sorts of major renovations take months or even years to complete. Some implementations of RADIUS, namely the one from Microsoft, have yet to support TLS.
[...]
Alan DeKok, the lead maintainer of FreeRADIUS, the most widely used RADIUS implementation, has additional mitigation guidance here [inkbridgenetworks.com].

The paper authors are:

        Sharon Goldberg [bu.edu] (as of May [cloudflare.com], Cloudflare)
        Miro Haller [mirohaller.com] (University of California, San Diego)
        Nadia Heninger [ucsd.edu] (University of California, San Diego)
        Mike Milano (BastionZero)
        Dan Shumow [microsoft.com] (Microsoft Research)
        Marc Stevens [marc-stevens.nl] (Centrum Wiskunde & Informatica)
        Adam Suhl [ucsd.edu] (University of California, San Diego)

They have assembled an FAQ and technical details on this site [blastradius.fail].

