
New Blast RADIUS Attack Breaks 30-Year-Old Protocol Used in Networks Everywhere


One of the most widely used network protocols is vulnerable to a newly discovered attack that could allow attackers to gain control over a range of environments, including industrial controls, telecommunications services, ISPs, and corporate networks of all types.

RADIUS is short for Remote Authentication Dial-In User Service and dates back to the days of Internet and network access over public telephone networks. Since then, it has become the de facto standard for simple authentication and is supported by virtually every switch, router, access point and VPN concentrator released over the past two decades. Despite its early origins, RADIUS remains an indispensable part of managing client-server interactions for:

  • VPN access
  • DSL and fiber-to-the-home connections from ISPs
  • Wi-Fi and 802.1X authentication
  • 2G and 3G mobile roaming
  • 5G data network name authentication
  • Mobile data offloading
  • Authentication via private APNs to connect mobile devices to corporate networks
  • Authentication to devices for managing critical infrastructure
  • Eduroam and OpenRoaming WLAN

RADIUS enables seamless interaction between clients (typically routers, switches, or other devices that provide network access) and a central RADIUS server that acts as a gatekeeper for user authentication and access policies. The purpose of RADIUS is to provide centralized authentication, authorization, and accounting management for remote logins.

The protocol was developed in 1991 by a company called Livingston Enterprises. In 1997, it was declared an official standard by the Internet Engineering Task Force, and the standard was updated three years later. Although there is a draft proposal for sending RADIUS traffic within a TLS-encrypted session that is supported by some vendors, many devices that use the protocol only send packets in plain text over UDP (User Datagram Protocol).


Figure: A more detailed explanation of RADIUS using the Password Authentication Protocol over UDP. (Credit: Goldberg et al.)

Roll-your-own authentication with MD5? Seriously?

Since 1994, RADIUS has relied on an improvised, home-grown use of the MD5 hash function. MD5 was first developed in 1991 and adopted by the IETF in 1992. At the time, it was a popular hash function for creating so-called “message digests,” which convert arbitrary input such as numbers, text, or binary files into an output of a fixed length of 16 bytes.

For a cryptographic hash function, it should be computationally infeasible for an attacker to find two inputs that map to the same output. Unfortunately, MD5 turned out to be a weak design: within a few years, there were signs that the function might be more vulnerable than originally thought to attacker-induced collisions, a serious flaw that allows the attacker to create two different inputs that produce identical outputs. These suspicions were formally confirmed in a 2004 paper by researchers Xiaoyun Wang and Hongbo Yu, and further refined in a research paper published three years later.

The latter paper, published in 2007 by researchers Marc Stevens, Arjen Lenstra and Benne de Weger, described a so-called chosen-prefix collision, a type of collision that results from two messages chosen by an attacker that, when combined with two more messages, produce the same hash. That is, the attacker freely chooses two different input prefixes 𝑃 and 𝑃′ with arbitrary content that, when combined with carefully constructed corresponding suffixes 𝑆 and 𝑆′ that resemble random gibberish, produce the same hash. In mathematical notation, such a chosen-prefix collision would be written as 𝐻(𝑃‖𝑆)=𝐻(𝑃′‖𝑆′). This type of collision attack is much more powerful because it gives the attacker the freedom to create highly customized forgeries.

To illustrate the practical implementation and devastating consequences of the attack, Stevens, Lenstra, and de Weger used it to create two X.509 cryptographic certificates that generated the same MD5 signature but different public keys and different Distinguished Name fields. Such a collision could result in a CA that wants to sign a certificate for one domain unknowingly signing a certificate for a completely different, malicious domain.

In 2008, a team of researchers including Stevens, Lenstra, and de Weger demonstrated how they could use a chosen-prefix attack on MD5 to create a rogue certificate authority that could generate TLS certificates that all major browsers would trust. A key element of the attack is a piece of software developed by the researchers called Hashclash. Hashclash is now publicly available.

Despite the undisputed demise of MD5, the function remained widely used for years. The deprecation of MD5 only began in 2012, when the Flame malware, reportedly developed jointly by the Israeli and US governments, was discovered to use a chosen-prefix attack to spoof the MD5-based code signing of Microsoft’s Windows Update mechanism. Flame used the collision-enabled spoofing to hijack the update mechanism, allowing the malware to spread from device to device within an infected network.

More than 12 years after the discovery of Flame’s devastating damage, and two decades after the collision vulnerability was confirmed, MD5 has brought down another widely used technology that resisted the common wisdom to move away from the hashing scheme: the RADIUS protocol, which is supported by hardware or software from at least 86 different vendors. The result is “Blast RADIUS,” a complex attack that allows an attacker with an active adversary-in-the-middle position to gain administrative access to devices that use RADIUS to authenticate to a server.

“Surprisingly, in the two decades since Wang et al. demonstrated an MD5 hash collision in 2004, RADIUS has not been updated to remove MD5,” the research team behind Blast RADIUS wrote in a paper published Tuesday titled “RADIUS/UDP Considered Harmful.” “In fact, given its ubiquity in modern networks, RADIUS appears to have received remarkably little security analysis.”

The release of the document is coordinated with security bulletins from at least 90 vendors whose products are vulnerable. Many of the bulletins are accompanied by patches that implement short-term fixes, while a working group of engineers from across the industry works on longer-term fixes. Anyone using hardware or software that includes RADIUS should read the technical details later in this post and check with the manufacturer for security advisories.
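
As a defender's view of the home-grown MD5 use described above and of what to check on a deployment, the following added example (not code from the article, the researchers, or any vendor) shows a client-side check of a RADIUS/UDP response: the RFC 2865 Response Authenticator, which is a bare MD5 over the packet with the shared secret appended, and the HMAC-MD5 Message-Authenticator attribute from RFC 2869/RFC 3579, which the client here is set to require. The function names, the `require_msg_auth` switch, and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 / RFC 3579)

def find_msg_auth(attrs):
    """Return the value offset of Message-Authenticator, or None if absent."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        if attrs[i] == MSG_AUTH and attrs[i + 1] == 18:
            return i + 2
        i += attrs[i + 1]
    return None

def build_response(code, ident, req_auth, attrs, secret, with_msg_auth):
    """Server side: build a reply to the request whose authenticator is req_auth."""
    if with_msg_auth:  # attribute goes first, value zeroed while the HMAC is computed
        attrs = bytes([MSG_AUTH, 18]) + bytes(16) + attrs
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if with_msg_auth:
        mac = hmac.new(secret, hdr + req_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac + attrs[18:]
    # RFC 2865 Response Authenticator: plain MD5 with the secret appended, not an HMAC
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def verify_response(packet, req_auth, secret, require_msg_auth=True):
    """Client side: return 'ok' or the reason to drop; ValueError if malformed."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("malformed packet")
    hdr, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(hdr + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "bad-response-authenticator"
    off = find_msg_auth(attrs)
    if off is None:
        return "missing-message-authenticator" if require_msg_auth else "ok"
    zeroed = attrs[:off] + bytes(16) + attrs[off + 16:]
    mac = hmac.new(secret, hdr + req_auth + zeroed, hashlib.md5).digest()
    ok = hmac.compare_digest(mac, attrs[off:off + 16])
    return "ok" if ok else "bad-message-authenticator"

# Constructed sample values, not taken from any real deployment.
SECRET, REQ_AUTH = b"constructed-shared-secret", bytes(range(16))
REPLY = bytes([18, 7]) + b"hello"  # Reply-Message attribute (type 18)
LEGACY = build_response(2, 1, REQ_AUTH, REPLY, SECRET, with_msg_auth=False)
SIGNED = build_response(2, 1, REQ_AUTH, REPLY, SECRET, with_msg_auth=True)
```

`LEGACY` passes the MD5-only check yet is dropped when `require_msg_auth` is left on, while `SIGNED` is accepted; the HMAC construction is not affected by MD5 collisions the way the bare-hash Response Authenticator is.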