Blast RADIUS FAQs
Get answers to our most frequently asked questions.
It is a thirty-year-old design flaw in the RADIUS protocol. Exploiting the vulnerability allows an attacker to authenticate anyone to your local network:
- Any Multi-Factor Authentication (MFA) can be bypassed
- Unknown users can be given network access
- Unknown users can be granted administrative login to key networking equipment
- Known users can have their traffic redirected to a "honeypot"
This issue has a CVSS score of 9.0, which is extremely high.
Anyone with a network is at risk.
- Networks that send RADIUS/UDP traffic over the Internet are at great risk.
- ISPs should upgrade immediately
- Enterprises using 802.1X (EAP, such as eduroam or OpenRoaming) are safe, but they still need to upgrade.
- Organizations who use RADIUS for administrator logins to devices are vulnerable, and should upgrade immediately.
- Home networks are not directly vulnerable, but the attack may result in your home traffic being directed out of your local ISP, to a system under the attacker's control.
- Captive portals may be convinced to direct user traffic to malicious sites which engage in other attacks on end users.
The vulnerability largely affects corporate networks such as internal enterprise networks, Internet Service Providers (ISPs), and Telecommunications companies (telcos).
If you are not a system administrator, you should do nothing. Your data and passwords are safe.
If you are a system administrator, you should immediately answer the following questions to see what you have to do:
1. Is all RADIUS traffic accounting, and only accounting? The attack doesn't affect you. You still need to upgrade everything, but you can take your time.
2. Are all Access-Request packets sent over RADIUS/TLS (RadSec)? The attack doesn't affect you. You still need to upgrade everything, but you can take your time.
3. Are the RADIUS servers only doing EAP authentication, and no other kinds of authentication? The attack doesn't affect you. You still need to upgrade everything, but you can take your time.
4. Are the RADIUS servers only handling local requests? I.e. none of the RADIUS servers in your network are doing proxying? Upgrade your RADIUS servers, and then you are protected. You still need to upgrade the NAS equipment, but you can take your time.
5. For everyone else, you should upgrade your RADIUS servers immediately. Upgrading will prevent a large class of attacks. Further protection requires configuration changes, which can be complicated and high risk. Most vendor documentation will tell you how to upgrade their equipment, but will not tell you how to upgrade multiple different systems.
Our BlastRADIUS product page has detailed guides and test software which can reduce the risk of upgrading mission-critical systems.
We also have a free webinar which people can join to get more information: July 9, 2024, 2:00pm EDT. https://alandekok.com/webinar/
ISPs offering DSL or FTTH (Fibre to the home), Telecommunications companies (2G, 3G roaming), 5G DNN, Mobile Wi-Fi offload, private APN, enterprise networks with 802.1X (Wi-Fi or wired), VPNs, administrator login to switches, eduroam, WBA OpenRoaming, fire and rescue services, passenger aircraft sending telemetry, "smart grid" devices, and many, many others.
RADIUS might not be as visible as HTTP, but it is a foundational protocol which almost everyone uses to access the Internet.
No.
If you are not using RADIUS, then your system does not have to be attacked in order to be vulnerable. It is already vulnerable.
Your network is, in fact, more vulnerable to attack than if you had used RADIUS to control network access.
RADIUS ensures that only authenticated users can access the local network. If you are not using RADIUS, then your network is already open to any attacker. He does not need to use this exploit to bypass authentication: Your network has no authentication, and is wide open to everyone.
There is a proof of concept exploit by the researchers. The exploit is not publicly available.
There is no indication that this vulnerability is being actively exploited in the wild.
Even if someone managed to recreate the exploit, a successful attack is costly. It can take a significant amount of cloud computing power to succeed in performing the attack. This cost is also per packet being exploited, and cannot be automatically applied to many packets. If an attacker wants to perform 100 attacks, he has to use 100 times the computing power.
That being said, these costs can be acceptable for "script kiddies" who steal credit cards. These costs are also a drop in the bucket for nation-states who wish to target particular users.
No.
However, system administrators should upgrade all affected equipment.
Yes.
Your system administrators will ensure that the work network is safe.
Yes.
In order for the attack to succeed, the attacker has to be able to modify RADIUS packets between the RADIUS client and server. Organizations which send packets over the Internet are most at risk.
For enterprises, if an attacker can modify packets inside of your network, they have already succeeded in a separate cyber attack to gain that access.
As with most security issues, your network is only as secure as the weakest link. It is therefore important to upgrade all equipment, even if you do not currently use RADIUS. Doing so will help prevent future attacks from succeeding.
The root cause of the attack is that in the RADIUS protocol, some Access-Request packets are not authenticated and lack integrity checks. An attacker can modify these packets in a way which allows them to control who gets onto the network.
No.
Only some Access-Request packets are vulnerable. All EAP (802.1X) authentication is safe.
All Accounting-Request packets are safe. All CoA-Request and Disconnect-Request packets are safe.
All RADIUS over TLS (RadSec) is safe.
The exploit was first demonstrated by a group of cryptography researchers in February 2024. They reached out to Alan DeKok in early February in order to confirm the vulnerability, and the scope of the impact. Alan DeKok wrote the updated standards which all vendors have now implemented. The exploit became public on July 9, 2024.
To go a bit deeper, it has always been known that some Access-Request packets lack integrity checks. The first recorded statement we can find of someone mentioning this problem is by InkBridge CEO Alan DeKok, in November 1998. Alan also wrote RFC 5080 in 2007, which suggested that RADIUS clients should add integrity protection to all Access-Request packets, and that servers should drop packets which are missing integrity protection. These changes were added to FreeRADIUS in 2007, and made mandatory in FreeRADIUS Version 3.0.0, in 2013.
If all RADIUS implementations had followed the recommendations of RFC 5080, then this vulnerability would not exist.
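As an added illustration of the root cause and of the RFC 5080 recommendation above (this is example code written here, not code from the page, from FreeRADIUS, or from the researchers), the Python below builds a minimal Access-Request with and without the Message-Authenticator attribute (the HMAC-MD5 integrity check RFC 5080 recommends) and shows the server-side rule: drop packets that lack it or fail it. The shared secret, the User-Name value and the function names are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"testing123"   # constructed sample shared secret, not a real one
ACCESS_REQUEST = 1       # RADIUS Code for Access-Request (RFC 2865)
MSG_AUTH = 80            # Message-Authenticator attribute type (RFC 2869)

def build_access_request(attrs, secret, with_message_authenticator=True, ident=0):
    """Build an Access-Request; an RFC 5080 client always appends Message-Authenticator."""
    request_authenticator = os.urandom(16)          # random per request
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    if with_message_authenticator:
        body += struct.pack("!BB", MSG_AUTH, 18) + bytes(16)   # zero placeholder
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_authenticator + body
    if with_message_authenticator:
        # HMAC-MD5 over the whole packet with the attribute value zeroed, keyed by the secret
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac
    return pkt

def check_access_request(pkt, secret):
    """Server-side integrity check: 'ok', 'missing' (drop, per RFC 5080), 'bad' (drop, modified/forged)."""
    if len(pkt) < 20:
        return "malformed"
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return "malformed"
    pos = 20
    while pos + 2 <= length:                         # walk the TLV attribute list
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            return "malformed"
        if t == MSG_AUTH and l == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "ok" if hmac.compare_digest(expected, pkt[pos + 2:pos + 18]) else "bad"
        pos += l
    return "missing"   # no integrity protection: the packet could have been rewritten in transit
```

Flipping any byte of a protected packet, or using the wrong secret, yields "bad"; a packet built without the attribute yields "missing", which an RFC 5080 server discards rather than trusting.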
We're Here to Help
Webinars
Sign up for our free webinar July 9th, 2024 at 9:00 EDT.
InkBridge CEO Alan DeKok and UCSD Professor Nadia Heninger will be discussing the BlastRADIUS issue, and what you need to do to keep your network safe. There will be time at the end of the webinar for questions. Once the webinar is over, recordings will be available.
Follow-on webinar July 9th, 2024 at 14:00 EDT
This webinar will be with InkBridge CEO Alan DeKok, and will be more targeted to network administrators. There will be time at the end of the webinar for questions. Once the webinar is over, recordings will be available.
Additional resources
See our main BlastRADIUS product page for full upgrade documentation, Excel worksheet, test tools, and support.
There is no need to develop last-minute "home grown" solutions when we can provide fast, efficient, and low-risk assistance. We were the first ones consulted about this issue, and we wrote the definitive guide that all vendors are following to fix the issue. If all of the network equipment vendors world-wide depend on us to help them, you can depend on us, too.