BlastRADIUS Neutralized: Experts at InkBridge Networks Provide Fix for Critical Network Vulnerability

“The RADIUS protocol is a foundational element of most network access systems worldwide. As of July 9, nearly all of these systems are no longer secure. The discovery of the BlastRADIUS issue means that network technicians must install firmware upgrades on every device involved in network security, identity, and authentication,” explains Alan DeKok, CEO of InkBridge Networks and one of the foremost experts on RADIUS servers. “We believe that Internet service providers, enterprises, and most cloud identity providers are likely to be affected by this issue.”  

DeKok was the RADIUS expert consulted when this issue was discovered. He and the team at InkBridge Networks have published an updated version of  FreeRADIUS to address this issue, which is available at https://freeradius.org and https://packages.inkbridgenetworks.com. FreeRADIUS is the world’s most popular RADIUS server. Users of RADIUS servers from other providers should reach out to their vendor.  

To protect businesses from BlastRADIUS, “every network switch, router, firewall, VPN concentrator, access point, and DSL gateway worldwide needs to be updated to add integrity and authentication checks for these packets,” says DeKok. Network administrators will need to download the update and modify their configuration settings.  

For businesses, universities, cloud service providers and Internet service providers using RADIUS, this issue must be addressed in order to secure network access. The vulnerability is a “man-in-th​e-middle” (MitM) cyber attack which can be leveraged to gain additional access. If this vulnera​bility is exploited, unauthorized users could gain access to the network and falsely authenticate users and grant authorizations.   

DeKok says BlastRADIUS allows an attacker to exploit certain RADIUS packets. “The RADIUS protocol allows certain Access-Request messages to have no integrity or authentication checks. As a result, an attacker can modify these packets without detection. The attacker would be able to force any user to authenticate, and to give any authorization (VLAN, etc.) to that user.”  

As a result of various security analyses, this issue is now deemed critical.  While the vulnerability can difficult to exploit, the possible impact of an exploit is substantial. 

What systems are at risk from BlastRADIUS?  

“Specifically, PAP, CHAP, and MS-CHAPv2 authentication methods are the most vulnerable,” DeKok explains. “ISPs will have to upgrade their RADIUS servers and networking equipment. Anyone using MAC address authentication, or RADIUS for administrator logins to switches is vulnerable. Using TLS or IPSec prevents the attack, and 802.1X (EAP) is not vulnerable.”  

For most enterprises, the attacker would already need to have access to the management VLAN (virtual local area network). Internet service providers (ISPs) can be vulnerable if they send RADIUS traffic over intermediate networks, such as third-party outsourcers, or the wider Internet. Some uses of RADIUS are safe, including eduroam and the Wireless Broadband Alliance’s OpenRoamingTM framework.  

What’s vulnerable to Blast RADIUS  

• PAP  
• CHAP  
• MS-CHAPv2  
• Other non-EAP authentication methods

Systems that are not deemed vulnerable  

• 802.1x  
• IPSec  
• TLS  
• Eduroam  
• OpenRoamingTM  

DeKok and his team also maintain the open-source FreeRADIUS project and participate in the IETF standards development. He wrote the initial paper which defined how vendors should update their equipment to protect from this attack.  He is also writing the RADIUS standards which will include those recommendations. The updated standards will address this new vulnerability along with other RADIUS security issues.  

Take action to protect businesses from BlastRADIUS  

1. For networking equipment, install any firmware update that is available from your network equipment vendor.  Also, follow the vendor documentation to configure the updated firmware, otherwise, you may still be vulnerable. 
2. FreeRADIUS updates for the BlastRADIUS vulnerability are available for download at InkBridge Networks https://packages.inkbridgenetworks.com and FreeRADIUS https://freeradius.org.  
3. DeKok and InkBridge Networks will host a webinar on Tuesday, July 9th 2024 at 9:00 AM (EDT) to discuss the implications and solutions to BlastRADIUS. Sign up here to attend or receive the recording.  
4. A second webinar will be hosted later in the day Tuesday, July 9th 2024 at 14:00 (EDT) Sign up here to attend or receive the recording.  
5. InkBridge Networks offers documentation and an audit service that will assess a system’s exposure to BlastRADIUS and other network infrastructure issues. Review those options here. https://inkbridgenetworks.com/blastradius 
6. For background about the BlastRADIUS vulnerability, visit the BlastRADIUS information page at https://inkbridgenetworks.com/blastradius/faq  

About InkBridge 

InkBridge Networks engineers, supports, and installs foundational network solutions for authentication and network security. The core team at InkBridge Networks founded and continues to maintain the open-source FreeRADIUS Project, the world’s most popular RADIUS server, supporting 100s of millions of users every day.  

Formerly known as Network RADIUS, the company has an international team of network access architects and engineers with decades of experience providing complex, low-risk network solutions, including RADIUS, DHCPv4, DHCPv6, TACACS+, and DNS. Mancala Networks provides solutions engineering, support packages, consulting, and training optimized for mid-size to large enterprises, Internet service providers and universities. Mancala products are used by OEM vendors as the basis for nearly all available RADIUS solutions. 

Follow us:  

LinkedIn Alan DeKok  

LinkedIn InkBridge Networks  

X @InkBridgeNTWRKS 

Facebook InkBridge Networks 

Instagram @alandekok  

Instagram @InkBridgeNetwo​rks