CVE-2024-3596
On July 9, 2024 researchers announced a protocol-level vulnerability in the RADIUS protocol that allows a man-in-the-middle attacker to spoof valid RADIUS messages. The vulnerability is referred to as BlastRADIUS and has been assigned CVE-2024-3596.
What is this vulnerability?
CVE-2024-3596 identifies a weakness in the RADIUS protocol (RFC 2865) that allows responses from RADIUS servers to be modified. The attack relies on the MD5 hash function used to authenticate server responses: by modifying a RADIUS server response (Access-Accept, Access-Reject, or Access-Challenge) an attacker can forge attributes without being detected. The attacker does not learn user credentials.
It primarily impacts RADIUS servers using non-EAP authentication methods over UDP. RADIUS/TLS (RadSec) is not susceptible, as TLS protects against the attack. A RADIUS client is vulnerable if it does not require a Message-Authenticator attribute in every server response. The attack must be carried out online: the attacker has to compute a chosen-prefix MD5 collision within minutes or seconds, because RADIUS requests time out after 30-60 seconds. This, however, is not the case with the Message-Authenticator attribute mandated by RFC 2869, which is an HMAC-MD5 over the entire packet and cannot be forged this way.
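To make the difference between the two checks concrete, the following Python example (added here; it is not code from Juniper or from the BlastRADIUS researchers) builds a RADIUS Access-Accept the way a server does and then runs the two client-side checks: the RFC 2865 Response Authenticator (a plain MD5 over the packet and the shared secret, which is what the collision attack defeats) and the RFC 2869 Message-Authenticator (an HMAC-MD5 keyed with the shared secret, computed with the Request Authenticator and a zeroed Message-Authenticator value). The shared secret, identifier and User-Name are constructed sample values. The example does not reproduce the MD5 collision; it shows why a client that requires Message-Authenticator in every response is not affected, and why a client that only checks the Response Authenticator is.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80          # RFC 2869 section 5.14
HEADER = struct.Struct("!BBH16s")        # Code, Identifier, Length, Authenticator


def encode_attrs(attrs):
    """Serialize (type, value) pairs into RADIUS TLV attributes."""
    return b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)


def parse_attrs(data):
    """Parse RADIUS TLV attributes into (type, value, offset_of_value) tuples."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[pos + 2:pos + alen], pos + 2))
        pos += alen
    return attrs


def build_response(code, ident, request_auth, attrs, secret, with_msg_auth):
    """Build an Access-Accept/Reject as a RADIUS server would (RFC 2865 / RFC 2869)."""
    attrs = list(attrs)
    if with_msg_auth:
        # Placeholder appended last; its value is the final 16 bytes of the body.
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    prefix = HEADER.pack(code, ident, length, request_auth)   # note: *Request* Authenticator
    if with_msg_auth:
        # HMAC-MD5 keyed with the secret over the whole packet with the value zeroed.
        mac = hmac.new(secret, prefix + body, hashlib.md5).digest()
        body = body[:-16] + mac
    # Response Authenticator: unkeyed MD5 of the packet plus the secret (RFC 2865 section 3).
    resp_auth = hashlib.md5(prefix + body + secret).digest()
    return HEADER.pack(code, ident, length, resp_auth) + body


def verify_response(packet, request_auth, secret, require_msg_auth):
    """Client-side checks on a server response; returns (accepted, reason)."""
    if len(packet) < HEADER.size:
        return False, "short packet"
    code, ident, length, resp_auth = HEADER.unpack_from(packet)
    if length != len(packet):
        return False, "bad length"
    body = packet[HEADER.size:]
    try:
        attrs = parse_attrs(body)
    except ValueError as exc:
        return False, str(exc)
    prefix = HEADER.pack(code, ident, length, request_auth)
    # Check 1: Response Authenticator. This is the MD5-only check BlastRADIUS bypasses.
    expected = hashlib.md5(prefix + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "bad Response Authenticator"
    # Check 2: Message-Authenticator. A hardened client insists on it in every response.
    found = [(value, off) for atype, value, off in attrs if atype == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        if require_msg_auth:
            return False, "missing Message-Authenticator"
        return True, "ok (no Message-Authenticator)"
    mac, offset = found[0]
    if len(mac) != 16:
        return False, "malformed Message-Authenticator"
    zeroed = body[:offset] + bytes(16) + body[offset + 16:]
    expected_mac = hmac.new(secret, prefix + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected_mac, mac):
        return False, "bad Message-Authenticator"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample value
    req_auth = bytes(range(16))                # constructed Request Authenticator
    attrs = [(ATTR_USER_NAME, b"alice")]
    strict = build_response(ACCESS_ACCEPT, 7, req_auth, attrs, secret, with_msg_auth=True)
    legacy = build_response(ACCESS_ACCEPT, 7, req_auth, attrs, secret, with_msg_auth=False)
    print("strict response, strict client :", verify_response(strict, req_auth, secret, True))
    print("legacy response, lenient client:", verify_response(legacy, req_auth, secret, False))
    print("legacy response, strict client :", verify_response(legacy, req_auth, secret, True))
    tampered = bytes([ACCESS_REJECT]) + strict[1:]   # naive edit of the Code byte
    print("tampered response              :", verify_response(tampered, req_auth, secret, True))
```

The last case shows a naive modification being caught by the Response Authenticator alone; the published attack exists precisely because a chosen-prefix MD5 collision lets a modified response pass that check. The second check does not have that weakness, which is why the mitigation on both the server and the client side is to always send, and always require, Message-Authenticator.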
Impact of this vulnerability
Vulnerability impact varies based on the mix of infrastructure devices (RADIUS clients), RADIUS servers and protocols implemented, as follows:
Affected implementations are:
- Non-EAP based authentications such as PAP / CHAP / MS-CHAP
- and communicating over UDP in the clear
- and without Message-Authenticator in requests and responses
Unaffected implementations include:
- EAP based 802.1X authentications
- or protected over TLS such as RadSec
- or requiring the Message-Authenticator attribute in every server response
Impact to Juniper Mist Products
Access Assurance:
- Unaffected
- Mist APs / Juniper EX switches with Access Assurance are not affected, as RadSec is used end-to-end, encrypting all RADIUS traffic with TLS.
- Mist Edge Proxy IDP for eduroam is not affected, since eduroam only supports 802.1X/EAP which is not affected.
- 3rd party NAS clients via Mist Edge using 802.1X are not affected, as 802.1X/EAP is not affected by this vulnerability.
- Potentially Affected
- 3rd party NAS clients via Mist Edge using MAB / Device-Auth (PAP) are potentially affected in case the 3rd party NAS client does not send the Message-Authenticator attribute by default.
Mist Access points:
- Unaffected
- Mist APs include the Message-Authenticator attribute in the Access-Request for all RADIUS authentications and are not vulnerable regardless of EAP type used.
EX Switches:
- Unaffected
- Junos switches include the Message-Authenticator attribute in the Access-Request for all RADIUS authentications and are not vulnerable.
- Potentially Affected
- For device authentication (management user login into the CLI via RADIUS), Junos does not include the Message-Authenticator attribute and needs to be updated.
Mist Edge:
- Potentially Affected – Fixes in progress
- The Mist Edge acts as a RADIUS proxy and needs to be updated for the case where a 3rd party device does not include the Message-Authenticator attribute for MAB authentications.
3rd party RADIUS server / NAS equipment:
- Potentially Affected
- RADIUS servers need to be patched immediately against this vulnerability and configured to require the Message-Authenticator attribute; please check with your RADIUS server vendor. Then upgrade NAS equipment/clients where possible.
Recommendations
Most Juniper Mist APs and switches send the Message-Authenticator attribute defined in RFC 2869 in the Access-Request, which prevents the spoofing of CHAP, ARAP or EAP Access-Request packets. It is nevertheless recommended to follow best practices: use RadSec and enable RADIUS traffic accounting. While this vulnerability also affects RADIUS clients, it is critical to update RADIUS servers to the latest versions that mitigate the vulnerability as soon as they are available.
Additional Resources
- https://www.blastradius.fail/
- https://www.blastradius.fail/attack-details
- Vendor Guide