News: BlastRADIUS
Vulnerability discovered in RADIUS protocol
On 9 July 2024, a vulnerability in the RADIUS protocol was published that allows an attacker to manipulate RADIUS server responses and thus gain unauthorized access.
The vulnerability was discovered by researchers from Boston University, UC San Diego and Microsoft Research and is named BlastRADIUS. It exploits weaknesses in the cryptographic hash function MD5 in connection with properties of the RADIUS protocol. To give interested admins insight into the background of the vulnerability and its effects, we have created a video that explains the attack at a technical level.
The vulnerability explicitly does not affect eduroam. The specifications of the other protocols used in eduroam require that the countermeasures that prevent this attack are implemented.
Regardless of the current vulnerability, RADIUS should only be used within trusted environments, and outside of these should only be transmitted in encrypted form, e.g. with RADIUS/TLS (RFC 6614) or RADIUS/DTLS (RFC 7360).
The DFN-Verein has been using RADIUS/TLS for the secure transmission of RADIUS packets to the eduroam federation infrastructure for many years.
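The countermeasure the advisories linked below require is the Message-Authenticator attribute (RFC 2869 section 5.14): a keyed HMAC-MD5 over the whole packet, which is not affected by the MD5 collision that forges the plain Response Authenticator. The following Python example is an addition to this page, not code from DFN, eduroam or the FreeRADIUS project. It builds a RADIUS response the way a server does, then shows the client-side check a RADIUS client should perform: verify the Response Authenticator, and reject any response that lacks a valid Message-Authenticator. The shared secret, Request Authenticator and attribute values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator (RFC 2865 section 3)


def encode_attrs(attrs):
    """Serialise (type, value) pairs into RADIUS attribute TLVs (type, length, value)."""
    return b"".join(struct.pack("!BB", typ, len(val) + 2) + val for typ, val in attrs)


def parse_attrs(data):
    """Parse RADIUS attribute TLVs in order; raise ValueError on a malformed length field."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        typ, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("bad attribute length")
        attrs.append((typ, data[i + 2:i + ln]))
        i += ln
    return attrs


def build_response(code, ident, request_auth, attrs, secret, with_message_authenticator=True):
    """Build an Access-Accept/Reject as a server would.

    Message-Authenticator (RFC 2869) is HMAC-MD5 over the packet with its own value zeroed and
    the Request Authenticator in the header; the Response Authenticator (RFC 2865) is then
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) over the finished attribute list.
    """
    attrs = [a for a in attrs if a[0] != ATTR_MESSAGE_AUTHENTICATOR]
    if with_message_authenticator:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        length = HEADER.size + len(encode_attrs(attrs))
        mac = hmac.new(secret, HEADER.pack(code, ident, length, request_auth) + encode_attrs(attrs),
                       hashlib.md5).digest()
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    # This unkeyed MD5 construction is the one BlastRADIUS targets; on its own it is not enough.
    resp_auth = hashlib.md5(HEADER.pack(code, ident, length, request_auth) + body + secret).digest()
    return HEADER.pack(code, ident, length, resp_auth) + body


def verify_response(pkt, request_auth, secret, require_message_authenticator=True):
    """Client-side verification of a RADIUS response. Returns (ok, reason)."""
    if len(pkt) < HEADER.size:
        return False, "short packet"
    code, ident, length, resp_auth = HEADER.unpack_from(pkt)
    if length != len(pkt):
        return False, "length mismatch"
    body = pkt[HEADER.size:]
    try:
        attrs = parse_attrs(body)
    except ValueError as e:
        return False, str(e)
    # Check 1: Response Authenticator. Necessary, but forgeable by a chosen-prefix MD5 collision.
    expected = hashlib.md5(HEADER.pack(code, ident, length, request_auth) + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "bad Response Authenticator"
    # Check 2: Message-Authenticator. Keyed HMAC, so the collision does not help an attacker here.
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        if require_message_authenticator:
            return False, "missing Message-Authenticator"
        return True, "no Message-Authenticator (legacy)"
    if len(macs) != 1 or len(macs[0]) != 16:
        return False, "malformed Message-Authenticator"
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    calc = hmac.new(secret, HEADER.pack(code, ident, length, request_auth) + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(calc, macs[0]):
        return False, "bad Message-Authenticator"
    return True, "ok"


def demo():
    """Constructed scenario: a proper response, a legacy response without Message-Authenticator,
    and a response whose code was flipped in transit."""
    secret = b"example-shared-secret"      # constructed; never reuse in production
    req_auth = bytes(range(16))            # constructed; a real client uses 16 random bytes
    attrs = [(ATTR_USER_NAME, b"alice@example.org")]
    good = build_response(ACCESS_ACCEPT, 7, req_auth, attrs, secret)
    legacy = build_response(ACCESS_ACCEPT, 7, req_auth, attrs, secret, with_message_authenticator=False)
    tampered = bytes([ACCESS_REJECT]) + good[1:]   # code changed, authenticators left as they were
    return {
        "good": verify_response(good, req_auth, secret),
        "legacy_required": verify_response(legacy, req_auth, secret),
        "legacy_lenient": verify_response(legacy, req_auth, secret, require_message_authenticator=False),
        "tampered": verify_response(tampered, req_auth, secret),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `require_message_authenticator` flag mirrors the policy choice the advisories describe: a client that only checks the Response Authenticator (the `legacy_lenient` case) accepts a response that the hardened check refuses. Enabling the requirement on both client and server is the configuration change to make, independently of moving the transport to RADIUS/TLS.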
Video – The background to the vulnerability and its effects
Further information
For further information, we have also created a collection of links to additional resources, advisories, etc:
- Website with vulnerability details: https://www.blastradius.fail/
- Researchers' scientific paper: https://www.blastradius.fail/pdf/radius.pdf
- Resources from InkBridge Networks (previously NetworkRADIUS, the company behind FreeRADIUS): https://www.inkbridgenetworks.com/blastradius
- Security advisories from FreeRADIUS: https://www.freeradius.org/security/
- eduroam-Advisories: https://eduroam.org/eduroam-advisories/
- Entry in vulnerability database: https://kb.cert.org/vuls/id/456537