Carding Forum
Professional
- Messages
- 2,788
- Reaction score
- 1,198
- Points
- 113
A group of researchers from several American universities and Cloudflare and Microsoft companies has developed a new attack technique on the RADIUS protocol used by telecom operators, cloud services, and VPN providers for user authentication, authorization, and accounting. The attack, which was codenamed Blast-RADIUS, makes it possible to fake the RADIUS server's response during authentication and organize a subscriber connection without knowing the access password.
To exploit the vulnerability (CVE-2024-3596), an attacker must be able to intercept transit traffic and conduct a full-fledged MITM attack that allows reading, intercepting, blocking, and modifying incoming and outgoing transit UDP packets sent by access points to request client authentication (Access-Request) and returned by the RADIUS server with confirmation or error. by rejecting the operation. After intercepting the authentication request, the attacker can send a dummy response, specifying a different type of result in this response (for example, Access-Accept instead of Access-Reject). An attacker can also potentially intercept the Access-Challenge response used for two-factor authentication and replace it with an Access-Accept response to bypass the additional verification step.
The attack is based on the fact that the RADIUS protocol uses UDP as a transport and verifies the integrity of transmitted messages using the MD5 algorithm. To verify messages sent between the access server and the RADIUS server, a secret key is used that is known to the access point and RADIUS server, but unknown to the attacker. In response to an authentication request, the RADIUS server generates an MD5 hash that the access server can use to verify that the message was sent by an authorized server. The MD5 hash includes the random value sent in the request, the request ID, the returned attributes, and the secret key.
An attacker can intercept the ID and random value passed in the request during a MITM attack, and can also predict the opcode, size, and attributes. The task is reduced to forming a correct verification hash, which would correspond to the changed result of the operation and pass verification through hashing using a secret key. The MD5 algorithm is not resistant to collision detection, which allows an attacker, by manipulating an irrelevant additional padding, to select a combination of data with the necessary parameters, the MD5 hash of which will match the MD5 hash of the original response, and send a dummy response with an authentication success code (Access-Accept) instead of a message with information about an error.
Since authentication and integrity checking are not applied when processing packets with an Access request, during an attack, the attacker can substitute an additional "Proxy-State" attribute in the original request from the access server, which will be reflected by the RADIUS server in its response. The content of the "Proxy-State" is selected taking into account the collision, so that the value of the verification MD5 hash in the real and fake responses will be identical. During the experiment, the MD5 collision search took 3-6 minutes to perform an attack, which is more than the typical timeout of 30-60 seconds, but the collision search time can be reduced by using more powerful hardware, using a GPU, and parallelizing operations.
As the main measure to protect against the vulnerability, it is proposed to use the EAP protocol (Extensible Authentication Protocol, RFC 3579), which uses the Message-Authenticator attribute for additional verification of messages. To protect against an attack, you can also use protocol extensions (RadSec) that enable the transmission of RADIUS messages through encrypted channels based on TLS or DTLS. You can also minimize the response timeouts and block responses with the Proxy-State attribute. Sending RADIUS messages over TCP complicates the attack, but it does not exclude it.
The code for conducting the attack has not yet been published in the public domain, but the hashclash project has received changes that improve the selection of collisions in MD5, taking into account the specifics of the attack. In the FreeRADIUS RADIUS server, the issue was fixed in releases 3.0.27 and 3.2.5 by enabling the mandatory use of the Message-Authenticator attribute and adding a setting to restrict processing of packets with the Proxy-State attribute.
To exploit the vulnerability (CVE-2024-3596), an attacker must be able to intercept transit traffic and conduct a full-fledged MITM attack that allows reading, intercepting, blocking, and modifying incoming and outgoing transit UDP packets sent by access points to request client authentication (Access-Request) and returned by the RADIUS server with confirmation or error. by rejecting the operation. After intercepting the authentication request, the attacker can send a dummy response, specifying a different type of result in this response (for example, Access-Accept instead of Access-Reject). An attacker can also potentially intercept the Access-Challenge response used for two-factor authentication and replace it with an Access-Accept response to bypass the additional verification step.
The attack is based on the fact that the RADIUS protocol uses UDP as a transport and verifies the integrity of transmitted messages using the MD5 algorithm. To verify messages sent between the access server and the RADIUS server, a secret key is used that is known to the access point and RADIUS server, but unknown to the attacker. In response to an authentication request, the RADIUS server generates an MD5 hash that the access server can use to verify that the message was sent by an authorized server. The MD5 hash includes the random value sent in the request, the request ID, the returned attributes, and the secret key.
An attacker can intercept the ID and random value passed in the request during a MITM attack, and can also predict the opcode, size, and attributes. The task is reduced to forming a correct verification hash, which would correspond to the changed result of the operation and pass verification through hashing using a secret key. The MD5 algorithm is not resistant to collision detection, which allows an attacker, by manipulating an irrelevant additional padding, to select a combination of data with the necessary parameters, the MD5 hash of which will match the MD5 hash of the original response, and send a dummy response with an authentication success code (Access-Accept) instead of a message with information about an error.
Since authentication and integrity checking are not applied when processing packets with an Access request, during an attack, the attacker can substitute an additional "Proxy-State" attribute in the original request from the access server, which will be reflected by the RADIUS server in its response. The content of the "Proxy-State" is selected taking into account the collision, so that the value of the verification MD5 hash in the real and fake responses will be identical. During the experiment, the MD5 collision search took 3-6 minutes to perform an attack, which is more than the typical timeout of 30-60 seconds, but the collision search time can be reduced by using more powerful hardware, using a GPU, and parallelizing operations.
As the main measure to protect against the vulnerability, it is proposed to use the EAP protocol (Extensible Authentication Protocol, RFC 3579), which uses the Message-Authenticator attribute for additional verification of messages. To protect against an attack, you can also use protocol extensions (RadSec) that enable the transmission of RADIUS messages through encrypted channels based on TLS or DTLS. You can also minimize the response timeouts and block responses with the Proxy-State attribute. Sending RADIUS messages over TCP complicates the attack, but it does not exclude it.
The code for conducting the attack has not yet been published in the public domain, but the hashclash project has received changes that improve the selection of collisions in MD5, taking into account the specifics of the attack. In the FreeRADIUS RADIUS server, the issue was fixed in releases 3.0.27 and 3.2.5 by enabling the mandatory use of the Message-Authenticator attribute and adding a setting to restrict processing of packets with the Proxy-State attribute.
