
WARNING: A HIGH SEVERITY VULNERABILITY IS AFFECTING THE RADIUS PROTOCOL

Reference: Advisory #2024-107
Version: 1.1
Affected software: RADIUS protocol (RFC 2865)
Type: Lack of authentication and integrity validation
CVE/CVSS: CVE-2024-3596, CVSSv3 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Risks

RADIUS is a popular lightweight authentication protocol used for networking devices. It is in widespread use to authenticate both users and devices. The protocol is also widely implemented in networking devices ranging from basic network switches to more complex VPN solutions.

RADIUS has also been widely adopted by cloud services that provide tiered role-based access-control to resources.

The forgery attacks that this vulnerability allows have a HIGH impact on Confidentiality, Integrity and Availability.

Update: A PoC has now also been released, so active exploitation becomes more likely.

Description

CVE-2024-3596: Lack of authentication and integrity validation

This vulnerability is due to the lack of authentication and integrity validation in the RADIUS protocol. An attacker can exploit the weak cryptographic MD5 hash and forge authentication responses from a RADIUS server.

To exploit this vulnerability the attacker requires both view and modify access to RADIUS packets in transit (man-in-the-middle).

Any unencrypted RADIUS communication, in particular RADIUS over UDP and RADIUS over TCP, is vulnerable.
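As an added illustration that is not part of the advisory, the following Python shows the RFC 2865 Response Authenticator, the MD5-based check the advisory refers to: the only thing binding a server's Access-Accept or Access-Reject to the shared secret is an MD5 hash over the packet. The shared secret, Request Authenticator and Reply-Message value are constructed example values. The check rejects a naive in-transit change of the response code, but because it rests entirely on MD5, an on-path attacker who can exploit the weakness of that hash can still produce a response that passes it, which is why the advisory recommends encrypted transports rather than relying on this check.

```python
import hashlib
import hmac
import struct

# Constructed example values (not from the advisory).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))   # 16-byte Request Authenticator from the NAS

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_REPLY_MESSAGE = 18           # RFC 2865 section 5.18


def build_response(code, ident, request_auth, attributes, secret):
    """Build an RFC 2865 response. The Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, ident, length)
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_auth, secret):
    """Return True if the Response Authenticator matches the packet contents.
    This is the only integrity check RFC 2865 gives a response: it is keyed
    with the shared secret, but the construction is plain MD5."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attributes = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(attributes):
    """Parse the TLV attribute list into (type, value) pairs."""
    out, i = [], 0
    while i < len(attributes):
        attr_type, attr_len = attributes[i], attributes[i + 1]
        if attr_len < 2 or i + attr_len > len(attributes):
            raise ValueError("malformed RADIUS attribute")
        out.append((attr_type, attributes[i + 2:i + attr_len]))
        i += attr_len
    return out


# A legitimate Access-Reject carrying a Reply-Message attribute.
REPLY = bytes([ATTR_REPLY_MESSAGE, 8]) + b"denied"
LEGIT_REJECT = build_response(ACCESS_REJECT, 7, REQUEST_AUTH, REPLY, SECRET)
# Naive on-path tampering: flip the code to Access-Accept without the secret.
TAMPERED = bytes([ACCESS_ACCEPT]) + LEGIT_REJECT[1:]
```

Running the block and checking `verify_response` on both packets shows the legitimate reject passing and the naively tampered accept failing; the advisory's forgery differs in that it targets MD5 itself rather than guessing the secret.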

Recommended Actions

Mitigation

The Centre for Cybersecurity Belgium strongly recommends the following measures in order to mitigate the underlying risks of this vulnerability impacting the RADIUS protocol:

  • Verify with vendors that patches are available for any implementation of RADIUS used within your environment and ensure that all applicable systems are patched.
  • Do not use RADIUS over UDP or RADIUS over TCP.
    • Use RADIUS/TLS or RADIUS/DTLS to enforce confidentiality.
    • Ensure all network connections are authenticated and encrypted.
      • Use IPsec, TLS or MACsec (for Layer 2 communications).
  • Block all RADIUS traffic coming from internet facing systems.
  • Implement firewall rules to deny the unapproved flow of RADIUS packets to unintended network segments.
    • Block UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting at the perimeter firewall.
    • Enforce stricter timeouts on RADIUS connections (could be useful to detect exploitation attempts).
  • Consider using alternatives like Kerberos, IPsec certificate authentication, or TACACS+, depending on your use case.


Monitor/Detect

The CCB recommends that organizations scale up monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References