BlastRADIUS Vulnerability (CVE-2024-3596) Exposes RADIUS Protocol to Critical Network Security Risk

A newly identified vulnerability (CVE-2024-3596), dubbed “BlastRADIUS,” has been discovered in the RADIUS protocol, posing a critical risk to network security. Researchers from the University of California, San Diego, have published a practical exploit for this flaw, marking the first successful demonstration of an attack against the RADIUS protocol. The FreeRADIUS Server Project has promptly responded with guidance and updates to mitigate this significant threat.

Nature of the Attack

  • The attack exploits a fundamental design flaw in the RADIUS protocol.
  • All standards-compliant RADIUS clients and servers are likely vulnerable.
  • Classified as a Man-in-the-Middle (MITM) attack, it requires the interception and modification of Access-Request packets.

Mitigation Measures

The FreeRADIUS Server Project has provided the following recommendations to secure systems:

Immediate Configuration Changes

  • Enable require_message_authenticator = true in all client definitions.
  • This flag has been available since version 3 but was not enabled by default.
  • Ensures systems using FreeRADIUS are not vulnerable to the BlastRADIUS attack.
These settings can be applied globally or to individual client definitions for comprehensive protection.

Specific Measures for NAS and Proxy Clients

  • For NAS clients (non-proxy devices): Update client definitions to include limit_proxy_state = yes.
  • For proxy clients (other RADIUS servers): Ensure the require_message_authenticator attribute is present in all Access-Request packets and upgrade other RADIUS servers to prevent the attack.

Conclusion

The discovery of CVE-2024-6387 underscores the importance of diligent cybersecurity practices and the necessity of safeguarding and continuously monitoring systems. Organizations must act promptly to patch vulnerable systems and strengthen their security posture to mitigate the risks associated with this severe vulnerability.

Recommendations

While the BlastRADIUS vulnerability (CVE-2024-3596) requires a man-in-the-middle position, implying a network may already be compromised if exploited, immediate action is crucial. FreeRADIUS users are advised to implement the recommended configuration changes and stay updated with the latest security guidance to protect their networks.

Share This: