A newly discovered flaw in the RADIUS networking protocol has the industry recognizing that a standard set in 1997 is now in need of an upgrade — even while researchers warn that well-funded state-sponsored attackers can exploit the flaw to bypass multi-factor authentication (MFA) and gain network access.
…
The issue behind the flaw, which is being tracked as CVE-2024-3596 and VU#456537, is that Access-Request packets carry no authentication or integrity checks. The researchers said an attacker can perform a chosen-prefix attack: by modifying the Access-Request, the attacker can cause a valid response to be replaced with one of the attacker's choosing. Even though the response is authenticated and integrity-checked, the chosen-prefix weakness lets the attacker alter the response packet almost at will.
“While some networking equipment vendors have released updates or patches to address the vulnerability, many haven’t,” said Ashley Leonard, chief executive officer at Syxsense. “Unfortunately, what we’re seeing with RADIUS is that it simply wasn’t designed with security in mind, given that it’s decades old now. This may be a sign that new, securer protocols need to be developed, but that takes time and resources, along with buy-in from hundreds of vendors. It won’t happen quickly, if it happens at all.”
For organizations using networking equipment that relies on the RADIUS protocol, Leonard said there are mitigations security teams can apply beyond patching, for example:
- Enable Message-Authenticator: Many RADIUS implementations support this attribute (RFC 2869), which adds a cryptographic signature to RADIUS packets, thus making it much more difficult for an attacker to tamper with the authentication and authorization process.
- Deploy protocol updates: Switch to using transport-layer security (TLS) for traffic and extensible authentication protocol (EAP) for authentication.
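To make the first mitigation concrete, the following added example (written for this page, not code from the article, any vendor or the researchers) builds an Access-Request carrying the RFC 2869 Message-Authenticator attribute and verifies it the way a RADIUS server would: an HMAC-MD5 keyed with the shared secret over the whole packet with the attribute's value zeroed. The shared secret, identifier and User-Name are constructed sample values. A packet with no Message-Authenticator has nothing a server can check, which is the gap the article describes.

```python
import hmac
import hashlib
import os
import struct

ACCESS_REQUEST = 1                 # RADIUS Code for Access-Request
ATTR_USER_NAME = 1                 # User-Name attribute type
ATTR_MESSAGE_AUTHENTICATOR = 80    # Message-Authenticator attribute type (RFC 2869)


def encode_attr(atype, value):
    """Encode one RADIUS attribute as Type, Length (incl. header), Value."""
    return bytes([atype, 2 + len(value)]) + value


def build_access_request(identifier, attrs, secret, request_auth=None):
    """Build an Access-Request whose last attribute is a valid Message-Authenticator."""
    if request_auth is None:
        request_auth = os.urandom(16)   # Request Authenticator is random, not a MAC
    # Append a zero-filled Message-Authenticator, then HMAC-MD5 the whole packet.
    body = b"".join(attrs) + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def verify_message_authenticator(pkt, secret):
    """Return True only if pkt carries a Message-Authenticator valid under secret."""
    if len(pkt) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    offset = 20
    while offset + 2 <= length:
        atype, alen = pkt[offset], pkt[offset + 1]
        if alen < 2 or offset + alen > length:
            return False                       # malformed attribute
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = pkt[offset + 2:offset + 18]
            zeroed = pkt[:offset + 2] + bytes(16) + pkt[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        offset += alen
    return False   # no Message-Authenticator: the request is unauthenticated, reject it


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed sample value
    pkt = build_access_request(7, [encode_attr(ATTR_USER_NAME, b"alice")], secret)
    print("valid request accepted:", verify_message_authenticator(pkt, secret))
    tampered = bytearray(pkt)
    tampered[22] ^= 0x01                # flip one bit of the User-Name value
    print("tampered request accepted:", verify_message_authenticator(bytes(tampered), secret))
```

Servers that require this attribute on every Access-Request (and reject those without it) close the integrity gap; the check alone does nothing if the attribute is merely optional.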