Alert - RADIUS Protocol Susceptible to Forgery Attacks

Number: AL24-009
Date: July 9, 2024

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

The Cyber Centre is aware of industry research [1][2] regarding a recently disclosed vulnerability (CVE-2024-3596) in the RADIUS protocol, a widely used authentication, authorization and accounting (AAA) network protocol for managing network access. The vulnerability could allow a person-in-the-middle threat actor to authenticate themselves to a victim's system or to deny authentication to legitimate users.

RADIUS is a popular, lightweight authentication protocol for network devices and is in widespread use to authenticate both users and devices. It is supported by equipment ranging from basic network switches to VPN concentrators, and many cloud services use it to grant tiered, role-based access to resources. As a client-server protocol, RADIUS uses a request-response model: a network access server (the RADIUS client) sends an Access-Request and the RADIUS server answers with an Access-Accept, Access-Reject or Access-Challenge, with group or role attributes in the reply used to assign role-based access. Requests can also be forwarded through proxy servers to support multi-tenant roaming access services.

This vulnerability stems from how RADIUS protects the integrity of server responses. Outside of EAP, the only value that binds a reply to the server is the Response Authenticator, an MD5 hash over the packet and the shared secret; the HMAC-based Message-Authenticator attribute is optional in those exchanges. Because MD5 is susceptible to chosen-prefix collisions, a threat actor in a position to modify traffic can forge authentication responses from a RADIUS server, for example turning an Access-Reject into an Access-Accept.

As of 9 July 2024, the Cyber Centre is not aware of this vulnerability having been exploited.

A malicious actor wanting to exploit this vulnerability would need to both read and modify RADIUS packets in transit (a person-in-the-middle position). Any RADIUS communication that is not encrypted and integrity-protected at the transport layer, in particular RADIUS over UDP and RADIUS over TCP, is vulnerable.
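The two integrity mechanisms described above, as an added example (not code from the Cyber Centre or from the cited research): a small RADIUS packet builder and client-side verifier in Python. It computes the RFC 2865 Response Authenticator and the RFC 2869 Message-Authenticator attribute, then shows that a reply lacking Message-Authenticator is accepted by a lenient client but rejected by one that requires it, and that a crude code flip in transit already fails the Response Authenticator check. The shared secret, user name and identifier are constructed for the example; the MD5 collision that lets the real forgery pass the first check is not reproduced.

```python
"""RADIUS authenticator checks (added example; values below are constructed)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80
SECRET = b"example-shared-secret"  # constructed for this example


def encode_attrs(attrs):
    """Serialize [(type, value), ...] as RADIUS type-length-value attributes."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    """Return (code, ident, authenticator, attrs); raise on malformed lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def message_authenticator(code, ident, request_auth, attrs):
    """RFC 2869 s.5.14: HMAC-MD5 keyed with the shared secret over the packet,
    with the Request Authenticator in the header (also for replies) and the
    Message-Authenticator value zeroed."""
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(SECRET, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()


def response_authenticator(code, ident, request_auth, attrs):
    """RFC 2865 s.3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + SECRET).digest()


def build_request(ident, user):
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, user), (ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def build_response(code, ident, request_auth, attrs, with_ma):
    """Server side. with_ma=False mimics an unpatched server that relies on the
    Response Authenticator alone for non-EAP replies."""
    if with_ma:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, request_auth, attrs))
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, attrs), attrs)


def verify_response(pkt, request_auth, require_ma):
    """Client side. Returns (accepted, reason)."""
    code, ident, auth, attrs = parse_packet(pkt)
    # Check 1: Response Authenticator. Plain MD5 with the secret appended; this
    # is the value the attack forges with an MD5 chosen-prefix collision placed
    # in an attacker-chosen attribute. That computation is not reproduced here.
    if not hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, attrs)):
        return False, "response authenticator mismatch"
    # Check 2: Message-Authenticator, an HMAC that MD5 collisions do not break.
    # Unpatched servers omit it on PAP/CHAP replies; patched clients require it.
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        if require_ma:
            return False, "Message-Authenticator missing"
        return True, "accepted without Message-Authenticator"
    if len(mas) != 1 or not hmac.compare_digest(mas[0], message_authenticator(code, ident, request_auth, attrs)):
        return False, "Message-Authenticator mismatch"
    return True, "accepted"


def demo():
    """Run the scenarios; returns each verdict keyed by scenario name."""
    _, request_auth = build_request(7, b"alice")
    legacy_reply = build_response(ACCESS_REJECT, 7, request_auth, [], with_ma=False)
    patched_reply = build_response(ACCESS_REJECT, 7, request_auth, [], with_ma=True)
    # Naive in-transit tamper: flip Access-Reject to Access-Accept. Without the
    # collision trick this already fails check 1 because the code is hashed.
    tampered = bytes([ACCESS_ACCEPT]) + patched_reply[1:]
    return {
        "legacy_lax_client": verify_response(legacy_reply, request_auth, require_ma=False),
        "legacy_strict_client": verify_response(legacy_reply, request_auth, require_ma=True),
        "patched_strict_client": verify_response(patched_reply, request_auth, require_ma=True),
        "tampered_code": verify_response(tampered, request_auth, require_ma=True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "legacy_lax_client" case is the exposed configuration: the client trusts a reply protected only by the Response Authenticator, which is exactly the value the collision attack forges. Requiring Message-Authenticator on both ends is what the vendor patches enable.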

This Alert is being published to raise awareness of this vulnerability, to highlight the potential impact to organizations and to provide guidance for organizations that may be targeted by related malicious activity.

Suggested actions

The Cyber Centre strongly recommends that organizations:

  • Verify with vendors that patches are available for every RADIUS implementation in the environment (servers, proxies and clients such as switches, access points and VPN gateways) and ensure that all applicable systems are patched. Vendor fixes generally work by sending and requiring the Message-Authenticator attribute in all Access-Request and response packets; enforce that requirement on both clients and servers once all peers support it.
  • Do not use RADIUS over UDP or RADIUS over TCP.
    • Use RADIUS/TLS (RadSec) or RADIUS/DTLS instead, which give the exchange confidentiality and integrity that do not depend on MD5.
    • Ensure all network connections are authenticated and encrypted. Consider using IPsec, TLS or MACsec (for Layer 2 communications) [3].
  • Block all RADIUS traffic on Internet-facing interfaces.
    • Do not send unsecured RADIUS traffic over local or Internet networks.
  • Implement firewall rules to deny the unapproved flow of RADIUS packets to unintended network segments.
    • Block UDP ports 1812 (authentication) and 1813 (accounting), as well as the legacy ports 1645 and 1646, at the perimeter firewall. RADIUS/TLS and RADIUS/DTLS use port 2083; permit it only between intended peers.
  • Ensure physical security of all network devices by implementing measures to prevent unauthorized physical access to networking devices and cabling infrastructure.
  • Enforce stricter timeouts on RADIUS connections as an additional mitigation: the forged response must be computed while the client is still waiting for a reply, so a short client timeout narrows the attacker's window.
    • Response latency can also serve as a detection parameter in signatures for exploitation attempts.
  • Consider alternatives to the RADIUS protocol.
    • Depending on the use case, Kerberos, IPsec with certificate authentication, or TACACS+ may be appropriate. Note that TACACS+ also relies on an MD5-based obfuscation scheme and should itself be carried over a protected transport such as IPsec.
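The timeout-based detection suggested above, as an added example (not a signature published by the Cyber Centre): it pairs each reply with the Access-Request it answers, using the client address and RADIUS identifier, and flags replies that arrive after the enforced timeout or that answer no outstanding request. The log format and sample lines are constructed for this example; adapt the regular expression to the fields your RADIUS server or packet capture actually provides.

```python
"""Round-trip timing as a detection signal (added example; log format constructed)."""
import re
from datetime import datetime

LINE = re.compile(r"^(\S+) client=(\S+) id=(\d+) code=(\S+)$")

# Constructed sample: id=7 is a normal exchange, id=8 is answered far too late,
# and id=3 is an Access-Accept that no request on that client/ID solicited.
SAMPLE_LOG = """\
2024-07-09T12:00:00.000Z client=10.0.0.5 id=7 code=Access-Request
2024-07-09T12:00:00.050Z client=10.0.0.5 id=7 code=Access-Accept
2024-07-09T12:00:01.000Z client=10.0.0.5 id=8 code=Access-Request
2024-07-09T12:00:45.300Z client=10.0.0.5 id=8 code=Access-Accept
2024-07-09T12:00:50.000Z client=10.0.0.9 id=3 code=Access-Accept
"""


def parse_line(line):
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts, m.group(2), int(m.group(3)), m.group(4)


def find_suspicious(lines, max_rtt_s=2.0):
    """Flag replies slower than max_rtt_s and replies with no matching request.

    The forgery has to be computed while the client is still waiting, so the
    round-trip time is a usable signal once clients enforce a short timeout.
    RADIUS identifiers are 8-bit and wrap, and clients retransmit, so the
    (client, identifier) pairing is approximate on busy servers.
    """
    pending, findings = {}, []
    for line in lines:
        ts, client, ident, code = parse_line(line)
        key = (client, ident)
        if code == "Access-Request":
            pending[key] = ts
            continue
        sent = pending.pop(key, None)
        if sent is None:
            findings.append((client, ident, f"{code} with no outstanding request"))
            continue
        rtt = (ts - sent).total_seconds()
        if rtt > max_rtt_s:
            findings.append((client, ident, f"{code} after {rtt:.1f}s (limit {max_rtt_s}s)"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG.splitlines()):
        print(finding)
```

Tune `max_rtt_s` to slightly above the round-trip time observed for legitimate replies on the path being monitored, and set the client-side timeout to the same value so that late replies are both flagged and discarded.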

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre's Top 10 IT Security Actions [4], with an emphasis on the following topics:

  • Consolidate, monitor, and defend Internet gateways.
  • Patch operating systems and applications.
  • Harden operating systems and applications.
  • Segment and separate information [5].

The Cyber Centre wishes to highlight that remediating a compromise by a capable threat actor may require more than fixing individual issues, systems and servers. The Cyber Centre recommends affected customers review the Cyber Centre joint cybersecurity advisory on technical approaches to uncovering and remediating malicious activity [6].

If activity matching the content of this Alert is discovered, recipients are encouraged to report it via the My Cyber Portal or by email to contact@cyber.gc.ca.

Additional resources
