Alert - RADIUS protocol susceptible to forgery attacks - Update 1

Number: AL24-009
Date: July 9, 2024

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

The Cyber Centre is aware of industry research regarding a recent vulnerability [Footnote 1][Footnote 2] impacting the RADIUS protocol (CVE-2024-3596) – a common authentication, authorization and accounting network protocol used for managing network access. The vulnerability could allow a person-in-the-middle threat actor to authenticate themselves to a victim’s system or deny authentication to legitimate users.

RADIUS is a popular lightweight authentication protocol used for networking devices. It is in widespread use to authenticate both users and devices. The protocol is also widely supported by networking devices, from basic network switches to more complex VPN solutions. RADIUS has also been adopted by many cloud services that provide tiered role-based access control to resources. As a client-server protocol, RADIUS uses a request-response model to verify authentication requests and further provide any role-based access using groups. It can also be proxied to support multi-tenant roaming access services.

This vulnerability is due to the lack of authentication and integrity validation in the RADIUS protocol. An adversary could exploit the weak cryptographic hash MD5 to forge authentication responses from a RADIUS server.

As of 9 July 2024, the Cyber Centre is not aware of this vulnerability having been exploited.

A malicious actor wanting to exploit this vulnerability would require both view and modify access to RADIUS packets in transit (man-in-the-middle). Any unencrypted RADIUS communication, particularly RADIUS over UDP and RADIUS over TCP, would be vulnerable.

This Alert is being published to raise awareness of this vulnerability, to highlight the potential impact to organizations and to provide guidance for organizations who may be targeted by related malicious activity.

Update 1

16 August 2024 - The Cyber Centre has revised this Alert to better align with industry recommendations.

Suggested actions

The Cyber Centre strongly recommends:

  • Verify with vendors that patches are available for any implementation of RADIUS used within an environment and ensure that all applicable systems are patched.
  • Configure RADIUS clients and servers to always send and validate Message-Authenticator attributes for all requests and responses, as is already required when using the Extensible Authentication Protocol (EAP).
  • Use RADIUS within an encrypted and authenticated channel.
    • Use RADIUS/TLS or RADIUS/DTLS.
    • Consider tunnelling RADIUS traffic through IPsec or MACsec if feasible [Footnote 3].
  • Block all RADIUS/UDP and RADIUS/TCP traffic from internet facing interfaces.
    • Do not send unsecured RADIUS traffic over local or Internet networks.
  • Implement firewall rules to deny the unapproved flow of RADIUS packets to unintended network segments.
    • Block UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting at the perimeter firewall.
  • Ensure physical security of all network devices by implementing measures to prevent unauthorized physical access to networking devices and cabling infrastructure.
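The following is an added example, not code from the Cyber Centre or from any RADIUS vendor. It illustrates two points above: why the MD5-based Response Authenticator alone is not an integrity barrier (the weakness in the Details section), and what the "always send and validate Message-Authenticator" action means at packet level. It builds RADIUS packets per RFC 2865 (Response Authenticator) and RFC 2869 (Message-Authenticator, HMAC-MD5 over the packet with the Authenticator field set to the Request Authenticator and the attribute value zeroed), then shows a client-side validator that rejects responses lacking or failing the Message-Authenticator check. The shared secret, user name and identifier are constructed values; the `bad_ma` case simulates only the outcome of a response whose Response Authenticator checks out but whose Message-Authenticator does not, so the example shows which check catches it without reproducing any attack.

```python
"""Constructed example: RADIUS packet integrity checks as a hardened client should apply them
(RFC 2865 Response Authenticator plus RFC 2869 Message-Authenticator)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] into RADIUS TLV form (1-byte type, 1-byte length)."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def walk_attrs(body):
    """Yield (type, offset_in_body, value) for each attribute; reject malformed lengths."""
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[i], body[i + 1]
        if attr_len < 2 or i + attr_len > len(body):
            raise ValueError("malformed attribute length")
        yield attr_type, i, body[i + 2:i + attr_len]
        i += attr_len


def build_packet(secret, code, ident, request_auth, attrs, with_message_authenticator=True):
    """Build a request or response. request_auth is the 16-byte Request Authenticator: requests
    carry it verbatim, responses carry MD5(header | request_auth | attrs | secret) instead."""
    attrs = list(attrs)
    if with_message_authenticator:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder, zeroed for the HMAC
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    if with_message_authenticator:
        # RFC 2869 s5.14: HMAC-MD5 keyed by the shared secret over the packet, with the
        # Authenticator field holding the Request Authenticator and the MA value zeroed.
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
        body = encode_attrs(attrs)
    if code == ACCESS_REQUEST:
        authenticator = request_auth
    else:
        # RFC 2865 s3: the Response Authenticator is an unkeyed MD5 with the secret appended.
        authenticator = hashlib.md5(header + request_auth + body + secret).digest()
    return header + authenticator + body


def validate_response(secret, packet, request_auth, require_message_authenticator=True):
    """Return (accepted, reason). The MD5 Response Authenticator check is the one CVE-2024-3596
    undermines; insisting on a valid Message-Authenticator is the mitigation the Alert describes."""
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code == ACCESS_REQUEST:
        return False, "bad length or unexpected code"
    header, resp_auth, body = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "Response Authenticator mismatch"
    try:
        found = [(off, val) for t, off, val in walk_attrs(body) if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError as exc:
        return False, str(exc)
    if not found:
        if require_message_authenticator:
            return False, "Message-Authenticator missing"
        return True, "accepted on MD5 Response Authenticator only (legacy, forgeable)"
    if len(found) != 1 or len(found[0][1]) != 16:
        return False, "malformed Message-Authenticator"
    off, value = found[0]
    zeroed = bytearray(body)
    zeroed[off + 2:off + 18] = bytes(16)
    mac = hmac.new(secret, header + request_auth + bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(mac, value):
        return False, "Message-Authenticator mismatch"
    return True, "accepted with valid Message-Authenticator"


def demo():
    """Constructed round trip with a constructed shared secret (not a real deployment value)."""
    secret = b"constructed-example-secret"
    request_auth = os.urandom(16)
    ident = 7
    request = build_packet(secret, ACCESS_REQUEST, ident, request_auth, [(ATTR_USER_NAME, b"alice")])
    accept = build_packet(secret, ACCESS_ACCEPT, ident, request_auth, [])
    legacy = build_packet(secret, ACCESS_ACCEPT, ident, request_auth, [], with_message_authenticator=False)
    tampered = bytearray(accept)
    tampered[-1] ^= 0x01  # in-transit modification: both checks now fail, MD5 check reports first
    bad_ma = bytearray(tampered)  # simulated: consistent Response Authenticator, wrong HMAC
    bad_ma[4:HEADER_LEN] = hashlib.md5(bytes(bad_ma[:4]) + request_auth + bytes(bad_ma[HEADER_LEN:]) + secret).digest()
    return {
        "request_len": len(request),
        "strict_ok": validate_response(secret, accept, request_auth),
        "legacy_strict": validate_response(secret, legacy, request_auth),
        "legacy_permissive": validate_response(secret, legacy, request_auth, require_message_authenticator=False),
        "tampered": validate_response(secret, bytes(tampered), request_auth),
        "bad_ma": validate_response(secret, bytes(bad_ma), request_auth),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `legacy_permissive` case is the pre-mitigation behaviour: a response with no Message-Authenticator is accepted on the MD5 Response Authenticator alone, which is exactly the path the Alert advises closing by requiring the attribute on both clients and servers.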

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions [Footnote 4] with an emphasis on the following topics:

  • Consolidate, monitor, and defend Internet gateways.
  • Patch operating systems and applications.
  • Harden operating systems and applications.
  • Segment and separate information [Footnote 5].

The Cyber Centre wishes to highlight that mitigation efforts resulting from the compromise of systems by competent threat actors may require more than simply mitigating individual issues, systems and servers. The Cyber Centre recommends affected customers review the Cyber Centre joint cybersecurity advisory on technical approaches to uncovering and remediating malicious activity [Footnote 6].

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.
