Episode 007: 07‐10‐2024 RADIUS in 2024 - GluuFederation/identerati-office-hours GitHub Wiki

Title: BlastRADIUS: It's time to upgrade the world.

Topic

The recent BlastRADIUS vulnerability has taken the world by storm. The impact is that every switch, router, VPN concentrator, access point controller, etc. world-wide has to be updated. In this podcast, we interview Alan DeKok, the founder of FreeRADIUS and InkBridge Networks. Alan is acknowledged as the world expert in the RADIUS protocol, and was the first person the researchers contacted when they found the issue. We discuss the history of the RADIUS protocol, this issue, and what vendors and system administrators have to do in order to address the vulnerability. In short, don't panic! Listen to the podcast, and you will find out what to do.

Summary of Attack

(image: blast-radius)

MD5 Collision

(image: md5-collision)

Homework

Takeaways

  • RADIUS predates ubiquitous TLS, and the protocol never had a real message integrity check: the Response Authenticator is just MD5 over the packet with the shared secret appended, and the Message-Authenticator attribute was optional. That was not seen as a problem at the time because the shared secret still kept passwords from being exposed. But an attacker who can tamper with a predictable Access-Reject on the wire can use an MD5 chosen-prefix collision to rewrite it into an Access-Accept that still carries a valid Response Authenticator, bypassing the need to authenticate at all.

  • BlastRADIUS is a hard attack to execute: the attacker must already be on the network path between a RADIUS client and server, for example by having broken into a router or switch. It still needs to be patched, because that foothold would otherwise escalate into a full authentication bypass.

  • Because it is a protocol-level vulnerability, client software, server software and configuration all need updating: servers must send a Message-Authenticator in every response, and clients must be configured to require it, which can only be enforced once both sides are upgraded. Connection resets may be needed. Enterprises will need to plan this upgrade carefully to avoid outages. It is a great example of how the cost of doing things right the first time is so much lower than fixing them after 100M people a day are using some mission-critical infrastructure.

  • FreeRADIUS has a huge freeloader problem. Too many large enterprises won't even pay a nominal amount to help maintain the software on which their businesses depend. Perhaps it's time for FreeRADIUS to put all enterprise features behind a paywall? Security vulnerabilities like BlastRADIUS can help shine a light on the criticality of such open source infrastructure.
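The two integrity checks behind the first and third takeaways, as an added example (not code from the podcast, from FreeRADIUS or from InkBridge): a server builds an Access-Reject with and without the Message-Authenticator attribute, and a client verifies it the old way (Response Authenticator only) and the patched way (Message-Authenticator required). The shared secret, identifier, attributes and Proxy-State contents are all constructed for the example. The real attack needs a chosen-prefix MD5 collision to make the server's own Response Authenticator valid for the rewritten packet; that search is not run here, and the `restamp` helper stands in for it by recomputing the authenticator with the secret, so only the end state of the attack is modelled.

```python
"""RADIUS response integrity before and after BlastRADIUS (CVE-2024-3596).
Added illustration, not code from the podcast, FreeRADIUS or InkBridge. Two client-side checks:
  Response Authenticator (RFC 2865) = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)
  Message-Authenticator (RFC 2869) = HMAC-MD5(Secret, Code|ID|Length|RequestAuth|Attrs)
"""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_REPLY_MESSAGE, ATTR_PROXY_STATE, ATTR_MESSAGE_AUTHENTICATOR = 18, 33, 80


def encode_attrs(attrs):
    """RADIUS TLV encoding: Type(1) Length(1, including this header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body):
    """Return (type, value, offset_of_value) triples; reject malformed TLVs."""
    out, i = [], 0
    while i < len(body):
        length = body[i + 1] if i + 1 < len(body) else 0
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        out.append((body[i], body[i + 2:i + length], i + 2))
        i += length
    return out


def build_response(code, ident, request_auth, attrs, secret, with_message_authenticator):
    """Server side. When used, Message-Authenticator is placed as the first attribute."""
    if with_message_authenticator:
        attrs = [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))] + attrs
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_message_authenticator:
        # RFC 2869 5.14: HMAC over the packet with the Request Authenticator in the
        # authenticator slot and the attribute's own 16 value bytes zeroed.
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:2] + mac + body[18:]
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(pkt, request_auth, secret, require_message_authenticator):
    """Client (NAS) side. Returns (accepted, reason)."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False, "bad Length"
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "bad Response Authenticator"
    macs = [(v, off) for t, v, off in decode_attrs(body) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        if require_message_authenticator:
            return False, "Message-Authenticator missing"
        return True, "Response Authenticator only"
    value, off = macs[0]
    zeroed = body[:off] + bytes(16) + body[off + 16:]
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, value):
        return False, "bad Message-Authenticator"
    return True, "Message-Authenticator verified"


def restamp(pkt, request_auth, secret):
    """Collision stand-in (assumption): the real attacker has no secret and instead uses a
    chosen-prefix MD5 collision in the echoed Proxy-State to keep the authenticator valid."""
    header, body = pkt[:4], pkt[20:]
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def demo():
    secret = b"s3cret-shared-key"      # constructed for the example
    request_auth = os.urandom(16)       # Request Authenticator the attacker saw on the wire
    ident = 7
    # Honest Access-Reject. The Proxy-State is echoed from the (attacker-modified)
    # request; in the real attack it is where the collision blocks live.
    attrs = [(ATTR_REPLY_MESSAGE, b"denied"), (ATTR_PROXY_STATE, b"\x00" * 16)]
    reject = build_response(ACCESS_REJECT, ident, request_auth, attrs, secret, False)
    flipped = bytes([ACCESS_ACCEPT]) + reject[1:]            # Reject -> Accept, nothing else
    forged = restamp(flipped, request_auth, secret)
    fixed = build_response(ACCESS_REJECT, ident, request_auth, attrs, secret, True)
    fixed_flipped = restamp(bytes([ACCESS_ACCEPT]) + fixed[1:], request_auth, secret)
    return {
        "honest_reject": verify_response(reject, request_auth, secret, False),
        "flip_only": verify_response(flipped, request_auth, secret, False),
        "forged_legacy_client": verify_response(forged, request_auth, secret, False),
        "forged_patched_client": verify_response(forged, request_auth, secret, True),
        "patched_server_and_client": verify_response(fixed, request_auth, secret, True),
        "forged_after_both_patched": verify_response(fixed_flipped, request_auth, secret, True),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:28} {'ACCEPT' if ok else 'REJECT':6} {why}")
```

The interesting rows are `forged_legacy_client`, which a client that only checks the Response Authenticator accepts, and `forged_patched_client`, which the same packet fails once the client insists on a Message-Authenticator; the last row shows that once the server signs, flipping the Code byte breaks the HMAC even if the attacker could fix up the MD5 authenticator. That is why both sides have to move: a client that requires the attribute before its server sends it simply rejects every login.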

Photo of Ascend Max 4000


In 1995, Ascend provided RADIUS source code to ISPs using their hardware for analog dial-up and ISDN. Mike and his friends ran such an ISP in the mid-90s!

Audio

(link to the audio recording)

Why is this episode 7? Episode 7 got cancelled. It was convenient to use that number rather than call this episode 28.5!