
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The RADIUS protocol as specified in RFC 2865 is susceptible to a forgery attack known as Blast-RADIUS (CVE-2024-3596). An attacker with access to the network path between a RADIUS client and server (a man-in-the-middle position on the unencrypted UDP traffic) can turn any valid response (Access-Accept, Access-Reject, or Access-Challenge) into any other response by mounting an MD5 chosen-prefix collision attack against the Response Authenticator. Despite the name, that field is not a signature: it is MD5 computed over the response packet with the shared secret appended ([BLAST], [UCSD Research], [IETF Draft]).
The vulnerability stems from the protocol's reliance on MD5 for integrity checks, a hash function whose collision resistance has been broken since 2004. The attack combines a protocol-level weakness with an MD5 chosen-prefix collision, plus several speed and space improvements that make the collision search fast enough to run against live traffic. The attacker appends a Proxy-State attribute to the Access-Request in transit, which RFC 2865 requires the server to echo back unmodified in its response; the attribute carries collision blocks computed so that the server's genuine Access-Reject and the attacker's forged Access-Accept hash to the same Response Authenticator. Because the shared secret is only appended after the colliding prefix, the attacker never needs to know it. The same technique lets the attacker add arbitrary attributes to the forged response ([BLAST], [UCSD Research]).
Successful exploitation gives an attacker access to network devices and services without knowing any password, bypasses Multi-Factor Authentication (MFA) enforced through the RADIUS server, and can be used for privilege escalation by adding attributes to the forged Access-Accept. It applies to RADIUS/UDP deployments that authenticate with PAP, CHAP, MS-CHAPv2 and similar non-EAP methods; EAP-based exchanges already mandate the Message-Authenticator attribute (RFC 3579) and are not affected. Affected settings include enterprise networks, VPN access, ISPs for DSL and FTTH, 802.1X and Wi-Fi authentication where non-EAP methods such as MAC authentication bypass are in use, cellular roaming, and critical infrastructure authentication ([BLAST], [Palo Alto Advisory]).
Short-term mitigation is to make both clients and servers always send, and always require, the Message-Authenticator attribute (RFC 2869) in every request and response. Message-Authenticator is an HMAC-MD5 over the whole packet keyed with the shared secret; HMAC does not depend on MD5 collision resistance, and the attacker cannot compute it without the secret. Servers should place it as the first attribute of every Access-Accept, Access-Reject and Access-Challenge: the collision search requires the attacker to predict every byte of the response that precedes the echoed Proxy-State, and a keyed MAC in that position makes the prefix unpredictable, which protects even clients that have not yet been updated to verify the attribute. Requiring the attribute on requests additionally lets the server discard requests modified in transit. The long-term fix is to carry RADIUS inside an encrypted and authenticated channel, i.e. RADIUS/TLS (RFC 6614) or RADIUS/DTLS (RFC 7360), which provides modern cryptographic guarantees. Organizations should obtain patches from their vendors, verify on the wire that Message-Authenticator is present in both directions, and follow vendor guidance for RADIUS configuration ([BLAST], [Palo Alto Advisory]).
More than 90 vendors took part in the coordinated disclosure and have issued security bulletins. The IETF has begun work to standardize RADIUS over (D)TLS as the long-term solution. The researchers describe this as one of the largest and most complex vulnerability disclosure processes to date, and as evidence of a significant gap between the people who deploy these protocols and the people who study them ([UCSD Research]).
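The following is an added example written for this entry; it is not code from the Blast-RADIUS researchers or from any vendor. It models the two paragraphs above in a toy RADIUS client and server: the Response Authenticator computed exactly as RFC 2865 describes (MD5 with the secret as a suffix), the Proxy-State attribute that the server echoes and that carries the collision blocks, and the Message-Authenticator (RFC 2869) mitigation on both sides. It does not compute an MD5 collision; instead forge_accept uses the shared secret as an explicit stand-in for the matching Response Authenticator a real collision would yield, so that the interesting question, what each mitigation setting does to the attack, can be answered by running it. The shared secret, user names, identifier and the placeholder Proxy-State contents are constructed for the example, and password checking is omitted.

```python
# Toy RADIUS exchange (RFC 2865 / RFC 2869) with an attacker in the middle.  Constructed example:
# nothing goes on the wire and no MD5 collision is computed (forge_accept explains the stand-in).
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_PROXY_STATE, ATTR_MESSAGE_AUTHENTICATOR = 1, 33, 80
HDR = struct.Struct("!BBH")            # Code, Identifier, Length; the 16-byte Authenticator follows
SECRET = b"constructed-shared-secret"  # assumption: the secret both ends share
ZERO16 = b"\0" * 16

def encode_attrs(attrs):                # each attribute: Type(1) Length(1, incl. header) Value
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs

def build(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HDR.pack(code, ident, 20 + len(body)) + authenticator + body

def parse(pkt):
    code, ident, length = HDR.unpack_from(pkt)
    if length < 20 or length != len(pkt):
        raise ValueError("bad length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, req_auth, attrs, secret):
    # RFC 2865 s3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret), i.e. unkeyed MD5 with a secret suffix.
    return hashlib.md5(build(code, ident, req_auth, attrs) + secret).digest()

def message_authenticator(code, ident, req_auth, attrs, secret):
    # RFC 2869 s5.14: HMAC-MD5 over the packet, Request Authenticator in the header, this attribute zeroed.
    zeroed = [(t, ZERO16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build(code, ident, req_auth, zeroed), hashlib.md5).digest()

def with_message_authenticator(code, ident, req_auth, attrs, secret):
    attrs = [(ATTR_MESSAGE_AUTHENTICATOR, ZERO16)] + list(attrs)   # always the FIRST attribute
    attrs[0] = (ATTR_MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, req_auth, attrs, secret))
    return attrs

def valid_message_authenticator(code, ident, req_auth, attrs, secret):
    found = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    return len(found) == 1 and hmac.compare_digest(found[0], message_authenticator(code, ident, req_auth, attrs, secret))

def server_respond(request, secret, users, send_ma, require_ma):
    # send_ma: lead every response with Message-Authenticator.  require_ma: drop requests lacking a valid one.
    code, ident, req_auth, attrs = parse(request)
    if code != ACCESS_REQUEST or (require_ma and not valid_message_authenticator(code, ident, req_auth, attrs, secret)):
        return None
    name = next((v for t, v in attrs if t == ATTR_USER_NAME), None)
    reply = ACCESS_ACCEPT if name in users else ACCESS_REJECT      # password check omitted for brevity
    reply_attrs = [a for a in attrs if a[0] == ATTR_PROXY_STATE]    # RFC 2865 s5.33: echoed unchanged
    if send_ma:
        reply_attrs = with_message_authenticator(reply, ident, req_auth, reply_attrs, secret)
    return build(reply, ident, response_authenticator(reply, ident, req_auth, reply_attrs, secret), reply_attrs)

def client_verify(response, ident, req_auth, secret, require_ma):
    # Returns the response code, or None if the packet does not check out.
    code, rid, resp_auth, attrs = parse(response)
    ok = rid == ident and hmac.compare_digest(resp_auth, response_authenticator(code, rid, req_auth, attrs, secret))
    if require_ma:
        ok = ok and valid_message_authenticator(code, rid, req_auth, attrs, secret)
    return code if ok else None

def attacker_prefix_predictable(response, ident, req_auth):
    # Collision precondition: can the attacker, who sees the wire, reproduce every byte MD5 absorbs before
    # the echoed Proxy-State?  A keyed MAC in that prefix is the one thing it cannot know (it guesses zeros).
    code, _, _, attrs = parse(response)
    idx = next((i for i, a in enumerate(attrs) if a[0] == ATTR_PROXY_STATE), len(attrs))
    guess = [(t, ZERO16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    n = 20 + len(encode_attrs(attrs[:idx]))
    return build(code, ident, req_auth, guess)[:n] == build(code, ident, req_auth, attrs)[:n]

def forge_accept(genuine_reject, req_auth, secret):
    # Attacker flips Reject into Accept.  Using `secret` here stands in for the collision: the real attacker
    # never holds it; the chosen-prefix collision is what yields a matching Response Authenticator.
    # Nothing yields a matching Message-Authenticator, so that attribute is dropped.
    _, ident, _, attrs = parse(genuine_reject)
    attrs = [a for a in attrs if a[0] != ATTR_MESSAGE_AUTHENTICATOR]
    return build(ACCESS_ACCEPT, ident, response_authenticator(ACCESS_ACCEPT, ident, req_auth, attrs, secret), attrs)

def exchange(client_hardened, server_send_ma, server_require_ma, secret=SECRET):
    # Attacker-in-the-middle login by an unknown user.  None if the server dropped the tampered request,
    # else (attacker can predict the collision prefix, client accepts the forged Accept).
    ident, req_auth = 7, os.urandom(16)
    attrs = [(ATTR_USER_NAME, b"mallory")]
    if client_hardened:
        attrs = with_message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, secret)
    attrs.append((ATTR_PROXY_STATE, b"<collision blocks computed offline>"))  # injected by the attacker
    reject = server_respond(build(ACCESS_REQUEST, ident, req_auth, attrs), secret, {b"alice"}, server_send_ma, server_require_ma)
    if reject is None:
        return None
    return (attacker_prefix_predictable(reject, ident, req_auth),
            client_verify(forge_accept(reject, req_auth, secret), ident, req_auth, secret, client_hardened) == ACCESS_ACCEPT)

if __name__ == "__main__":
    for cfg in [(False, False, False), (False, True, False), (True, True, False), (True, True, True)]:
        print("client_ma=%s server_send_ma=%s server_require_ma=%s -> %s" % (cfg + (exchange(*cfg),)))
```

Running it walks through the four configurations. With nothing hardened the attacker can predict the whole prefix and the legacy client accepts the forged Accept. A server that merely leads its responses with Message-Authenticator (send_ma) already makes the prefix unpredictable, so the collision cannot be computed even though the unpatched client would still accept one; a client that requires the attribute rejects the forgery outright; and a server that requires it on requests drops the tampered Access-Request before any response exists. The FreeRADIUS 3.2.5 switches for the two server-side behaviours are require_message_authenticator and limit_proxy_state in clients.conf; other products name them differently, so check the vendor bulletin for yours.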
Source: This report was generated using AI