
One of the most widely used network protocols is vulnerable to a newly discovered attack that can let adversaries gain unauthorized access to a broad range of environments, including industrial controllers, telecommunications services, ISPs, and all manner of enterprise networks.

Short for Remote Authentication Dial-In User Service, RADIUS dates back to the era of dial-up Internet and network access over public switched telephone networks. It has remained the de facto standard for lightweight authentication ever since, and it is supported in virtually every switch, router, access point, and VPN concentrator shipped in the past two decades. Despite its age, RADIUS is still an essential staple for managing client-server interactions for:

  • VPN access
  • DSL and Fiber to the Home connections offered by ISPs
  • Wi-Fi and 802.1X authentication
  • 2G and 3G cellular roaming
  • 5G Data Network Name authentication
  • Mobile data offloading
  • Authentication over private APNs for connecting mobile devices to enterprise networks
  • Authentication to critical infrastructure management devices
  • Eduroam and OpenRoaming Wi-Fi

RADIUS provides seamless interaction between clients, typically routers, switches, or other appliances that offer network access, and a central RADIUS server, which acts as the gatekeeper for user authentication and access policies. The purpose of RADIUS is to provide centralized authentication, authorization, and accounting management for remote logins.

RADIUS was developed in 1991 by a company called Livingston Enterprises. The Internet Engineering Task Force made it an official standard in 1997 and updated that standard three years later. Although a draft proposal for carrying RADIUS traffic inside a TLS-encrypted session exists and is supported by some vendors, many devices that use the protocol still send packets in cleartext over UDP (User Datagram Protocol).


A more detailed illustration of RADIUS using Password Authentication Protocol over UDP. (Illustration: Goldberg et al.)

Roll-your-own authentication with MD5? Seriously?

Since 1994, RADIUS has relied on an improvised, home-grown use of the MD5 hash function. First created in 1991 and adopted by the IETF in 1992, MD5 was at the time a popular hash function for producing "message digests": it maps an arbitrary input such as a number, a text, or a binary file to a fixed-length 16-byte output.
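To make that "home-grown use of MD5" concrete, here is an added example, written for this page rather than taken from the article or from the Blast RADIUS researchers, of the two MD5 constructions RFC 2865 specifies for PAP over UDP: hiding the User-Password inside the Access-Request, and computing the Response Authenticator that the server puts on its Access-Accept or Access-Reject. The shared secret, user database, identifiers, and the fixed Request Authenticator used in the test are constructed sample values, and the tiny `users` dictionary stands in for whatever backend a real server consults.

```python
"""RFC 2865 RADIUS/UDP with PAP: the two home-grown MD5 constructions.
Added example for this page (not code from the article or the Blast RADIUS
authors). Secrets, names and authenticators below are constructed samples."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def _keystream_xor(data: bytes, secret: bytes, request_auth: bytes, chain_on_output: bool) -> bytes:
    """RFC 2865 section 5.2 password hiding. Chunk i is XORed with
    b_i = MD5(secret || c_{i-1}), where c_0 is the Request Authenticator and
    c_i is the i-th *hidden* chunk. Hiding chains on its own output, unhiding
    chains on its input, so one routine serves both directions."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if chain_on_output else chunk
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded_len = max(16, -(-len(password) // 16) * 16)  # null-pad to a multiple of 16 octets
    return _keystream_xor(password.ljust(padded_len, b"\x00"), secret, request_auth, True)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _keystream_xor(hidden, secret, request_auth, False).rstrip(b"\x00")


def tlv(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_packet(code: int, identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    return HEADER.pack(code, identifier, 20 + len(attributes)) + authenticator + attributes


def build_access_request(identifier, username, password, secret, request_auth=None) -> bytes:
    """Client side: a fresh random 16-byte Request Authenticator (fixable for tests)
    plus User-Name and the hidden User-Password."""
    ra = request_auth or os.urandom(16)
    attrs = tlv(ATTR_USER_NAME, username) + tlv(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return build_packet(ACCESS_REQUEST, identifier, ra, attrs)


def response_authenticator(code, identifier, attributes, request_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
    Every field the network sees comes first; the shared secret is appended last."""
    msg = HEADER.pack(code, identifier, 20 + len(attributes)) + request_auth + attributes + secret
    return hashlib.md5(msg).digest()


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: unhide the PAP password, check it, answer Accept or Reject."""
    if len(request) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user], password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, identifier, b"", request_auth, secret)
    return build_packet(reply_code, identifier, auth, b"")


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator using the matching
    request's authenticator and the secret; reject anything that differs."""
    if len(response) < 20:
        return False
    code, identifier, length = HEADER.unpack(response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    SECRET, USERS = b"constructed-shared-secret", {b"alice": b"hunter2"}
    req = build_access_request(42, b"alice", b"hunter2", SECRET)
    resp = server_handle(req, SECRET, USERS)
    print("reply code", resp[0], "verified", verify_response(resp, req, SECRET))
```

Two things stand out when the construction is written down. The only secret-dependent protection on an Access-Accept is a bare MD5 over fields an on-path observer can see, with the shared secret tacked onto the end; and the client's entire decision about whether it is looking at an Accept or a Reject rests on that 16-byte digest matching. There is no MAC, no nonce from the server side, and no algorithm agility.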

For a cryptographic hash function, it should be computationally infeasible for an attacker to find two inputs that produce the same output. Structural weaknesses in MD5 surfaced relatively quickly, however: within a few years there were signs that the function might be more prone to attacker-induced collisions than initially thought, allowing an adversary to construct two distinct inputs that produce identical outputs. Those suspicions were formally confirmed in a paper published in 2004 by researchers Xiaoyun Wang and Hongbo Yu and refined further in a paper published three years later.

The latter paper, presented in 2007 by researchers Marc Stevens, Arjen Lenstra, and Benne de Weger, described what is known as a chosen-prefix collision, a type of collision in which two messages chosen by the attacker, each combined with an additional message, produce the same hash. The adversary freely picks two distinct input prefixes P and P′ of arbitrary content; when each is combined with a corresponding suffix S or S′ that looks like a random string, the two messages hash to the same value. Symbolically, the chosen-prefix collision is H(P‖S) = H(P′‖S′). This kind of collision lets the attacker create highly customized forgeries, because the meaningful parts of both messages are under the attacker's control while the random-looking suffixes can be tucked into fields a verifier ignores.

To demonstrate the practicality and catastrophic consequences of the attack, Stevens, Lenstra, and de Weger used it to create two X.509 certificates that yielded identical MD5 signatures yet differed in their public keys and Distinguished Name fields. Such a collision could trick a certificate authority that intends to sign a certificate for one domain into unknowingly signing a certificate for an entirely different, malicious domain.

In 2008, a team of researchers that included Stevens, Lenstra, and de Weger showed how a chosen-prefix attack on MD5 let them create a rogue certificate authority capable of generating TLS certificates that would be trusted by all major browsers. A key ingredient of the attack was a tool called hashclash, written by the researchers, which has since been made publicly available.

Even though MD5 was unquestionably deprecated by then, it remained in wide use for years. Its phase-out did not begin in earnest until 2012, when a piece of malware known as Flame, reportedly developed jointly by the governments of Israel and the US, was found to have used a chosen-prefix attack to spoof the MD5-based code signing in Microsoft's Windows Update mechanism. Flame used this collision-enabled forgery to hijack the update mechanism so the malware could spread from device to device inside an infected network.

More than a decade after Flame's devastating impact came to light, and almost two decades after the collision vulnerability was established, MD5 has brought down yet another widely used technology that had defied conventional wisdom by not moving away from the hash function: the RADIUS protocol, which is supported by hardware or software from at least 86 vendors. The result is what is known as "Blast RADIUS," a complex attack that allows an adversary with an active adversary-in-the-middle position to gain administrator access to devices that use RADIUS to authenticate themselves to a server.

"Surprisingly, despite the two decades that have passed since Wang et al. showcased an MD5 hash collision in 2004, the RADIUS protocol has not been updated to eliminate the usage of MD5," the research team behind Blast RADIUS wrote in a paper published Tuesday, titled RADIUS/UDP Considered Harmful. "Interestingly, RADIUS seems to have received insufficient scrutiny in terms of security, considering its prevalence in contemporary networks."

The paper's publication is being coordinated with security advisories from more than 90 vendors whose products are affected. Many of the advisories come with software patches that implement short-term fixes, while a coalition of engineers from across the industry works on longer-term solutions. Anyone using hardware or software that incorporates RADIUS should read the technical details later in this article and check with the manufacturer for security guidance.