Very sophisticated attack against the RADIUS protocol that uses flaws in the protocol as well as a novel variant of the MD5 chosen prefix collision. Cryptography from the 90s never goes away! https://www.blastradius.fail/attack-details
I was under the impression that RADIUS was some ancient protocol nobody used anymore (I remember it being big in the 90s dialup ISP infrastructure.) But of course it never went away and now it’s deployed for all sorts of decentralized auth: think VPNs and WiFi.

So like all 90s crypto it doesn’t use modern cryptographic methods (which, in fairness, barely existed.) Authentication is done with a challenge/response protocol that builds a “MAC” in some ad-hoc way using MD5. An MITM attacker between client and server can forge this.

Anyway: the important story here is not just the cool attack, but the fact that it really, really matters. How do you fix a protocol that’s fundamentally broken but that secures huge (and surprising) amounts of infrastructure, when most experts have forgotten it exists?
And before you say “meh it’s just some WiFi and commercial VPNs,” ask yourself: what protocols do you think are being used to secure oil pipeline controllers?
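The two constructions behind this thread, side by side, as an added Python example that is not code from the thread or from the blastradius.fail write-up: the Response Authenticator of RFC 2865 (a plain MD5 over the packet with the shared secret appended, which is the ad-hoc "MAC" described above) and the Message-Authenticator attribute of RFC 2869 (an HMAC-MD5 keyed with the shared secret), whose mandatory presence on every packet is the short-term mitigation for this attack. The field layouts follow the RFCs; the shared secret, user name, helper names and the "legacy server that omits the HMAC" scenario are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80      # RFC 2869 section 5.14: HMAC-MD5 over the packet
HEADER = struct.Struct("!BBH")       # Code, Identifier, Length; a 16-byte Authenticator follows
SHARED_SECRET = b"constructed-demo-secret"   # constructed sample value, not a real secret


def encode_attr(attr_type, value):
    # Type-Length-Value; Length counts the two header octets.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, ident, authenticator, attrs):
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    # A bare hash with the secret as a suffix, not an HMAC.
    data = HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret
    return hashlib.md5(data).digest()


def add_message_authenticator(code, ident, authenticator, attrs, secret):
    # RFC 2869 5.14: HMAC-MD5 keyed with the secret over the whole packet, with the
    # attribute value set to 16 zero octets. For replies, 'authenticator' must be the
    # Request Authenticator of the Access-Request being answered.
    placeholder = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = build_packet(code, ident, authenticator, attrs + placeholder)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(packet):
    # Yields (offset, type, value); raises ValueError on malformed lengths.
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    _, _, length = HEADER.unpack_from(packet)
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_message_authenticator(packet, secret, request_auth=None):
    # Receiver policy: a packet whose Message-Authenticator is missing or wrong is dropped.
    try:
        found = [(off, val) for off, t, val in parse_attrs(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    offset, mac = found[0]
    zeroed = bytearray(packet)
    zeroed[offset + 2:offset + 18] = bytes(16)
    if request_auth is not None:        # replies are keyed over the Request Authenticator
        zeroed[4:20] = request_auth
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)


def verify_response_authenticator(packet, request_auth, secret):
    code, ident, length = HEADER.unpack_from(packet)
    expected = response_authenticator(code, ident, request_auth, packet[20:length], secret)
    return hmac.compare_digest(packet[4:20], expected)


def client_request(user, ident=1):
    request_auth = os.urandom(16)       # Request Authenticator: a fresh random nonce
    attrs = encode_attr(ATTR_USER_NAME, user)
    attrs = add_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, SHARED_SECRET)
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_reply(code, request, include_mac=True):
    # include_mac=False models a legacy server that only sets the Response Authenticator.
    _, ident, _ = HEADER.unpack_from(request)
    request_auth = request[4:20]
    attrs = b""
    if include_mac:
        attrs = add_message_authenticator(code, ident, request_auth, attrs, SHARED_SECRET)
    resp_auth = response_authenticator(code, ident, request_auth, attrs, SHARED_SECRET)
    return build_packet(code, ident, resp_auth, attrs)


def tamper_code(packet, new_code):
    # Constructed on-path modification: rewrite only the Code field.
    return bytes([new_code]) + packet[1:]


if __name__ == "__main__":
    request, request_auth = client_request(b"alice")
    legacy = server_reply(ACCESS_REJECT, request, include_mac=False)
    print("legacy reply: Response Authenticator ok =",
          verify_response_authenticator(legacy, request_auth, SHARED_SECRET),
          "| Message-Authenticator ok =",
          verify_message_authenticator(legacy, SHARED_SECRET, request_auth))
```

The point of the legacy branch is the policy decision the mitigation turns on: a reply that carries only a valid Response Authenticator is exactly the kind of packet the collision attack targets, so a client that requires Message-Authenticator on Access-Accept, Access-Reject and Access-Challenge drops it even though the old MD5 check passes.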
@matthew_d_green I'm pretty sure that most, if not all ISPs that offer home internet (like DSL) authenticate via RADIUS as well.
@matthew_d_green if you’re using Duo MFA with an auth proxy, guess what protocol you’re using to talk to the AD 😉
@matthew_d_green all networking devices that don't use local, never changing passwords (assuming they're not using the default ones) use RADIUS. In theory the authentication traffic should go through separated, secure networks, but "in theory" is doing a lot of work here.
@_hic_haec_hoc @matthew_d_green It's been a long time, but it used to be that many such devices could be configured to use LDAP/TLS as an auth protocol.
It seemed like a hack to me at the time, but they seem to have aged much better than these custom UDP-based creations.
@marshray @matthew_d_green maybe some newer, high-end devices support LDAP, but your run-of-the-mill switch or router most likely doesn't. And RADIUS has been so widely deployed and for so long that there's a very large cost to changing to a different protocol even assuming all the devices support it
@_hic_haec_hoc @marshray @matthew_d_green Yeah, I work at an ISP (and also have a lot of network gear at home) and everything is RADIUS and TACACS. 😌

@matthew_d_green even many cell networks may still use it (less likely and limited networks for that, but still)

and *many* cloud-based hosted AAA + account solutions use it, as used by residential and other ISPs

(Not offhand sure how many do push for encrypted radius but the ones I do know about largely don’t - worth me doing a survey on this sometime I guess)

@matthew_d_green I help support an environment using Cisco gear for about a dozen small biz VPNs and all of our 2FA (TOTP) is done using RADIUS. The same RADIUS server provides the tacked-on 2FA for our webmail system. I suspect that nearly all cases of TOTP-based 2FA deployed as an add-on to pre-existing simple authentication use RADIUS.
We put all the RADIUS traffic on a dedicated VLAN with non-routable addresses so it would be quite hard to MitM, but I doubt that’s the norm.
@matthew_d_green I can say with certainty as the idiot that said "yes I can kill NTLM" that there is no way you fix the old protocols. You kill the protocols with fire.

@SteveSyfuhs @matthew_d_green RADIUS is a lot like HTTP.

It has secure transports (RADIUS/TLS aka RadSec), it offers user authentication directly which you shouldn't use anymore, and it can also encapsulate other secure authentication protocols (aka EAP).

There is nothing wrong with RADIUS/TLS (or /DTLS) + EAP, and it will continue to be used for decades to come.

@timcappalli @matthew_d_green I don't believe the TLS form is ratified in a spec. There are also a bunch of EAP forms by vendor and it's unclear if all of them are unaffected or just some of them. They all have different message encapsulations on the wire.

@SteveSyfuhs @matthew_d_green there should be no TLS-based EAP methods affected by this (and those are the only ones that should be used).

Also, RADIUS/TLS has been standardized since 2012 (sure it's experimental status still, but it is widely implemented and proven interoperable).

@timcappalli @SteveSyfuhs @matthew_d_green then maybe lift it from the experimental state after 12 years?
@hikhvar @SteveSyfuhs @matthew_d_green it would have little to no real impact at this point. It is widely deployed.
@timcappalli @SteveSyfuhs @matthew_d_green Are you sure about that? Paper seems more dubious: "The TLS in EAP-TLS protects the EAP traffic but not the RADIUS packets that carry the EAP traffic, which are still transmitted over UDP in the clear. In theory, depending on implementation decisions made by the RADIUS client and server, our attack could work against RADIUS even when clients use EAP-TLS for authentication." Sure, if you're using RADSEC then you're fine but most orgs I know are using EAP-TLS or some variant (EAP-TTLS, EAP-TEAP etc) over standard RADIUS and that's a concern.
@SteveSyfuhs @matthew_d_green Ironically the only thing that still breaks out of the box if you disable NTLMv1 on a domain is Microsoft NPS doing RADIUS.
@jsmall @matthew_d_green that's not strictly true. It breaks MSCHAP usage. NPS will still use certificates for RADIUS auth just fine.
@SteveSyfuhs @matthew_d_green Well yep, that's the use case I was meaning.

@matthew_d_green Different but somewhat related issue:

https://xkcd.com/2347/

@matthew_d_green Only a year ago I found a reasonably mature IdP-as-a-service offering RADIUS, who only published a DNS name for their service and didn't employ DNSSEC.

Given that the standard use case for RADIUS is to send "here's a username and password, do you think they're OK?", being able to verify who you are talking to seems pretty important.

And that's before you even think about the protocol itself ...

@matthew_d_green RADIUS still gets used in a lot of situations where the developers don't want to deal with the LDAP stack. Sometimes due to hardware constraints, other times because there's a RADIUS module that's easier to use than the corresponding LDAP one.

@matthew_d_green Yep. Still used. Cisco created TACACS and TACACS+ to replace it, but they are no more secure than RADIUS. Or IPMI, for that matter.

Part of the problem is the protocol, but the other part is the WiFi. Since the owners of WiFi (after 6 failed attempts) still refuse to get public review of their code, we'll *never* have secure WiFi.

@agreeable_landfall @matthew_d_green TACACS+ (ab)uses MD5 as a stream cipher in a naive construction that’s trivially vulnerable to known plaintext attacks (i.e. can recover cipher’s internal state using KPA), oh and the protocol also makes KPAs pretty easy

https://www.openwall.com/articles/TACACS%2B-Protocol-Security

@matthew_d_green I have two rules for computers. Never use a machine you don't have root on, and never run code you don't have source for.

You rarely need either, but when you do, nothing else will solve the problem.

@matthew_d_green RADIUS is still used quite a bit, but largely as a protocol/message format and not for cryptographic security, which is provided by augmenting RADIUS with EAP-(T)TLS, with TLS providing the actual security

@matthew_d_green yeah, in the ecosystem of network access control, radius is basically the one standard that you'll find everywhere.

WPA2-Enterprise (802.1X)? Any kind of client identity check on an ethernet port somewhere?
You can reasonably bet that it's talking radius to its authentication server, you'd probably be right in like 90% of cases.

(kind of how ldap is supported everywhere and not dying anytime soon)

@matthew_d_green worse even, there's quite a bit of radius over the internet.

Consider Eduroam (federated network access for students across many universities across the world)
Whenever you authenticate to a network that's not yours, the local radius server queries your university's radius over the Internet.

(At least client creds are supposed to transit in a proper TLS tunnel if everything is configured properly, but many clients aren't, and probably many servers too)

@matthew_d_green not sure how much it's still used inside ISPs, or cellular networks.

It is my understanding that a lot of cellular networks have moved to Diameter, but well, I really have no idea how much of the actual infra that actually concerns

@matthew_d_green also good to note that afaict, EAP uses are not affected, and it's possible to encapsulate radius in TLS (sometimes called RadSec), in which case, the radius broken cryptography shouldn't matter