Network Operators and UK ISPs Warned of BlastRADIUS Vulnerability

Tuesday, Jul 9th, 2024 (3:35 pm)

A new critical security vulnerability has been discovered in the popular RADIUS network authentication protocol, which is used by networks across the world to help users connect with their services (i.e. everything from broadband ISPs to VPNs, mobile operators and more) and thus could leave them exposed to Man-in-the-Middle (MitM) style attacks.

The vulnerability, which has been dubbed BlastRADIUS by InkBridge Networks (FreeRADIUS), appears difficult to exploit. But its impact could still be significant if network operators and network administrators who use RADIUS don’t patch their software and devices to protect against the new threat.

NOTE: RADIUS might not be as visible as protocols like HTTP (web) to end-users, but it is a foundational protocol that almost everyone uses at some level to access the internet.

The vulnerability is said to stem from a thirty-year-old design flaw in the RADIUS protocol (i.e. some Access-Request packets are not authenticated and lack integrity checks) and exploiting this “allows an attacker to authenticate anyone to your local network”, which is obviously not good. Suffice to say that it’s been given a Common Vulnerability Scoring System (CVSS) score of 9 out of 10, which is extremely high.

However, in order for such an attack to succeed, the attacker has to be able to modify RADIUS packets between the RADIUS client and server. But, even if they did that, such attacks would still be costly and likely to “take a significant amount of cloud computing power to succeed” (the catch being that those with more resources may still consider it viable, such as if the target is to steal credit card data for financial gain).

Statement by FreeRADIUS

The attack is hard, because it is a “man in the middle” attack, which means that the attacker has to be able to both see, and modify Access-Request packets. If the attacker can do that, then your network is already compromised.

Even better, the attack requires substantial CPU resources to do, i.e. $1000 of CPU power per packet being attacked, and the attack isn’t even guaranteed. There is also no public exploit available for “script kiddies” to run. It is extremely unlikely that anyone other than nation-states have the capability to perform the attack at this time.

However, if you are running PAP / CHAP / MS-CHAP and RADIUS/UDP over the Internet, then your users have likely been compromised for decades. There is little more we can say about that.

In order to fully protect your systems from the attack, you must update all RADIUS servers, and all RADIUS clients. The attack relies on a design flaw in the protocol. Fixing it requires updating all RADIUS implementations to the new behavior. In many cases, you do not need to panic and upgrade everything immediately. See below for more details.

Even considering the limited nature of the attack, everyone should plan on installing all firmware updates for each NAS device (including switches, routers, firewalls, VPN concentrators, etc.) which uses RADIUS. The important thing in the short term is to upgrade the RADIUS servers, determine if your network is still vulnerable, and then take action to address those vulnerabilities.

At present there is only a proof-of-concept exploit for this, which has been developed by the researchers, and the exploit itself is not yet publicly available. Credit to Thinkbroadband for spotting this.

NOTE: Systems that are NOT deemed vulnerable to this include 802.1X, IPsec, TLS, Eduroam and OpenRoaming. But those deemed vulnerable include PAP, CHAP, MS-CHAPv2 and other non-EAP authentication methods.
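The design flaw described above (an Access-Request that carries no integrity check) and the “new behavior” the FreeRADIUS statement refers to can be made concrete: the attribute the vendors’ fix relies on is Message-Authenticator (RFC 2869), an HMAC-MD5 over the packet keyed with the shared secret, which this page does not name. The following is an added example, not code from ISPreview or FreeRADIUS; it builds a constructed Access-Request with and without that attribute and shows what a server that requires it would accept or reject. The shared secret, user names and attribute layout are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80   # Message-Authenticator attribute type (RFC 2869)

def build_access_request(secret, attrs, ident=7, sign=True):
    """Encode an Access-Request; with sign=True append a Message-Authenticator:
    HMAC-MD5(secret, packet) computed with its own 16 value bytes zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if sign:
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    pkt = header + os.urandom(16) + body   # 16 random bytes: Request Authenticator
    if sign:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt

def attributes(pkt):
    """Yield (type, value_offset, value) for each TLV after the 20-byte header."""
    off = 20
    while off < len(pkt):
        t, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("malformed attribute")
        yield t, off + 2, pkt[off + 2:off + length]
        off += length

def check_access_request(pkt, secret):
    """'ok' if a valid Message-Authenticator covers the packet, 'missing' if the
    request has none (no integrity check, the BlastRADIUS precondition), else 'bad'."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    for t, voff, val in attributes(pkt):
        if t == MESSAGE_AUTHENTICATOR:
            if len(val) != 16:
                return "bad"
            zeroed = pkt[:voff] + b"\x00" * 16 + pkt[voff + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "ok" if hmac.compare_digest(expected, val) else "bad"
    return "missing"

# Constructed sample traffic: a signed request, an unsigned one, and a signed one
# whose User-Name value (attribute type 1, bytes 22..26) was altered in transit.
SECRET = b"constructed-shared-secret"
SIGNED = build_access_request(SECRET, [(1, b"alice")])
UNSIGNED = build_access_request(SECRET, [(1, b"alice")], sign=False)
TAMPERED = SIGNED[:22] + b"admin" + SIGNED[27:]
```

A server that only answers requests scoring "ok" has no unauthenticated Access-Request left for a man-in-the-middle to manipulate, which is why the fix has to be rolled out on both the RADIUS clients that add the attribute and the servers that insist on it.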
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England); he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
6 Responses
  1. anon says:

    There’s another big SSH vulnerability, and a UEFI one too.
    Sigh. Looks like I’m going to be busy.

    1. 10BaseT says:

      No, SSH is not big; it is rather small, affecting 32-bit systems, and the patch is already in place. Same panic as with BlastRADIUS, which can be used in a very specific environment at a huge cost. I know nothing about remote in UEFI.

    2. anon says:

      I’m not talking about the one you’re referencing. You’re talking about RegreSSHion;
      I’m talking about CVE-2024-6409.

    3. 10BaseT says:

      So yeah, read carefully from proper sources. The bug has been activated in OpenSSH by Red Hat applying their patch on it, and it is affecting RH9 only – it is not present elsewhere, not even in Fedora. It is being investigated at the moment.

  2. Anon says:

    Bit of a non-issue, as RADIUS servers are often within management networks, hidden away in a VRF and not public-facing.

    1. MikeP says:

      Indeed. And everything about the RADIUS protocol always screamed “keep this on its own private network”. Its encryption, or rather obfuscation, of creds was enough to say “don’t let this near the public internet”.

      If you’ve got a MITM in your management network, RADIUS getting cracked is the least of your problems. The biggest one is the vector that got it there in the first place, and what that says about your TSA compliance.
