CVE-2024-3596 | CVSS:9.0
A new and emerging attack named “Blast-RADIUS” allows a man-in-the-middle between the RADIUS client and server to forge a valid RADIUS Access-Accept message in place of a failed authentication request, allowing an attacker to gain unfettered access to network resources without collecting or brute-forcing network credentials.
- Any Multi-Factor Authentication (MFA) can be bypassed
- Unknown users can be given network access
- Unknown users can be granted administrative login to key networking equipment
- Known users can have their traffic redirected to a “honeypot”
Software and hardware vendors that have designed and developed infrastructure around RADIUS will soon release updates addressing this vulnerability, which was uncovered in a protocol that is over 30 years old.

According to the research team (Blastradius.org), “This forgery could give the attacker access to network devices and services without the attacker guessing or brute forcing passwords or shared secrets. The attacker does not learn user credentials. An adversary exploiting our attack can escalate privileges from partial network access to being able to log into any device that uses RADIUS for authentication, or to assign itself arbitrary network privileges.”
Mitigations
Palo Alto Networks: https://security.paloaltonetworks.com/CVE-2024-3596
Microsoft KB5040268 (not a patch): https://support.microsoft.com/en-us/topic/kb5040268-how-to-manage-the-access-request-packets-attack-vulnerability-associated-with-cve-2024-3596-a0e2f0b1-f200-4a7b-844f-48d1d5ab9e66
“The key to the attack is that in many cases, Access-Request packets have no authentication or integrity checks. An attacker can then perform a chosen prefix attack, which allows modifying the Access-Request in order to replace a valid response with one chosen by the attacker. Even though the response is authenticated and integrity checked, the chosen prefix vulnerability allows the attacker to modify the response packet, almost at will.” – Alan DeKok
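To make the quoted point concrete, the Python example below is added here and is not code from the research team or any vendor. It computes the RFC 2865 Response Authenticator, which is bound to the request only through the 16-byte Request Authenticator of an otherwise unsigned Access-Request, and shows the server-side check behind the linked mitigation guidance: rejecting any Access-Request that does not carry a valid HMAC-MD5 Message-Authenticator attribute. The shared secret and the fixed Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
MESSAGE_AUTHENTICATOR = 80  # attribute type defined in RFC 2869

def build_packet(code, ident, authenticator, attrs):
    """Code(1) Id(1) Length(2) Authenticator(16) followed by Type/Length/Value attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big") + authenticator + body

def parse_attrs(packet):
    """Yield (type, value, offset_of_value) per attribute; reject malformed lengths."""
    pos = 20
    while pos < len(packet):
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > len(packet):
            raise ValueError("malformed attribute")
        yield t, packet[pos + 2:pos + ln], pos + 2
        pos += ln

def response_authenticator(response, request_auth, secret):
    """RFC 2865 Response Authenticator: MD5(Code+Id+Length+RequestAuth+Attributes+Secret)."""
    return hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()

def message_authenticator(packet, secret):
    """RFC 2869 Message-Authenticator: HMAC-MD5 over the packet with the attribute's own 16 bytes zeroed."""
    for t, v, off in parse_attrs(packet):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            return hmac.new(secret, packet[:off] + bytes(16) + packet[off + 16:], hashlib.md5).digest()
    return None

def access_request_is_protected(packet, secret):
    """Server-side mitigation: accept an Access-Request only with a correct Message-Authenticator."""
    got = [v for t, v, _ in parse_attrs(packet) if t == MESSAGE_AUTHENTICATOR]
    expected = message_authenticator(packet, secret) if packet[0] == ACCESS_REQUEST else None
    return len(got) == 1 and expected is not None and hmac.compare_digest(got[0], expected)

def demo():
    secret = b"constructed-shared-secret"  # constructed sample, not a real deployment secret
    req_auth = bytes(range(16))            # fixed for reproducibility; real clients send 16 random bytes
    bare = build_packet(ACCESS_REQUEST, 7, req_auth, [(1, b"alice")])  # User-Name only, no integrity
    signed = build_packet(ACCESS_REQUEST, 7, req_auth, [(1, b"alice"), (MESSAGE_AUTHENTICATOR, bytes(16))])
    signed = signed[:-16] + message_authenticator(signed, secret)
    tampered = signed.replace(b"alice", b"mallo")  # same length, so only the HMAC catches it
    accept = build_packet(ACCESS_ACCEPT, 7, req_auth, [])
    accept = accept[:4] + response_authenticator(accept, req_auth, secret) + accept[20:]
    return {"bare": access_request_is_protected(bare, secret),
            "signed": access_request_is_protected(signed, secret),
            "tampered": access_request_is_protected(tampered, secret),
            "accept_ok": hmac.compare_digest(accept[4:20], response_authenticator(accept, req_auth, secret))}
```

A server enforcing `access_request_is_protected` rejects the bare request outright, which removes the unauthenticated Access-Request the attack needs to tamper with.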
The research team has also stated that they are not making the code available to the general public; however, they have made the improvements available via their GitHub page.
Research team:
Sharon Goldberg – Cloudflare | Miro Haller – UC San Diego | Nadia Heninger – UC San Diego | Mike Milano – BastionZero | Dan Shumow – Microsoft Research | Marc Stevens – Centrum Wiskunde & Informatica | Adam Suhl – UC San Diego
Resources:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-3596
https://www.blastradius.fail/attack-details and https://www.blastradius.fail
https://kb.cert.org/vuls/id/456537
https://nvd.nist.gov/vuln/detail/CVE-2024-3596
https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius
https://www.inkbridgenetworks.com/blastradius
