CVE-2024-3596 | Attackers Blasting RADIUS


CVE-2024-3596 | CVSS:9.0

A new and emerging attack named “Blast-RADIUS” allows a man-in-the-middle between the RADIUS client and server to forge a valid accept (Access-Accept) message in place of a failed authentication request, allowing an attacker to gain unfettered access to network resources without collecting or brute-forcing network credentials.

  • Any Multi-Factor Authentication (MFA) can be bypassed
  • Unknown users can be given network access
  • Unknown users can be granted administrative login to key networking equipment
  • Known users can have their traffic redirected to a “honeypot”

Software and hardware vendors that have designed and developed infrastructure around RADIUS will soon release updates addressing this vulnerability. The vulnerability was uncovered in a protocol that is over 30 years old.

(https://www.blastradius.fail/attack-details)

According to the research team (Blastradius.org), “This forgery could give the attacker access to network devices and services without the attacker guessing or brute forcing passwords or shared secrets. The attacker does not learn user credentials. An adversary exploiting our attack can escalate privileges from partial network access to being able to log into any device that uses RADIUS for authentication, or to assign itself arbitrary network privileges.”

Mitigations

Cisco: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-radius-spoofing-july-2024-87cCDwZ3

Paloalto: https://security.paloaltonetworks.com/CVE-2024-3596

Microsoft KB5040268 (guidance, not a patch): https://support.microsoft.com/en-us/topic/kb5040268-how-to-manage-the-access-request-packets-attack-vulnerability-associated-with-cve-2024-3596-a0e2f0b1-f200-4a7b-844f-48d1d5ab9e66

“The key to the attack is that in many cases, Access-Request packets have no authentication or integrity checks. An attacker can then perform a chosen prefix attack, which allows modifying the Access-Request in order to replace a valid response with one chosen by the attacker. Even though the response is authenticated and integrity checked, the chosen prefix vulnerability allows the attacker to modify the response packet, almost at will.” – Alan DeKok

The research team has also stated that they are not making the attack code available to the general public; however, they have made their protocol improvements available via their GitHub page.

Research team:

Sharon Goldberg – Cloudflare | Miro Haller – UC San Diego | Nadia Heninger – UC San Diego | Mike Milano – BastionZero | Dan Shumow – Microsoft Research | Marc Stevens – Centrum Wiskunde & Informatica | Adam Suhl – UC San Diego

Resources:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-3596

https://www.blastradius.fail/attack-details and https://www.blastradius.fail

https://kb.cert.org/vuls/id/456537

https://nvd.nist.gov/vuln/detail/CVE-2024-3596

https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius

https://www.bleepingcomputer.com/news/security/new-blast-radius-attack-bypasses-widely-used-radius-authentication

https://www.inkbridgenetworks.com/blastradius

https://alandekok.com/webinar
