home.social

#blastradius — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #blastradius, aggregated by home.social.

  1. Upcoming USENIX Security 2024:

    ✅TL;DR:
    802.1X - RADIUS-based device authentication for LAN & 🛜 via UDP [aka RADIUS NAC] is proven unfixably broken and finally dead.

    DO NOT USE!

    ✅Tech Details:
    blastradius.fail/pdf/radius.pd

    ✅Executive Summary:
    blastradius.fail

    #blastradius #radius #8021X #NAC #usenix

  2. The summer slump keeps springing surprises. This time, RADIUS is broken. We take up the topic and talk about #BlastRADIUS. Enjoy! #Wartungsfenster wartungsfenster.podigee.io/64-

  3. New #BlastRADIUS attack bypasses widely-used #RADIUS #authentication
    Many networked devices on enterprise and telecommunication networks use RADIUS (Remote Authentication Dial-In User Service) for authentication and authorization, sometimes with tens of thousands of devices on a single network.
    Among its wide range of applications, the protocol is used for authentication in DSL and FTTH, 802.1X and Wi-Fi, 2G and 3G cellular roaming, 5G, APN and VPN, and critical infrastructure.
    bleepingcomputer.com/news/secu

  4. Ancient, widely used protocol has CVSS 9.0 vulnerability: #BlastRADIUS.

    #RADIUS, the protocol nobody thinks much about, has a critical bug. This 1990s authentication/authorization standard has the potential to cause widespread pain and anguish, thanks to how it’s deeply embedded into countless bits of networking gear.

    IT/DevOps staff can look forward to some canceled vacay. In #SBBlogwatch, we wonder what else is lurking to bite us. At @TechstrongGroup’s @SecurityBlvd: securityboulevard.com/2024/07/

  5. A vulnerability has been found in the widely used RADIUS authentication protocol that allows extensive compromise of the networks it secures. Exploiting it is, however, laborious, complex and possible only under certain conditions.

    #BlastRADIUS

    dfn-cert.de/informationen/arti

    More detailed information on the vulnerability, in text and video form, is also available from @DFN

    dfn.de/blastradius-newsmeldung

  6. 🔐 #BLASTRADIUS – Researchers at Boston University & UC San Diego have discovered a #Schwachstelle (vulnerability) in the #RADIUS protocol. What is behind it, how the attack works technically & what helps against it is explained in the 📹 video by our colleague @janfred

    👉 dfn.de/blastradius-newsmeldung

    @ucsandiego

  7. The #RADIUS protocol is insecure by design. As a result, numerous networks, up to and including large infrastructures, are at risk from #BlastRADIUS attacks. winfuture.de/news,143850.html?

  8. Yesterday, a new vulnerability was disclosed on some mailing lists, dubbed #BlastRADIUS. It requires being a man in the middle between the #RADIUS client and server.

    My initial thought is that this wouldn't affect too many networks, since the adversary would already need to be within the network. But then I read that FTTH & DSL would be affected too. The home routers that are authenticating to the ISP?!! Wouldn't every service provider be at risk if they don't use RADIUS over TLS or TCP?

    The attack description and paper link here:
    blastradius.fail/

    #infosec #networking

  9. Huh, the Openwall oss-security mailing list sure is quiet about BlastRADIUS.

    #CVE_2024_3596
    #BlastRADIUS

  10. In a somewhat unusual move, the company that sells one of the primary vulnerable products is charging money for tools to detect the vulnerability, with tool+support pricing ranging from US$150 for a guide+worksheet, US$400 for the verification tool, and $23K for carrier-level support.

    inkbridgenetworks.com/blastrad

    To be fair, it's a two-person company, and its technical lead was instrumental in analysis and fix of the vulnerability.

    #CVE_2024_3596
    #BlastRADIUS

  11. Definitely recommend using one-string name "BlastRADIUS" over "Blast-RADIUS".

    Lots of use of the regular phrase all over the Internet makes it harder to sift through (most search engines treat hyphens as if they were spaces).

    FWIW Marc Stevens, one of the authors, uses #BlastRADIUS

    x.com/realhashbreaker/status/1

    #CVE_2024_3596
    #BlastRADIUS

  12. Separate reply to my BlastRADIUS summary post above
    (infosec.exchange/@tychotithonu)

    for references (please boost that summary, not this post, so that you are not bothered by frequent updates to this post)

    Tech refs:

    Full paper, required reading:
    blastradius.fail/pdf/radius.pd

    Pending USENIX Security talk (title under embargo):
    usenix.org/conference/usenixse

    Vendor Guide from InkBridge, FreeRADIUS maintainers:
    inkbridgenetworks.com/web/cont

    Matthew Green analysis:
    ioc.exchange/@matthew_d_green/

    Confirmed related speedups in hashclash, the MD5 collision framework by Stevens:
    github.com/cr-marcstevens/hash
    (Confirmed by: infosec.exchange/@goldbe/11275)

    Vuln refs: (CVE created 2024-04-10)

    cve.mitre.org/cgi-bin/cvename.

    vulmon.com/vulnerabilitydetail

    nvd.nist.gov/vuln/detail/CVE-2

    cvedetails.com/cve/CVE-2024-35

    vuldb.com/?id.270684

    cyber.gc.ca/en/alerts-advisori

    kb.cert.org/vuls/id/456537 (includes vendor list!)

    tenable.com/cve/CVE-2024-3596

    Updated software:
    (expect anything speaking RADIUS to patch - see kb.cert.org/vuls/id/456537)

    Amazon:
    explore.alas.aws.amazon.com/CV

    Arista (TBA, will be here):
    arista.com/en/support/advisori

    Broadcom (MFDSA24562, paywalled):
    support.broadcom.com/web/ecx/s
    community.broadcom.com/events/

    Cisco:
    sec.cloudapps.cisco.com/securi

    D-Link (TBA, will be here):
    support.dlink.com/index.aspx

    Debian (thread only):
    mail-archive.com/debian-bugs-d

    FreeRADIUS (affected):
    networkradius.com/packages/

    Juniper (affected):
    TBA. RADIUS/TLS supported to mitigate.

    Microsoft (Affected, Windows Server RADIUS, and clients):
    msrc.microsoft.com/update-guid
    support.microsoft.com/en-us/to

    Nokia (affected):
    TBA

    Okta (affected):
    TBA

    OpenVPN:
    Access Server Affected, TBA

    Palo Alto (affected):
    security.paloaltonetworks.com/

    Radiator (affected):
    radiatorsoftware.com/blastradi
    blog.radiatorsoftware.com/2024

    RedHat (FreeRADIUS):
    bugzilla.redhat.com/show_bug.c

    Siemens (affected):
    cert-portal.siemens.com/produc
    siemens.com/global/en/products

    Sonicwall (affected):
    psirt.global.sonicwall.com/vul

    SUSE (affected):
    suse.com/security/cve/CVE-2024
    suse.com/support/update/announ

    Ubiquiti (affected):
    community.ui.com/questions/Bla

    Project's own advisory list here:
    blastradius.fail/coverage.html

    Threads

    mailman.nanog.org/pipermail/na

    openwall.com/lists/oss-securit

    news.ycombinator.com/item?id=4

    News

    alandekok.com/blastradius-neut (InkBridge press release, includes signup for Q&A webinar)

    arstechnica.com/security/2024/ (Goodin)

    cwi.nl/en/news/vulnerability-d (this is where Marc Stevens, one of the collision researchers, works)

    helpnetsecurity.com/2024/07/09

    thehackernews.com/2024/07/radi

    businesswire.com/news/home/202

    securityweek.com/blastradius-a

    bleepingcomputer.com/news/secu

    csoonline.com/article/2515232/

    theregister.com/2024/07/10/rad

    oodaloop.com/briefs/2024/07/10

    securityboulevard.com/2024/07/

    Project's own article list here:
    blastradius.fail/coverage.html

    Authors

    Adam Suhl:
    cseweb.ucsd.edu/~asuhl/

    Marc Stevens:
    marc-stevens.nl/research/

    Sharon Goldberg:
    linkedin.com/in/sharon-goldber

    Mastodon links:

    infosec.exchange/@goldbe/11275 (co-author)

    #CVE_2024_3596 #BlastRADIUS

  13. Cloudflare and collaborators discover fundamental RADIUS/UDP vulnerability CVE-2024-3596 due to use of MD5 ("Blast-RADIUS" MitM attack). (Includes new Stevens / Heninger et al. faster MD5 chosen-prefix collision attack!) AKA "Blast-RADIUS".

    blog.cloudflare.com/radius-udp

    blastradius.fail/
    blastradius.fail/pdf/radius.pd
    blastradius.fail/attack-detail

    Impact: "a local attacker [...] can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response" (from CVE). It's basically an "auth as anyone" bug.

    Short-term fix: patch RADIUS/UDP. Major RADIUS vendors said to have coordinated fixes in advance of announcement. Spec also rewritten to address; see inkbridgenetworks.com/blastrad (from DeKok, author of the revised RADIUS/UDP spec and FreeRADIUS maintainer, essential reading). "ISPs will have to upgrade their RADIUS servers and networking equipment." - DeKok

    Long-term fix: move to RADIUS/TLS, or isolate/tunnel RADIUS traffic

    Non-mitigations: MFA, TACACS+, others (see paper)

    Affected: PAP, CHAP, MS-CHAPv2, other non-EAP protocols

    Not affected: RADIUS/TLS, 802.1X, IPSec, Eduroam, OpenRoaming

    CVE: cve.mitre.org/cgi-bin/cvename.

    Urgency: Seems to take non-trivial amount of compute and prep, plus privileged network vantage point, so "patch normally", not "drop everything", IMO so far. But I also expect RADIUS regularly traverses untrusted networks, so I wouldn't procrastinate, either. Less vulnerable if using EAP, but even that is not a good mitigation, because MitM access can be used to alter the packets.

    Patching logistics: both clients and servers seem to need patching. Major vendors had warning and have been working on fixes under embargo. Links for some in reply below as I learn them.

    Exploit: none known, PoC only.

    With the collision speedup, this also means anything else still vulnerable due to MD5 just got weaker.

    Authors scheduled to present paper at USENIX Security Aug 14-16 (title still under embargo):
    usenix.org/conference/usenixse

    Tech and news refs (separate reply to minimize post churn):

    infosec.exchange/@tychotithonu

    #CVE_2024_3596 #BlastRADIUS
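As an added illustration of the MD5 dependence that post 13 describes (example code written for this page, not code from the researchers, any vendor, or any poster): a minimal Python model of a RADIUS response, its unkeyed MD5 Response Authenticator (RFC 2865), and the keyed HMAC-MD5 Message-Authenticator attribute (RFC 2869), which an MD5 collision does not help an on-path attacker forge. The shared secret, Request Authenticator and attribute values are constructed sample data, and `require_msg_auth` models a client configured to reject responses that lack the keyed attribute.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # Request Authenticator of the Access-Request
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 18, 80  # RFC 2865 / RFC 2869 types

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_response(code, ident, request_auth, attrs, secret, with_msg_auth):
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret), RFC 2865.
    # Message-Authenticator = HMAC-MD5(secret, packet with RequestAuth in the
    # authenticator slot and the attribute value zeroed), RFC 2869.
    if with_msg_auth:
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_msg_auth:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(pkt, request_auth, secret, require_msg_auth):
    # Client-side check: the unkeyed MD5 value is the collision target, the keyed HMAC is not.
    length = struct.unpack("!H", pkt[2:4])[0]
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:length]
    if hashlib.md5(header + request_auth + body + secret).digest() != resp_auth:
        return False
    pos, found = 0, None
    while pos + 2 <= len(body):  # walk the attribute TLVs
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            found = pos
        pos += l
    if found is None:
        return not require_msg_auth  # strict clients reject responses without it
    zeroed = body[:found + 2] + b"\x00" * 16 + body[found + 18:]
    expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, body[found + 2:found + 18])

# Legitimate Access-Accept carrying Message-Authenticator, and a legacy Access-Reject without it.
ACCEPT = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, [(REPLY_MESSAGE, b"welcome")], SECRET, True)
REJECT = build_response(ACCESS_REJECT, 7, REQUEST_AUTH, [(REPLY_MESSAGE, b"denied")], SECRET, False)
```

A naive code flip on REJECT fails the MD5 check outright; the paper's contribution is making such a modification pass it via a chosen-prefix collision, which the strict client setting above sidesteps by refusing any response that carries no keyed attribute.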