Vulnerability demonstrated in RADIUS/UDP network protocol

The team did a successful attack in practice in January but had not yet made it public. Since then, they have been working with vendors on more secure solutions. They named the vulnerability ‘Blast-RADIUS’. The team will officially present their results at the international 33rd USENIX-Security Symposium, which takes place from 14-16 August in Philadelphia, USA.

Wi-Fi and VPN networks

RADIUS (Remote Authentication Dial-In User Service) was designed back in 1991 - in the era of dial-up Internet access - but it is still an important authentication protocol. It is used to access Wi-Fi and VPN networks, as well as routers, switches and other network equipment. RADIUS network traffic is typically transported unsecured via the so-called UDP network layer, protected only by cryptography based on the outdated MD5 standard. Despite the fact that MD5 has been shown to be unsafe since 2004, the RADIUS/UDP standard has hardly changed since then.

Very fast attack on MD5

There is a short login timeout of at most minutes, after which the login attempt will be aborted. Until now, so-called chosen-prefix attacks took about a day to break MD5 security. The researchers now present an improved, very fast attack on MD5 that just takes a few minutes and they show how it can force unauthorized access via RADIUS/UDP. This was partly possible thanks to improvements made by Stevens in his existing 'Hashclash' tool.

Migrate to RADIUS/TLS

Marc Stevens says: “The use of MD5 has been discouraged for a long time. Unfortunately, all too often, people wait until a concrete attack is demonstrated. Some dangerous examples from the past include a forged Certificate Authority (RogueCA, 2008, aka the “https crack”), a forged Windows Update (FLAME, 2012), a TLS attack (SLOTH, 2016), and bypassing Certificate Verification in Windows (2023). And now RADIUS, too.
The RADIUS/UDP standard has long failed to meet modern cryptographic standards. We therefore recommend the use of RADIUS/TLS, as TLS can provide strong privacy and security guarantees. RADIUS/TLS fits within zero-trust architectures — the strategic security model where no internal network is designated as trusted. Vendors and network administrators should change this.”

The research team

The researchers are, in alphabetical order: Sharon Goldberg (Cloudflare), Miro Haller (UC San Diego), Nadia Heninger (UC San Diego), Mike Milano (BastionZero, now Cloudflare), Dan Shumow (Microsoft Research), Marc Stevens (Centrum Wiskunde & Informatica) and Adam Suhl (UC San Diego).

About Marc Stevens

Marc Stevens, a cryptanalyst in the Cryptology research group at CWI is the global expert on hash functions. For example, he has previously contributed to exposing the weaknesses of the cryptographic hash function standards MD5 and SHA-1. He is known for breaking the https security in 2008 (MD5), analyzing the Flame supermalware in 2012, and breaking the industry standard SHA-1 in practice in 2017, which was used for digital signatures. In 2016, he won the $50,000 Google Security Privacy and Anti-abuse applied award in recognition of his work in cryptoanalysis, and in 2017, he and Google researchers won the Pwnie Award for Best Cryptographic Attack. In 2020, Stevens, together with Xiayun Wang, received the Levchin Prize for Real-World Cryptography for their 'groundbreaking work on the security of collision-resistant hash functions'. In addition, Stevens is involved in the Dutch PQC migration handbook of TNO, AIVD and CWI for post-quantum cryptography.

More information

• Blast-RADIUS website: https://www.blastradius.fail
• Publication USENIX Security
• This vulnerability has been assigned the following identifiers by US CERT/CC:
  - CVE 2024-3596
  - VU#456537
• Blog by the Blast-RADIUS team, with explanation
• Whitepaper Mitigatie BlastRADIUS by Alan DeKok (Network RADIUS SAS, FreeRADIUS)
• RADIUS on Wikipedia
• UDP network layer on Wikipedia
• CWI Cryptology Group
• Marc Stevens at CWI

Blast-RADIUS logo

Older vulnerabilities due to the use of MD5

• 2008 RogueCA: https://link.springer.com/chapter/10.1007/978-3-642-03356-8_4
  “Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate”, Marc Stevens, Alexander Sotirov, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger. IACR Flagship conference CRYPTO 2009 (Best Paper Award).
  
• 2012 FLAME:
  - CWI cryptanalyst discovers new cryptographic attack variant in Flame spy malware
  - https://arstechnica.com/information-technology/2012/06/flame-malware-was-signed-by-rogue-microsoft-certificate/
  - “Reverse-engineering of the cryptanalytic attack used in the Flame super-malware”, Max Fillinger, and Marc Stevens, IACR Flagship conference ASIACRYPT 2015.
  
• 2016 SLOTH TLS:
  “Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH”, Karthikeyan Bhargavan, Gaetan Leurent. Conference NDSS’16.
  
• Windows Certificate verification
  “"Spoofing certificates with MD5 collisions - party like it's 2008”, Tomer Peled, Yoni Rozenstein, DEF CON ’31. CVE-2022-34689.
  Blog: https://cendyne.dev/posts/2023-09-01-spoofing-certificates-with-md5-collisions.html

About MD5

MD5 is a so-called cryptographic hash function that was widely used to secure Internet communications. Hash functions are used to calculate short ‘fingerprints’ (consisting of 32 to 64 characters) of messages and files. For security purposes, it must be impossible to find two files with the same fingerprint (‘collisions’ in jargon). The first collisions for the MD5 standard were demonstrated in 2004 by Prof. Xiaoyun Wang and others, and since then this attack has been made much faster.

In 2007, a team of researchers - including Marc Stevens (CWI), Arjen Lenstra (EPFL) and Benne de Weger (TU/e) - managed to create an even stronger attack on MD5 with much more control over the content of the collisions. In 2008, an international team, again with CWI researcher Marc Stevens, even broke global https security for demonstration purposes due to a then-current vulnerability at a certificate organization. MD5 was then almost universally phased out in all kinds of Internet standards, except in the network standard RADIUS/UDP.

Header picture: artist's impression of a hacker. Source: Frank Peters/Shutterstock.com.