Alex-
Advisor

Blast-RADIUS - CVE-2024-3596

https://www.blastradius.fail/


Blast-RADIUS is a vulnerability that affects the RADIUS protocol. RADIUS is a very common protocol used for authentication, authorization, and accounting (AAA) for networked devices on enterprise and telecommunication networks.

What can the attacker do?

The Blast-RADIUS attack allows a man-in-the-middle attacker between the RADIUS client and server to forge a valid protocol accept message in response to a failed authentication request. This forgery could give the attacker access to network devices and services without the attacker guessing or brute forcing passwords or shared secrets. The attacker does not learn user credentials.

Who is affected?

Blast-RADIUS is a protocol vulnerability, and thus affects all RADIUS implementations using non-EAP authentication methods over UDP.

System administrators of networks using RADIUS should check with vendors for a patch against this vulnerability, and follow best practices for RADIUS configuration as discussed below. There is nothing that end users can do on their own to protect against this attack.

RADIUS is used in a wide variety of applications, including in enterprise networks to authenticate access to switches and other routing infrastructure, for VPN access, by ISPs for DSL and FTTH (Fiber to the Home), in 802.1X and Wi-Fi authentication, 2G and 3G cellular roaming and 5G DNN (Data Network Name) authentication, mobile Wi-Fi offload with SIM card-based authentication, private APN authentication, to authenticate access to critical infrastructure, and in the Eduroam and OpenRoaming wifi consortia.

What is the vulnerability?

The RADIUS protocol predates modern cryptographic guarantees and is typically unencrypted and unauthenticated. However, the protocol does attempt to authenticate server responses using an ad hoc construction based on the MD5 hash function and a fixed shared secret between a client and server.

Our attack combines a novel protocol vulnerability with an MD5 chosen-prefix collision attack and several new speed and space improvements. The attacker injects a malicious attribute into a request that causes a collision between the authentication information in the valid server response and the attacker’s desired forgery. This allows the attacker to turn a reject into an accept, and add arbitrary protocol attributes.

4 Replies
Lesley
Advisor

Was following it also. No SK from Check Point, still very fresh and released today I think. (Some headsup yesterday).

If I try to keep it simple: the RADIUS server you can configure in SmartDashboard supports RADIUS V1 and V2, protocol PAP or MS-CHAPv2.

-----------------------------------------------------------------------------------------------------------------------

RADIUS (Remote Authentication Dial-In User Service) server is used for authentication of users. Check Point uses the RADIUS servers in these scenarios:

Administrators logging in to SmartConsole

SecuRemote Users (via IKE Hybrid Mode)

RADIUS Configuration Fields

  • Host is where the RADIUS server is deployed.

  • Service is the port to which the RADIUS server listens. Choose one of two predefined services.

    • RADIUS is the port number historically used by most installations.

    • NEW-RADIUS is the officially registered port number.

  • Shared secret is the secret between the RADIUS server and the Security Gateway.

  • Version can be either RADIUS Version 1.0, which is RFC 2138 compliant, or RADIUS Version 2.0, which is RFC 2865 compliant. For more, see:

  • Protocol is the type of authentication protocol that will be used when authenticating the user to the RADIUS server. This type should be supported and enabled by the server. The MS-CHAP v2 protocol is supported by some servers, including Microsoft IAS and Cisco ACS. This protocol provides higher security and the ability to perform a password change, as an additional challenge in the authentication session, when the user is configured as "User must change password at next logon" on the server.

----------------------------------------------------------------------------------------------

Second, you can also use RADIUS to authenticate to the Gaia OS (and API). But for now it is too late for me to check 😁

(https://support.checkpoint.com/results/sk/sk72940)

-------
If you like this post please give a thumbs up (kudo)! 🙂
vass
Explorer

Thanks for the info.

I captured some traffic for RADIUS VPN auth with user/password and Check Point does not send the Message-Authenticator attribute (as expected, because it was not mandatory in the RFC).

But we do know now that we will need in the future to send it and also check if the reply from the server has it (and if it's OK and not tampered with).

Does Check Point already have some info on whether this will be implemented? (I don't know what is used as the client on the Check Point side, but if it is FreeRADIUS there are updated clients.)


Regards,

Vlad

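The original post describes the ad hoc MD5 "Response Authenticator" that Blast-RADIUS forges, and the reply above notes that a client must send Message-Authenticator and verify it on the server's reply. The following is an added example (not Check Point's code, not from blastradius.fail) of what that client-side check looks like: it builds a constructed Access-Accept with a constructed shared secret and Request Authenticator, then refuses any reply whose HMAC-MD5 Message-Authenticator is missing or wrong, even when the plain MD5 Response Authenticator verifies.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def build_response(code, ident, req_auth, attrs, secret, with_msg_auth=True):
    """Constructed server side: Response Authenticator plus optional HMAC-MD5 Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if with_msg_auth:
        body += struct.pack("!BB", MSG_AUTH, 18) + bytes(16)  # value zeroed while the HMAC is computed
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_msg_auth:
        mac = hmac.new(secret, header + req_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body

def parse_attrs(data):
    """Return (type, value_offset, value) per attribute; raise if malformed."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], i + 2, data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def verify_response(pkt, req_auth, secret):
    """Client side: Blast-RADIUS forges the MD5 Response Authenticator, so also require a valid Message-Authenticator."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False, "bad length"
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + req_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return False, "bad Response Authenticator"
    try:
        macs = [(o, v) for t, o, v in parse_attrs(body) if t == MSG_AUTH]
    except ValueError as e:
        return False, str(e)
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return False, "Message-Authenticator missing"
    off, mac = macs[0]
    zeroed = body[:off] + bytes(16) + body[off + 16:]  # HMAC is over the packet with the MA value zeroed
    expected = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad Message-Authenticator"
    return True, "ok"
```

The "missing" branch is the policy change the reply asks for: a reply without Message-Authenticator is rejected even though its Response Authenticator is correct.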
the_rock
Legend

I hope there will be an official sk about it soon, as one is not present on the support site as of yet, unless it's internal... no idea.

Andy

the_rock
Legend

Thanks for that @Alex- 
