Blast-RADIUS (Exploit Kit) – Malware

January 28, 2025
Blast-RADIUS

Type of Malware

Exploit Kit

Date of initial activity

2024

Motivation

Espionage

Attack Vectors

Software Vulnerabilities

Targeted Systems

Linux
Windows

Overview

The Blast-RADIUS attack exposes a critical vulnerability in the widely used RADIUS (Remote Authentication Dial-In User Service) protocol, which remains a cornerstone of network authentication. Although RADIUS was developed in the early 1990s to support dial-up internet access, it still authenticates users and administrators to networked devices: switches, routers, VPN concentrators and nearly every other piece of network infrastructure rely on it to verify credentials and grant or deny access. That longstanding trust is shaken by the discovery of a sophisticated attack on the Response Authenticator mechanism that allows unauthorized access to critical systems.

At the core of Blast-RADIUS is the MD5-based cryptographic function RADIUS uses to protect the integrity of its communication. The attack targets the Response Authenticator, the field intended to validate responses from the RADIUS server. Using a chosen-prefix collision, an attacker can craft a seemingly valid authentication response without ever knowing the shared secret that is supposed to secure communication between the RADIUS client and server, and so gain access to network services even after submitting incorrect login credentials.

The attack inserts attacker-chosen data into a client request via a Proxy-State attribute, which the RADIUS server echoes back in its response. An attacker positioned as a man-in-the-middle can then manipulate the response packet in real time, replacing the Access-Reject that would normally follow a failed login with a forged Access-Accept that grants network access.

The brilliance of the Blast-RADIUS attack lies in its efficiency: the cryptographic work of generating the required MD5 collision can now be performed in minutes.

Targets

Information

How they operate

At the heart of RADIUS is a client-server architecture in which a Network Access Server (NAS) acts as the client, sending authentication requests to a centralized RADIUS server. Client and server share a fixed secret, which is used to compute the hash values that protect the integrity of their communication. When a user submits credentials, the NAS packages them into an Access-Request message that includes a randomly generated value called the Request Authenticator. The RADIUS server processes the request and generates a response, either Access-Accept or Access-Reject, depending on whether the credentials are valid. The integrity of that response is protected by the Response Authenticator, an MD5 hash computed over several components, including the shared secret, request attributes and the random Request Authenticator.

Blast-RADIUS exploits a weakness in this cryptographic structure by injecting a Proxy-State attribute into a valid request. The RADIUS protocol requires the server to echo the Proxy-State attribute back in its response, which gives the attacker a way to influence the contents of that message. The key to the attack is a chosen-prefix MD5 collision, a technique that makes two different input messages produce the same MD5 hash. By carefully crafting two blocks of binary gibberish, one for the legitimate Access-Reject response and one for a forged Access-Accept, the attacker ensures that both messages yield the same MD5 hash value. Even though the attacker swaps the Access-Reject for a fraudulent Access-Accept, the RADIUS client still verifies the Response Authenticator as valid.

The operation begins when the attacker, positioned as a man-in-the-middle, intercepts a failed login attempt from a user. Normally, when an incorrect password is provided, the server generates an Access-Reject response. The attacker anticipates this outcome and computes an MD5 collision between the legitimate Access-Reject response and a forged Access-Accept that grants network access. The crafted Proxy-State attribute included in the original request is structured so that the server's response (including the echoed Proxy-State) contains the collision gibberish. The server, unaware of the attack, processes the request and sends the Access-Reject response complete with the malicious Proxy-State and its Response Authenticator. On receiving it, the attacker checks that the message format matches the predicted pattern, confirming that the MD5 collision has been triggered, then replaces the Access-Reject with the precomputed Access-Accept while leaving the Response Authenticator unmodified. Because the collision makes the Response Authenticator valid for both the legitimate and the forged message, the RADIUS client accepts the fraudulent Access-Accept and grants access.

What makes Blast-RADIUS particularly dangerous is that it circumvents both password and shared-secret verification without brute-forcing or guessing any credentials. The attack relies entirely on the MD5 collision and on the protocol's own handling of Proxy-State. With optimizations that reduce the time needed to compute the collision, the attack can be executed in minutes, making it a viable threat in real-world scenarios.
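As an added example (not code from the original post), the following Python builds and checks a RADIUS response the way RFC 2865 and RFC 2869 describe it: the MD5 Response Authenticator discussed above, which a collision can satisfy, plus the keyed HMAC-MD5 Message-Authenticator attribute, which a collision on the unkeyed MD5 does not forge and which is the published mitigation for this attack. The shared secret, Request Authenticator and Proxy-State value are constructed sample inputs.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
PROXY_STATE, MESSAGE_AUTHENTICATOR = 33, 80


def attr(attr_type, value):
    """Serialize one RADIUS attribute: Type(1) Length(1) Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_response(code, ident, request_auth, attrs, secret, with_mac=True):
    """Build a server response. The Message-Authenticator (RFC 2869) is HMAC-MD5 over
    the packet with the Request Authenticator in the header and its own value zeroed;
    the Response Authenticator (RFC 2865) is then
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    mac_attr = attr(MESSAGE_AUTHENTICATOR, bytes(16)) if with_mac else b""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs) + len(mac_attr)) + request_auth
    if with_mac:
        mac = hmac.new(secret, header + attrs + mac_attr, hashlib.md5).digest()
        mac_attr = attr(MESSAGE_AUTHENTICATOR, mac)
    body = attrs + mac_attr
    resp_auth = hashlib.md5(header[:4] + request_auth + body + secret).digest()
    return header[:4] + resp_auth + body


def parse_attrs(data):
    out = []
    while data:
        attr_len = data[1]
        out.append((data[0], data[2:attr_len]))
        data = data[attr_len:]
    return out


def verify_response(packet, request_auth, secret):
    """Client-side checks, returned as (md5_ok, hmac_ok). A missing or duplicated
    Message-Authenticator counts as an HMAC failure; a hardened client rejects the
    response unless both checks pass."""
    length = struct.unpack("!BBH", packet[:4])[2]
    resp_auth, body = packet[4:20], packet[20:length]
    digest = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    md5_ok = hmac.compare_digest(digest, resp_auth)
    attrs = parse_attrs(body)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1:
        return md5_ok, False
    zeroed = b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    return md5_ok, hmac.compare_digest(expected, macs[0])
```

Flipping the code byte of a signed Access-Reject to Access-Accept fails both checks here because no collision was computed; the point of the second check is that it stays a failure even when the first one is collided.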
References:
  • Blast-RADIUS Attack in More Detail
Tags: Authentication, Blast-RADIUS, Exploit Kit, Information, Malware, RADIUS, VPN, Vulnerabilities