RADIUS/UDP Considered Harmful

Authors: 

Sharon Goldberg, Cloudflare; Miro Haller and Nadia Heninger, UC San Diego; Mike Milano, BastionZero; Dan Shumow, Microsoft Research; Marc Stevens, Centrum Wiskunde & Informatica; Adam Suhl, UC San Diego

Abstract: 

The RADIUS protocol is the de facto standard lightweight protocol for authentication, authorization, and accounting (AAA) for networked devices. It is used to support remote access for diverse use cases including network routers, industrial control systems, VPNs, enterprise Wi-Fi including the Eduroam network, Linux Pluggable Authentication Modules, and mobile roaming and Wi-Fi offload.

We have discovered a protocol vulnerability in RADIUS that has been present for decades. Our attack allows a man-in-the-middle attacker to authenticate itself to a device using RADIUS for user authentication, or to assign itself arbitrary network privileges. Our attack exploits an MD5 chosen-prefix collision on the ad hoc RADIUS packet authentication construction to produce Access-Accept and Access-Reject packets with identical Response Authenticators, allowing our attacker to transform a reject into an accept without knowledge of the shared secret between RADIUS client and server.

We optimize the MD5 chosen-prefix attack to produce collisions online in less than five minutes, and show how to fit the collision blocks within RADIUS attributes that will be echoed back from the server. We demonstrate our attack in a variety of settings against popular RADIUS implementations. It is our hope that this attack will provide the impetus for vendors and the IETF to deprecate RADIUS over UDP, and to require RADIUS to run over secure channels with modern cryptographic privacy and integrity guarantees.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {299840,
author = {Sharon Goldberg and Miro Haller and Nadia Heninger and Mike Milano and Dan Shumow and Marc Stevens and Adam Suhl},
title = {{RADIUS/UDP} Considered Harmful},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {7429--7446},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/goldberg},
publisher = {USENIX Association},
month = aug
}