Does the Blast-RADIUS vulnerability affect Portnox Cloud users?

What is the Blast-RADIUS vulnerability?

Blast-RADIUS (BlastRADIUS, CVE-2024-3596) is a weakness in the RADIUS protocol itself (RFC 2865) rather than in any single vendor's implementation.

This vulnerability is considered very low risk for Portnox Cloud for the following reasons:

  • The research is purely theoretical and no attacks in the wild have been observed.
  • The attack requires the attacker to hold a man-in-the-middle position between the NAS device and the RADIUS server, that is, either within the customer's infrastructure or within the ISP's infrastructure.
  • The attack requires high computational power to calculate an MD5 collision before the RADIUS timeout expires.
  • The attack affects only direct (unencrypted) UDP communications with the RADIUS server. 802.1X authentication is not affected, because its RADIUS packets carry EAP and must therefore include the Message-Authenticator attribute.

Which parts of Portnox Cloud could be affected?

Not affected:

  • Network authentication using credentials or certificates is not affected because it uses the 802.1X protocol.
  • Local RADIUS servers are not affected. All communications between the local RADIUS server’s virtual machine or container and the Portnox Cloud RADIUS servers are conducted through secure TLS tunnels.
  • TACACS+ services are not affected. All communications between the TACACS+ local virtual machine or container and the Portnox Cloud RADIUS servers are conducted through secure TLS tunnels.
  • Conditional Access for Applications is not affected. All communication with the Portnox Cloud RADIUS servers is conducted internally within the Portnox secure infrastructure.
  • Any device or software that includes the Message-Authenticator attribute in its RADIUS communications is not affected.

Could be affected:

  • MAC-based authentication (MAB), if your NAS device does not send the Message-Authenticator RADIUS attribute. Most NAS devices support this attribute, but you may need to upgrade them to the latest firmware version to get it. We recommend checking with your NAS manufacturer and immediately installing any new firmware, if available.
  • VPN authentication, if your VPN server does not send the Message-Authenticator RADIUS attribute. We recommend checking with your VPN server manufacturer and immediately installing any new firmware or security patches.

What can I do to protect myself better?

While the risk of Blast-RADIUS is very low, you may do the following to protect yourself:

  • If using Portnox Cloud for 802.1X authentication only (credential-based or certificate-based network access): No action needed. You are not affected.
  • If using Portnox Cloud for TACACS+ only: No action needed. You are not affected.
  • If using Portnox Cloud for Conditional Access only: No action needed. You are not affected.
  • If using Portnox Cloud for MAC-based authentication:
    • Option 1: Configure your NAS devices and your Portnox Cloud RADIUS for RadSec communications. For more information, see the topic: Configure advanced RADIUS server options.
    • Option 2: If the latest firmware of your NAS device supports the Message-Authenticator RADIUS attribute, update the firmware of your NAS device to the latest version.
    • Option 3: Install a local RADIUS server within your local network as close as possible to the NAS devices, and configure your NAS devices to use this local RADIUS server as their primary RADIUS server. All RADIUS communications between your infrastructure and the Portnox infrastructure are then conducted through a secure TLS tunnel. Note that with this solution an attack is still possible, but only from inside your infrastructure (if the attacker is able to modify the traffic between your NAS devices and your local RADIUS server).
  • If using Portnox Cloud for VPN authentication:
    • Option 1: Configure your VPN server and your Portnox Cloud RADIUS for RadSec communications. For more information, see the topic: Configure advanced RADIUS server options.
    • Option 2: If the latest firmware or software version of your VPN server supports the Message-Authenticator RADIUS attribute, update the firmware or software of your VPN server to the latest version.
    • Option 3: Install a local RADIUS server within your local network as close as possible to the VPN server, and configure your VPN server to use this local RADIUS server as its primary RADIUS server. All RADIUS communications between your infrastructure and the Portnox infrastructure are then conducted through a secure TLS tunnel. Note that with this solution an attack is still possible, but only from inside your infrastructure (if the attacker is able to modify the traffic between your VPN server and your local RADIUS server).

Note: The Blast-RADIUS issue lies within the RADIUS protocol itself, and only the proper configuration of NAS devices can guarantee security against this vulnerability. While our server could achieve complete immunity by requiring the Message-Authenticator attribute, this would unfortunately make it incompatible with many NAS devices that have not yet implemented this support. Therefore, for devices that already support this attribute, we recommend a firmware upgrade, and for those that are not yet compatible with the Message-Authenticator attribute, we recommend that you consider using RadSec.
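The sections above ("Could be affected" and the MAB/VPN options) all turn on one question: does your NAS or VPN server actually include the Message-Authenticator attribute in the Access-Requests it sends? The following script is an added example for this advisory, not Portnox code. Given captured RADIUS packets as raw bytes, it parses the attribute list and reports, per Access-Request, whether Message-Authenticator (attribute type 80) is missing, present and valid, or present but failing its HMAC-MD5 check. The shared secret, Request Authenticator and attribute values are constructed samples; on a real network you would feed it the UDP payloads from a capture taken between the NAS and the RADIUS server, together with that client's shared secret.

```python
"""Check whether RADIUS Access-Requests carry a valid Message-Authenticator.

Added example for this advisory, not Portnox code. It builds three constructed
Access-Request packets, parses them, and reports for each whether the
Message-Authenticator attribute (type 80, RFC 2869) is missing, present and
valid, or present but failing its HMAC-MD5 check. The shared secret,
Request Authenticator and attribute values below are constructed samples.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20

# Constructed sample values; a real NAS uses a fresh random Request Authenticator.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, attrs: bytes, sign: bool) -> bytes:
    """Assemble an Access-Request, optionally appending Message-Authenticator.

    The attribute value is HMAC-MD5(secret, packet) computed with its own
    16 value bytes zeroed (RFC 2869 section 5.14).
    """
    if sign:
        attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    pkt += REQUEST_AUTH + attrs
    if sign:
        mac = hmac.new(SECRET, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac  # the zeroed placeholder is the final 16 bytes
    return pkt


def parse_attrs(pkt: bytes) -> list:
    """Return (type, value_offset, value) per attribute; reject malformed TLVs."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("shorter than the RADIUS header")
    length = struct.unpack("!H", pkt[2:4])[0]
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2 or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((pkt[pos], pos + 2, pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return attrs


def message_authenticator_status(pkt: bytes, secret: bytes) -> str:
    """Classify an Access-Request as 'missing', 'valid' or 'invalid'.

    'missing' is the condition the advisory describes as exposed to
    Blast-RADIUS; 'invalid' means the packet was altered or the secret differs.
    """
    found = [(off, val) for typ, off, val in parse_attrs(pkt)
             if typ == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing"
    if len(found) != 1 or len(found[0][1]) != 16:
        return "invalid"
    off, value = found[0]
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "valid" if hmac.compare_digest(expected, value) else "invalid"


def sample_packets() -> list:
    """Three constructed requests: signed, unsigned, and signed-then-tampered."""
    base = (encode_attr(ATTR_USER_NAME, b"00-11-22-33-44-55")  # MAB sends the MAC as User-Name
            + encode_attr(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])))
    signed = build_access_request(1, base, sign=True)
    unsigned = build_access_request(2, base, sign=False)
    tampered = bytearray(build_access_request(3, base, sign=True))
    tampered[22] ^= 0x01  # flip a bit inside the User-Name value
    return [signed, unsigned, bytes(tampered)]


def audit(packets: list, secret: bytes) -> list:
    """Report (identifier, status) for every Access-Request in the capture."""
    return [(pkt[1], message_authenticator_status(pkt, secret))
            for pkt in packets if pkt[0] == ACCESS_REQUEST]


if __name__ == "__main__":
    for ident, status in audit(sample_packets(), SECRET):
        print(f"Access-Request id={ident}: Message-Authenticator {status}")
```

A NAS whose requests come back as "missing" is the case the advisory flags for a firmware upgrade or RadSec; "invalid" on live traffic usually means a wrong shared secret, but it is also what a packet modified in transit looks like once the attribute is in use.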