Microsoft released an update for the Windows Server Network Policy Server (NPS) to address recently disclosed vulnerabilities in the Remote Access Dial-In User Service (RADIUS) protocol in the July 2024 security updates. RADIUS is an industry-standard authentication protocol widely used for remote access, including Always On VPN. The RADIUS protocol was first introduced in the early 1990s and, unfortunately, still relies on the deprecated MD5 cryptographic hash function. The good news is that this vulnerability does not affect Always On VPN. Read on to learn more.
Blast-RADIUS
Blast-RADIUS is an attack on the RADIUS protocol that allows an attacker to alter network authentication packets to gain access to a service relying on RADIUS for authentication by exploiting the weakness of MD5 integrity checks in RADIUS. In the absence other controls, an attacker could alter an authentication response and change the reply from Access-Reject to Access-Accept.
Considerations
It’s important to note that leveraging this attack is not trivial. It requires local network access, so the attacker must have a presence on the target network to carry out this attack. However, cloud-hosted RADIUS services are inherently more vulnerable. In addition, the attack is mostly academic today because the default timeout for authentication requests is typically short, usually between 5 and 30 seconds. This is not enough time (today) for an attacker to mount the attack. However, this attack could become more feasible if authentication timeouts are increased (sometimes required to support MFA) or if an attacker has access to vast computing resources.
Affected Protocols
Although Blast-RADIUS is a vulnerability in the RADIUS protocol itself, not all authentication protocols are affected. Specifically, this vulnerability affects services leveraging PAP, CHAP, MS-CHAP, and MS-CHAPv2. Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP) are not vulnerable to this attack. Since Always On VPN requires EAP authentication, it is not susceptible to this attack.
Mitigation
Microsoft has published guidance in KB5040268 for mitigating Blast-RADIUS attacks on Windows NPS servers. Specifically, administrators are encouraged to enable the Message-Authenticator attribute in Access-Request packets sent by the network access server and to ensure the NPS server requires the Message-Authenticator attribute in any Access-Request messages it receives.
Note: The following changes are not required for Always On VPN or any other workload using EAP-TLS or Protected EAP, as these protocols use TLS natively to protect the authentication exchange.
NPS
To configure this setting in the UI, open the NPS management console (nps.msc) and perform the following steps.
- Expand RADIUS Clients and Servers.
- Highlight RADIUS Clients.
- Right-click the RADIUS client to configure and choose Properties.
- Select the Advanced tab.
- Check the box next to Access-Request messages must contain the Message-Authenticator attribute.
PowerShell
To configure this setting using PowerShell, open an elevated PowerShell command window and run the following command.
Set-NpsRadiusClient -Name <RADIUS client name> -AuthAttributeRequired $True
Additional NPS Settings
Administrators should also run the following commands on their NPS servers to further protect their infrastructure from Blast-RADIUS attacks.
netsh.exe nps set limitproxystate all = enable
netsh.exe nps set requiremsgauth all = enable
RRAS
When using Windows Server Routing and Remote Access (RRAS) without EAP, ensure the RADIUS server configuration always includes the Message-Authenticator. To configure this setting, open the Routing and Remote Access console (rrasmgmt.msc) on the RRAS server and perform the following steps.
- Right-click the VPN server and choose Properties.
- Select the Security tab.
- Click the Configure button next to the Authentication provider drop-down list.
- Highlight the RADIUS server and choose Edit.
- Check the box next to Always use message authenticator.
Repeat these steps for any additional configured RADIUS servers.
CLI
Administrators can implement this change at the command line by opening an elevated command window and entering the following command.
netsh.exe ras aaaa set authserver name = <name of RADIUS server> signature = enabled
For example:
netsh.exe ras aaaa set authserver name = nps.lab.richardhicks.net signature = enabled
New NPS Events
After installing the KB5040268 update on NPS servers, the NPS server will record event ID 4421 from the NPS source after a service start if the RequireMsgAuth or LimitProxyState settings are not configured.
“RequireMsgAuth and/or limitProxyState configuration is in Disable mode. These settings should be configured in Enable mode for security purposes.”
Optional Mitigation
If administrators cannot configure the above settings, consider using IPsec to secure network traffic at the transport layer. IPsec will protect all RADIUS traffic at the network layer to mitigate Blast-RADIUS attacks. Unfortunately, Windows Server NPS does not support TLS or DTLS, so IPsec is your only option.
Summary
Always On VPN is not vulnerable to the Blast-RADIUS attack. However, NPS is commonly a shared service in many organizations, and other workloads may use older, vulnerable protocols. Consider implementing the changes detailed in KB5040268 as outlined in above to ensure the integrity of your environment and mitigate these potential attacks.
More Information
RADIUS Protocol Vulnerability Exposes Networks to MitM Attacks
New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere
Overview of Microsoft Protected Extensible Authentication Protocol (PEAP)
Erin Mc
/ July 15, 2024A warning to others out there with NPS who also have radius set up for their Cisco switches. This morning, I ran all the updates on the server and turned on the “Message Authenticator” check box. The newer Cisco switches were fine, but the older ones would time out. Even after unchecking the box and trying again, they still timed out. I had to point them to another NPS server that I hadn’t patched yet. Now to figure out what to do.
Richard M. Hicks
/ July 15, 2024Good to know. Indeed, the Message-Authenticator may not be compatible with some legacy systems. Always wise to test thoroughly before production deployment. 🙂