RADIUS Vulnerabilities

Impact

Background

The Problem

CAN 2001-1376
The first vulnerability is in the message digest calculation. During this calculation, the received packet together with a shared secret is copied into a buffer, without allocating space for the shared secret. This could allow a remote attacker to create a denial of service by overflowing the buffer with shared secret data. In some implementations, it could also be possible for an attacker to execute arbitrary commands if the shared secret is known. However, gaining knowledge of the shared secret can be very difficult.

CAN 2001-1377
The second vulnerability is caused by failure to check the vendor-length of vendor-specific attributes. A vendor-length less than 2 could cause RADIUS to calculate the attribute length as a negative number, leading to a denial of service.

The following RADIUS implementations are affected by one or both of the above vulnerabilities:

• Ascend RADIUS versions 1.16 and prior
• Cistron RADIUS versions 1.6.5 and prior
• FreeRADIUS versions 0.3 and prior
• GnuRADIUS versions 0.95 and prior
• ICRADIUS versions 0.18.1 and prior
• Livingston RADIUS versions 2.1 and earlier
• RADIUS (previously known as Lucent RADIUS) versions 2.1 and prior
• RADIUSClient versions 0.3.1 and prior
• XTRADIUS 1.1-pre1 and prior
• YARD RADIUS 1.0.19 and prior

Resolution

Where can I read more about this?