RADIUS Vulnerabilities
Created 3/11/02
CAN-2001-1376
CAN-2001-1377
Impact
A remote attacker could crash the RADIUS service (denial of
service) and, if the attacker knows the shared secret, possibly
execute arbitrary code with the privileges of the RADIUS server.
Background
RADIUS
(Remote Authentication Dial-In User Service) is a UDP-based protocol
(RFC 2865/2866) used by network access servers to authenticate remote
users against a central server and to record accounting data. Each
client and server share a secret that is used to authenticate packets
and to hide user passwords.
The Problem
There are two buffer overflow vulnerabilities affecting many
implementations of the RADIUS protocol, both triggered by packets
whose contents the server fails to bound-check before copying.
CAN-2001-1376
The first vulnerability is in the
message digest calculation. To compute the digest, the received
packet and the shared secret are copied together into a buffer
sized only for the maximum packet length; no space is reserved for
the shared secret. A packet at or near the maximum length therefore
pushes the shared secret past the end of the buffer. A remote
attacker can trigger this without knowing the secret, which is
enough to crash the service and cause a denial of service.
In some implementations it could also be possible for an attacker
to execute arbitrary code, but because the overflowing bytes are
the shared secret itself, doing so requires knowledge of the
secret, which can be very difficult to obtain.
CAN-2001-1377
The second vulnerability is caused
by failure to check the vendor-length field of vendor-specific
attributes (attribute type 26). The vendor-length counts itself and
the vendor-type byte, so the server derives the data length by
subtracting 2 from it. A vendor-length of 0 or 1 makes that result
negative, and the server then reads or copies far beyond the
attribute, leading to a denial of service.
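The two checks the vulnerable servers were missing, as an added example in C that is not code from the page, from CERT, or from any of the RADIUS implementations listed below. The function names, the constructed attributes (vendor id 42 is arbitrary), and the assumed 128-byte cap on the shared secret are all illustration choices; the MD5 step of the digest calculation is left out so that the block shows only the bounds checks, and the response authenticator would be MD5 over the bytes the first function assembles.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_MAX_PACKET     4096  /* RFC 2865: maximum packet length */
#define RADIUS_HDR_LEN        20    /* Code(1) Identifier(1) Length(2) Authenticator(16) */
#define ATTR_VENDOR_SPECIFIC  26
#define MAX_SECRET_LEN        128   /* assumed local limit on the shared secret */

/* CAN-2001-1376: the Response Authenticator is MD5 over
 * Code + ID + Length + RequestAuth + Attributes + Secret.  Vulnerable servers
 * copied the packet into a RADIUS_MAX_PACKET-byte buffer and appended the
 * secret with no room reserved for it.  Hardened form: the caller states its
 * buffer capacity and we refuse unless packet and secret both fit.
 * Returns bytes written (the MD5 input length), or -1 on malformed/too large. */
int build_digest_input(const uint8_t *pkt, size_t pkt_len,
                       const uint8_t *secret, size_t secret_len,
                       uint8_t *out, size_t out_cap)
{
    if (pkt_len < RADIUS_HDR_LEN || pkt_len > RADIUS_MAX_PACKET)
        return -1;
    /* written so that pkt_len + secret_len cannot wrap around */
    if (secret_len > out_cap || pkt_len > out_cap - secret_len)
        return -1;
    memcpy(out, pkt, pkt_len);
    memcpy(out + pkt_len, secret, secret_len);
    return (int)(pkt_len + secret_len);
}

/* Drive build_digest_input with a constructed packet of pkt_len filler bytes.
 * out_cap is the capacity a caller believes its buffer has; the vulnerable
 * code behaved as if it were RADIUS_MAX_PACKET.  -2: demo limits exceeded. */
int digest_input_demo(size_t pkt_len, size_t secret_len, size_t out_cap)
{
    static uint8_t pkt[RADIUS_MAX_PACKET];
    static uint8_t out[RADIUS_MAX_PACKET + MAX_SECRET_LEN];
    static const uint8_t secret[MAX_SECRET_LEN] = "constructed-shared-secret";

    if (pkt_len > sizeof pkt || secret_len > sizeof secret || out_cap > sizeof out)
        return -2;
    memset(pkt, 'A', pkt_len);
    return build_digest_input(pkt, pkt_len, secret, secret_len, out, out_cap);
}

/* CAN-2001-1377: a Vendor-Specific attribute is Type(1) Length(1) Vendor-Id(4)
 * followed by Vendor-Type(1) Vendor-Length(1) String(...) sub-attributes, where
 * Vendor-Length counts itself and Vendor-Type.  Vulnerable servers computed
 * the String length as Vendor-Length - 2, so 0 or 1 went negative.
 * Returns the number of sub-attributes, or -1 if the attribute is malformed. */
int parse_vsa(const uint8_t *attr, size_t attr_len)
{
    size_t length, off, vlen;
    int count = 0;

    if (attr_len < 2 || attr[0] != ATTR_VENDOR_SPECIFIC)
        return -1;
    length = attr[1];
    if (length < 7 || length > attr_len)        /* RFC 2865 5.26: Length >= 7 */
        return -1;
    off = 6;                                     /* skip Type, Length, Vendor-Id */
    while (off < length) {
        if (length - off < 2)                    /* no room for Vendor-Type/Length */
            return -1;
        vlen = attr[off + 1];
        if (vlen < 2)                            /* the CAN-2001-1377 case */
            return -1;
        if (vlen > length - off)                 /* sub-attribute overruns the VSA */
            return -1;
        count++;
        off += vlen;
    }
    return count;
}

/* Constructed attributes, not captured traffic. */
static const uint8_t vsa_ok[] = {
    26, 11, 0x00, 0x00, 0x00, 0x2a,      /* Type, Length, Vendor-Id */
    1, 5, 'a', 'b', 'c'                  /* Vendor-Type 1, Vendor-Length 5, "abc" */
};
static const uint8_t vsa_bad_vlen[] = {
    26, 8, 0x00, 0x00, 0x00, 0x2a,
    1, 1                                 /* Vendor-Length 1: data length would be -1 */
};
static const uint8_t vsa_overrun[] = {
    26, 11, 0x00, 0x00, 0x00, 0x2a,
    1, 200, 'a', 'b', 'c'                /* Vendor-Length past the end of the attribute */
};

int main(void)
{
    printf("max packet + 16-byte secret into 4096-byte buffer: %d\n",
           digest_input_demo(RADIUS_MAX_PACKET, 16, RADIUS_MAX_PACKET));
    printf("same, into a buffer with room for the secret:      %d\n",
           digest_input_demo(RADIUS_MAX_PACKET, 16, RADIUS_MAX_PACKET + MAX_SECRET_LEN));
    printf("well-formed VSA: %d, Vendor-Length 1: %d, overrunning sub-attribute: %d\n",
           parse_vsa(vsa_ok, sizeof vsa_ok),
           parse_vsa(vsa_bad_vlen, sizeof vsa_bad_vlen),
           parse_vsa(vsa_overrun, sizeof vsa_overrun));
    return 0;
}
```

The first call in main is the CAN-2001-1376 shape: a maximum-length packet into a buffer with no room for the secret, which the hardened function refuses rather than overflowing. A real server would also reject a packet whose header Length field disagrees with the number of bytes received, a check left out here to keep the block on the two flaws described above.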
The following RADIUS implementations are affected by one
or both of the above vulnerabilities:
- Ascend RADIUS versions 1.16 and prior
- Cistron RADIUS versions 1.6.5 and prior
- FreeRADIUS versions 0.3 and prior
- GnuRADIUS versions 0.95 and prior
- ICRADIUS versions 0.18.1 and prior
- Livingston RADIUS versions 2.1 and earlier
- RADIUS (previously known as Lucent RADIUS) versions 2.1 and prior
- RADIUSClient versions 0.3.1 and prior
- XTRADIUS 1.1-pre1 and prior
- YARD RADIUS 1.0.19 and prior
Resolution
Apply a vendor patch or upgrade. See
CERT Advisory CA-2002-06
for information pertaining to specific vendors.
It would also be a good idea to block access to RADIUS servers
at the network perimeter or firewall: RADIUS uses UDP ports 1812
and 1813 (older deployments use 1645 and 1646), so only known
network access servers should be able to reach them. Since code
execution depends on knowledge of the shared secret, also use a
long, random, per-client secret and change any secret that may
have been exposed.
Where can I read more about this?
For more information on this vulnerability, see
CERT Advisory CA-2002-06.
For technical details, see the original posting to
Bugtraq.