Vulnerability Note VU#277396
GNU Radius accounting service fails to properly handle exceptional Acct-Status-Type and Acct-Session-Id attributes
The GNU Radius accounting service fails to properly handle packets with exceptional Acct-Status-Type and Acct-Session-Id attributes.
GNU Radius is a software package used for remote user authentication and accounting. There is a vulnerability in the way the rad_print_request() function processes a UDP packet containing Acct-Status-Type and Acct-Session-Id attributes that do not specify values.
An attacker who is able to send a UDP packet to the service could cause the Radius daemon (radiusd) to crash. No authentication is required to exploit this vulnerability. The Radius accounting service typically listens on 1813/udp or 1646/udp.
Upgrade to GNU Radius version 1.2.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|GNU Radius||Affected||05 Feb 2004||05 Feb 2004|
CVSS Metrics (Learn More)
This vulnerability was reported by iDEFENSE Labs.
This document was written by Damon Morda and Art Manion.
- CVE IDs: Unknown
- Date Public: 04 Feb 2004
- Date First Published: 05 Feb 2004
- Date Last Updated: 05 Feb 2004
- Severity Metric: 7.94
- Document Revision: 15
If you have feedback, comments, or additional information about this vulnerability, please send us email.