Vulnerability Note VU#541574

freeRADIUS Server vulnerable to a denial-of-service attack

Original Release date: 06 Oct 2004 | Last revised: 01 Feb 2005

Overview

Multiple vulnerabilities in freeRADIUS Server may allow attackers to cause a denial-of-service condition.

Description

The Remote Authentication Dial In User Service (RADIUS) protocol, defined in RFC 2865 (authentication) and RFC 2866 (accounting), is used for remote user authentication and accounting. freeRADIUS Server is a popular open-source RADIUS server.

According to the freeRADIUS project, three independent bugs in freeRADIUS Server versions 0.8.0 through 1.0.0 inclusive may each cause a denial-of-service condition.

According to Alan T. DeKok from the freeRADIUS project these vulnerabilities are the result of:

  • The function which decodes RADIUS attributes into data structures did not properly check for malformed USR vendor-specific attributes. As a result, when the server received any packet containing a malformed USR VSA, it could be convinced to call "memcpy" with a length value of "-1", which memcpy would interpret as 0xffffffff. The resulting infinite copy would cause the server to core dump.
  • The function which decodes RADIUS attributes into data structures did not properly check for certain pre-conditions before decoding Ascend-Send-Secret and Ascend-Recv-Secret attributes. As a result, when the server received an Access-Request or Accounting-Request packet containing an Ascend-Send-Secret or Ascend-Recv-Secret attribute, it could be convinced to call a function to decode the contents of the attribute, with a NULL pointer, where that function expected a pointer to a valid data structure. That function would de-reference the NULL pointer, and cause the server to core dump.
  • The function which decodes RADIUS attributes into data structures did not properly clean up after itself if the Ascend-Send-Secret, Ascend-Recv-Secret, or Tunnel-Password attributes were received in an Access-Request packet. As a result, a previously allocated data structure was not freed, and the server would leak a data structure of approximately 300 bytes for every Access-Request packet it received which contained those RADIUS attributes. If sufficient packets matching that criteria were received, the server process would run out of memory, and would be killed by the OS.
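The first bug is a length-underflow pattern that is easy to reproduce in miniature. The following C program is an added example written for this note; it is not freeRADIUS code and does not reproduce its decoder. It assumes the USR vendor-specific attribute layout used by the freeRADIUS dictionary (Vendor-Id 429, a 4-byte vendor type and no vendor-length byte), uses constructed sample attributes rather than captured traffic, and all function and type names are illustrative. The vulnerable function only returns the value that the buggy code would hand to memcpy; it deliberately does not perform the copy. The hardened parser shows the check that was missing: the attribute length is validated against both the enclosing buffer and the minimum USR header size before any arithmetic on it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RADIUS attribute type 26: Vendor-Specific (RFC 2865 section 5.26). */
#define RAD_ATTR_VSA         26
/* US Robotics vendor id. Assumption: USR VSAs carry a 4-byte vendor type
 * and no vendor-length byte, as in the freeRADIUS dictionary.usr format. */
#define VENDOR_USR           429
#define RAD_ATTR_HDR_LEN     2   /* Type, Length */
#define VSA_VENDOR_ID_LEN    4
#define USR_VENDOR_TYPE_LEN  4
#define USR_VSA_MIN_LEN      (RAD_ATTR_HDR_LEN + VSA_VENDOR_ID_LEN + USR_VENDOR_TYPE_LEN)

/* Vulnerable pattern (reconstruction of the bug class, illustrative only):
 * the remaining length is kept in a signed int and never checked against
 * the USR header size, so an attribute whose Length byte is 9 yields -1.
 * Passed to memcpy(), -1 converts to SIZE_MAX (0xffffffff on 32-bit) and
 * the copy runs off the end of the packet until the process faults.
 * This function returns the value the vulnerable code would pass to memcpy()
 * and does not copy anything. */
int vuln_usr_value_len(const uint8_t *attr)
{
    int length = attr[1] - RAD_ATTR_HDR_LEN;   /* bytes after Type/Length */
    length -= VSA_VENDOR_ID_LEN;               /* step over Vendor-Id */
    length -= USR_VENDOR_TYPE_LEN;             /* step over 4-byte vendor type */
    return length;                             /* negative for short attrs */
}

/* Hardened decoder: every length is unsigned, bounded by the buffer it
 * lives in, and checked before any pointer arithmetic or copy. */
typedef struct {
    uint32_t       vendor_id;
    uint32_t       vendor_type;
    const uint8_t *value;      /* points into the caller's buffer */
    size_t         value_len;
} usr_vsa_t;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 and fills *out on success, -1 if the attribute is malformed. */
int parse_usr_vsa(const uint8_t *buf, size_t buflen, usr_vsa_t *out)
{
    if (buflen < RAD_ATTR_HDR_LEN) return -1;                    /* no header */
    if (buf[0] != RAD_ATTR_VSA)    return -1;                    /* not a VSA */
    size_t attrlen = buf[1];                                     /* 0..255 */
    if (attrlen < RAD_ATTR_HDR_LEN || attrlen > buflen) return -1; /* must fit packet */
    if (attrlen < USR_VSA_MIN_LEN) return -1;                    /* the missing check */
    if (be32(buf + RAD_ATTR_HDR_LEN) != VENDOR_USR) return -1;   /* other vendors differ */

    out->vendor_id   = VENDOR_USR;
    out->vendor_type = be32(buf + RAD_ATTR_HDR_LEN + VSA_VENDOR_ID_LEN);
    out->value       = buf + USR_VSA_MIN_LEN;
    out->value_len   = attrlen - USR_VSA_MIN_LEN;                /* cannot underflow now */
    return 0;
}

/* Constructed sample attributes (not captured traffic). */
/* Well-formed: Type 26, Length 13, Vendor-Id 429, USR type 1, value "abc". */
const uint8_t sample_good[] = { 26, 13, 0x00,0x00,0x01,0xAD, 0x00,0x00,0x00,0x01, 'a','b','c' };
/* Malformed: Length 9 is one byte short of a complete USR vendor type. */
const uint8_t sample_bad[]  = { 26,  9, 0x00,0x00,0x01,0xAD, 0x00,0x00,0x00 };

int main(void)
{
    usr_vsa_t v;
    printf("vulnerable length for short attr: %d\n", vuln_usr_value_len(sample_bad));
    printf("hardened parse of short attr: %d\n", parse_usr_vsa(sample_bad, sizeof sample_bad, &v));
    if (parse_usr_vsa(sample_good, sizeof sample_good, &v) == 0) {
        char val[256];
        memcpy(val, v.value, v.value_len);   /* safe: value_len <= 253 - 8 */
        val[v.value_len] = '\0';
        printf("USR type %u, value \"%s\"\n", (unsigned)v.vendor_type, val);
    }
    return 0;
}
```

The same discipline addresses the other two bugs in the list: decode an attribute only after every precondition it needs (a non-NULL original request for Ascend-Send-Secret and Ascend-Recv-Secret) has been verified, and make every early-return path release whatever the decoder allocated before it.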

Impact

A remote attacker may be able to crash the freeRADIUS Server causing a denial-of-service condition.

Solution

Upgrade freeRADIUS

These vulnerabilities were corrected in freeRADIUS Server version 1.0.1.

Limit Access to freeRADIUS

To reduce exposure, restrict access to the freeRADIUS service so that only trusted hosts (the NAS devices and proxies that legitimately send requests) can reach UDP port 1812 (authentication) and UDP port 1813 (accounting), or the legacy ports 1645 and 1646 if the server is configured to listen on them. Because RADIUS runs over UDP, source-address filtering can be defeated by spoofed packets from networks without ingress filtering; treat this as a mitigation that narrows the attack surface, not as a substitute for upgrading.

Systems Affected

Vendor                  Status         Date Notified   Date Updated
Debian                  Affected       05 Oct 2004     18 Oct 2004
FreeRADIUS              Affected       28 Sep 2004     29 Sep 2004
Apple Computer Inc.     Not Affected   05 Oct 2004     01 Feb 2005
Chiaro Networks         Not Affected   05 Oct 2004     07 Oct 2004
Foundry Networks Inc.   Not Affected   05 Oct 2004     06 Oct 2004
Hitachi                 Not Affected   05 Oct 2004     08 Oct 2004
Intoto                  Not Affected   05 Oct 2004     14 Oct 2004
Stonesoft               Not Affected   05 Oct 2004     07 Oct 2004
3Com                    Unknown        05 Oct 2004     05 Oct 2004
Alcatel                 Unknown        05 Oct 2004     05 Oct 2004
AT&T                    Unknown        05 Oct 2004     05 Oct 2004
Avaya                   Unknown        05 Oct 2004     05 Oct 2004
Avici Systems Inc.      Unknown        05 Oct 2004     05 Oct 2004
Borderware              Unknown        05 Oct 2004     05 Oct 2004
BSDI                    Unknown        05 Oct 2004     11 Oct 2004

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A

References

Credit

These vulnerabilities were publicly reported in a Secunia Security Advisory.

We thank Alan T. DeKok of freeRADIUS for providing information regarding this vulnerability.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: CAN-2004-0938 (now CVE-2004-0938)
  • Date Public: 20 Sep 2004
  • Date First Published: 06 Oct 2004
  • Date Last Updated: 01 Feb 2005
  • Severity Metric: 2.83
  • Document Revision: 129
