Vulnerability Note VU#541574
freeRADIUS Server vulnerable to a denial-of-service attack
Overview
Multiple vulnerabilities in freeRADIUS Server may allow attackers to cause a denial-of-service condition.
I. Description
The Remote Authentication Dial In User Service (RADIUS) protocol is used for remote user authentication and accounting. freeRADIUS Server is a popular open-source RADIUS server.
According to freeRADIUS, three independent bugs in freeRADIUS Server versions 0.8.0 to 1.0.0 inclusive may cause a denial-of-service condition.
According to Alan T. DeKok from the freeRADIUS project, these vulnerabilities are the result of:
- The function which decodes RADIUS attributes into data structures did not properly check for malformed USR vendor-specific attributes. As a result, when the server received any packet containing a malformed USR VSA, it could be convinced to call "memcpy" with a length value of "-1", which memcpy would interpret as 0xffffffff. The resulting infinite copy would cause the server to core dump.
- The function which decodes RADIUS attributes into data structures did not properly check for certain pre-conditions before decoding Ascend-Send-Secret and Ascend-Recv-Secret attributes. As a result, when the server received an Access-Request or Accounting-Request packet containing an Ascend-Send-Secret or Ascend-Recv-Secret attribute, it could be convinced to call a function to decode the contents of the attribute, with a NULL pointer, where that function expected a pointer to a valid data structure. That function would de-reference the NULL pointer, and cause the server to core dump.
- The function which decodes RADIUS attributes into data structures did not properly clean up after itself if the Ascend-Send-Secret, Ascend-Recv-Secret, or Tunnel-Password attributes were received in an Access-Request packet. As a result, a previously allocated data structure was not freed, and the server would leak a data structure of approximately 300 bytes for every Access-Request packet it received which contained those RADIUS attributes. If sufficient packets matching those criteria were received, the server process would run out of memory, and would be killed by the OS.
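The kind of length check the first item describes as missing, shown as an added illustration (this is not freeRADIUS source code). It contrasts unchecked signed length arithmetic, which yields -1 on a truncated vendor-specific attribute, with a decoder that validates the length before copying. The attribute layout (a 4-byte vendor type after the 4-byte Vendor-Id), the names `struct vsa`, `naive_payload_len` and `decode_vsa`, and the sample bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ATTR_VENDOR_SPECIFIC 26  /* RFC 2865 attribute type */
#define VSA_HDR 10  /* type + length + 4-byte Vendor-Id + assumed 4-byte vendor type */

struct vsa {                     /* hypothetical decoded form */
    uint32_t vendor_id, vendor_type;
    size_t   len;
    uint8_t  data[255 - VSA_HDR];
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Unchecked arithmetic: the signed result goes negative on a short
 * attribute, and converting it to size_t turns -1 into SIZE_MAX. */
int naive_payload_len(const uint8_t *attr) {
    return (int)attr[1] - VSA_HDR;
}

/* Hardened decode: returns 0 on success, -1 if the attribute is malformed. */
int decode_vsa(const uint8_t *attr, size_t avail, struct vsa *out) {
    if (avail < 2 || attr[0] != ATTR_VENDOR_SPECIFIC) return -1;
    size_t attrlen = attr[1];          /* length includes the 2-byte header */
    if (attrlen > avail) return -1;    /* claims more bytes than were received */
    if (attrlen < VSA_HDR) return -1;  /* too short for the vendor headers */
    out->vendor_id   = be32(attr + 2);
    out->vendor_type = be32(attr + 6);
    out->len         = attrlen - VSA_HDR;  /* cannot wrap: attrlen >= VSA_HDR */
    memcpy(out->data, attr + VSA_HDR, out->len);
    return 0;
}

/* Constructed samples; vendor id 0x0000ABCD is a made-up value. */
const uint8_t SAMPLE_OK[]    = {26, 12, 0, 0, 0xAB, 0xCD, 0, 0, 0, 1, 'h', 'i'};
const uint8_t SAMPLE_SHORT[] = {26,  9, 0, 0, 0xAB, 0xCD, 0, 0, 0};

int main(void) {
    struct vsa v;
    return (decode_vsa(SAMPLE_OK, sizeof SAMPLE_OK, &v) == 0 &&
            decode_vsa(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &v) == -1) ? 0 : 1;
}
```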
II. Impact
A remote attacker may be able to crash the freeRADIUS Server, causing a denial-of-service condition.
III. Solution
Upgrade freeRADIUS
These vulnerabilities were corrected in freeRADIUS Server version 1.0.1.
Limit Access to freeRADIUS
To reduce the impact of exploitation, access to freeRADIUS services should be restricted to only trusted hosts on necessary ports (1812 UDP for Authentication and 1813 UDP for Accounting).
Systems Affected
References
http://secunia.com/advisories/12570/
http://www.securitytracker.com/alerts/2004/Sep/1011364.html
http://www.freeradius.org/security.html
Credit
This vulnerability was publicly reported by Secunia Security Advisories.
We thank Alan T. DeKok of freeRADIUS for providing information regarding this vulnerability.
This document was written by Jeff Gennari.
Other Information
| Date Public: | 2004-09-20 |
| Date First Published: | 2004-10-06 |
| Date Last Updated: | 2005-02-01 |
| CERT Advisory: | |
| CVE-ID(s): | CAN-2004-0938 |
| NVD-ID(s): | CAN-2004-0938 |
| US-CERT Technical Alerts: | |
| Metric: | 2.83 |
| Document Revision: | 129 |