Vulnerability Note VU#589523

Multiple implementations of the RADIUS protocol contain a digest calculation buffer overflow

Original Release date: 04 Mar 2002 | Last revised: 16 Apr 2002

Overview

Multiple implementations of the RADIUS protocol contain a buffer overflow in the function that calculates message digests.

Description

During the message digest calculation, a string containing the shared secret is concatenated with a packet received without checking the size of the target buffer. This makes it possible to overflow the buffer with shared secret data. This can lead to denial of service against the server. If the shared secret is known by the attacker, then it may be possible to use this information to execute arbitrary code with the privileges of the victim RADIUS server or client, usually root. It should be noted that gaining knowledge of the shared secret is not a trivial task.

Certain implementations of RADIUS vulnerable to VU#589523 may allow the execution of code if multiple packets are processed in the same thread, and the last 1 or 2 bytes of the shared secret is with in a certain range. In this case, specific knowledge of the shared secret is not required.

Impact

Without knowledge of the shared secret, an attacker can cause a denial of service against the server, or the client via the server response. With knowledge of the shared secret, an attacker may be able to execute arbitrary code. In certain implementations, specific knowledge of the shared secret is not required to execute arbitrary code if the last 1 or 2 bytes of the shared secret are with in a certain range.

Solution

Apply a patch or upgrade to the version specified by your vendor.

Implementing a firewall to filter packets from outside of your network perimeter from being sent to the RADIUS server may help reduce the risk of attack. Note that this is not sufficient to prevent the vulnerability from being exploited by users who are within your network perimeter.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
CistronAffected30 Jan 200219 Feb 2002
ConectivaAffected-07 Mar 2002
FreeBSDAffected03 Jan 200220 Feb 2002
FreeRADIUSAffected26 Feb 200227 Feb 2002
GnuRADIUSAffected-20 Feb 2002
ICRADIUSAffected30 Jan 200220 Feb 2002
LucentAffected30 Jan 200205 Mar 2002
NETBSDAffected03 Jan 200220 Feb 2002
NovellAffected05 Mar 200212 Apr 2002
RADIUSAffected18 Feb 200204 Mar 2002
RADIUSClientAffected30 Jan 200220 Feb 2002
Red HatAffected03 Jan 200220 Feb 2002
Secure Computing CorporationAffected-16 Apr 2002
VircomAffected-02 Apr 2002
XTRADIUSAffected30 Jan 200220 Feb 2002
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Our thanks to Joshua Hill <josh-radius@untruth.org> and 3APA3A <3APA3A@SECURITY.NNOV.RU> for their report and analysis of this vulnerability.

This document was written by Jason Rafail and is based on information provided by 3APA3A.

Other Information

  • CVE IDs: Unknown
  • CERT Advisory: CA-2002-06
  • Date Public: 12 Nov 2001
  • Date First Published: 04 Mar 2002
  • Date Last Updated: 16 Apr 2002
  • Severity Metric: 5.74
  • Document Revision: 21

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.