|
|
|
Vulnerability Note VU#589523Multiple implementations of the RADIUS protocol contain a digest calculation buffer overflowOverviewMultiple implementations of the RADIUS protocol contain a buffer overflow in the function that calculates message digests.I. DescriptionDuring the message digest calculation, a string containing the shared secret is concatenated with a packet received without checking the size of the target buffer. This makes it possible to overflow the buffer with shared secret data. This can lead to denial of service against the server. If the shared secret is known by the attacker, then it may be possible to use this information to execute arbitrary code with the privileges of the victim RADIUS server or client, usually root. It should be noted that gaining knowledge of the shared secret is not a trivial task.Certain implementations of RADIUS vulnerable to VU#589523 may allow the execution of code if multiple packets are processed in the same thread, and the last 1 or 2 bytes of the shared secret is with in a certain range. In this case, specific knowledge of the shared secret is not required.
Implementing a firewall to filter packets from outside of your network perimeter from being sent to the RADIUS server may help reduce the risk of attack. Note that this is not sufficient to prevent the vulnerability from being exploited by users who are within your network perimeter.
References
Our thanks to Joshua Hill <josh-radius@untruth.org> and 3APA3A <3APA3A@SECURITY.NNOV.RU> for their report and analysis of this vulnerability. This document was written by Jason Rafail and is based on information provided by 3APA3A.
If you have feedback, comments, or additional information about this vulnerability, please send us
email. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||