Vulnerability Note VU#589523
Multiple implementations of the RADIUS protocol contain a digest calculation buffer overflow
Overview
Multiple implementations of the RADIUS protocol contain a buffer overflow in the function that calculates message digests.
Description
During the message digest calculation, a string containing the shared secret is concatenated with a received packet without checking the size of the target buffer. This makes it possible to overflow the buffer with shared secret data. This can lead to denial of service against the server. If the shared secret is known by the attacker, then it may be possible to use this information to execute arbitrary code with the privileges of the victim RADIUS server or client, usually root. It should be noted that gaining knowledge of the shared secret is not a trivial task. Certain implementations of RADIUS vulnerable to VU#589523 may allow the execution of code if multiple packets are processed in the same thread and the last 1 or 2 bytes of the shared secret are within a certain range. In this case, specific knowledge of the shared secret is not required.
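The length check that the affected digest routines omit, shown as an added illustration rather than code from any of the implementations listed below: the digest input (packet bytes followed by the shared secret) is assembled only after confirming that the declared packet length and the secret both fit the target buffer. The secret "s3cret", the 128-byte secret bound and the sample Access-Accept packet are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RADIUS_HDR_LEN 20    /* Code, Identifier, Length, Authenticator */
#define RADIUS_MAX_LEN 4096  /* maximum packet length per RFC 2865 */
#define SECRET_MAX_LEN 128   /* assumed local bound on the shared secret */

/* Assemble the digest input (packet bytes followed by the shared secret)
 * into out. The vulnerable routines copied the packet and then appended the
 * secret without comparing the combined size to the buffer; this version
 * returns -1 unless both parts fit, otherwise the number of bytes written. */
int radius_digest_input(const uint8_t *pkt, size_t pkt_len,
                        const char *secret, uint8_t *out, size_t out_cap)
{
    if (pkt == NULL || secret == NULL || out == NULL) return -1;
    if (pkt_len < RADIUS_HDR_LEN || pkt_len > RADIUS_MAX_LEN) return -1;
    /* Octets 2-3 carry the declared length; bytes past it are padding, and
     * a declared length larger than what actually arrived is malformed. */
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > pkt_len) return -1;
    size_t secret_len = strlen(secret);
    if (secret_len > SECRET_MAX_LEN) return -1;
    /* The check the note says was missing: packet + secret must fit in out. */
    if (secret_len > out_cap || declared > out_cap - secret_len) return -1;
    memcpy(out, pkt, declared);
    memcpy(out + declared, secret, secret_len);
    return (int)(declared + secret_len);
}

/* Constructed sample: Access-Accept (code 2), id 7, length 24, a 16-byte
 * authenticator of 0x11 bytes, one Reply-Message (type 18) attribute "ok". */
static const uint8_t SAMPLE_PKT[24] = {
    0x02, 0x07, 0x00, 0x18,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x12, 0x04, 'o', 'k'
};

/* Run the sample through the check with a digest buffer of out_cap bytes;
 * the constructed secret "s3cret" adds 6 bytes, so 30 bytes are needed. */
int demo_sample(size_t out_cap)
{
    uint8_t out[RADIUS_MAX_LEN + SECRET_MAX_LEN];
    if (out_cap > sizeof(out)) return -1;
    return radius_digest_input(SAMPLE_PKT, sizeof(SAMPLE_PKT), "s3cret",
                               out, out_cap);
}
```

A buffer sized for the packet alone (24 bytes here) is rejected, which is exactly the case the vulnerable code silently overran.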
Impact
Without knowledge of the shared secret, an attacker can cause a denial of service against the server, or against the client via the server response. With knowledge of the shared secret, an attacker may be able to execute arbitrary code. In certain implementations, specific knowledge of the shared secret is not required to execute arbitrary code if the last 1 or 2 bytes of the shared secret are within a certain range.
Solution
Apply a patch or upgrade to the version specified by your vendor.
Implementing a firewall to filter packets from outside of your network perimeter from being sent to the RADIUS server may help reduce the risk of attack. Note that this is not sufficient to prevent the vulnerability from being exploited by users who are within your network perimeter.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Cistron | Affected | 30 Jan 2002 | 19 Feb 2002 |
| Conectiva | Affected | - | 07 Mar 2002 |
| FreeBSD | Affected | 03 Jan 2002 | 20 Feb 2002 |
| FreeRADIUS | Affected | 26 Feb 2002 | 27 Feb 2002 |
| GnuRADIUS | Affected | - | 20 Feb 2002 |
| ICRADIUS | Affected | 30 Jan 2002 | 20 Feb 2002 |
| Lucent | Affected | 30 Jan 2002 | 05 Mar 2002 |
| NETBSD | Affected | 03 Jan 2002 | 20 Feb 2002 |
| Novell | Affected | 05 Mar 2002 | 12 Apr 2002 |
| RADIUS | Affected | 18 Feb 2002 | 04 Mar 2002 |
| RADIUSClient | Affected | 30 Jan 2002 | 20 Feb 2002 |
| Red Hat | Affected | 03 Jan 2002 | 20 Feb 2002 |
| Secure Computing Corporation | Affected | - | 16 Apr 2002 |
| Vircom | Affected | - | 02 Apr 2002 |
| XTRADIUS | Affected | 30 Jan 2002 | 20 Feb 2002 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
Credit
Our thanks to Joshua Hill <josh-radius@untruth.org> and 3APA3A <3APA3A@SECURITY.NNOV.RU> for their report and analysis of this vulnerability.
This document was written by Jason Rafail and is based on information provided by 3APA3A.
Other Information
- CVE IDs: Unknown
- CERT Advisory: CA-2002-06
- Date Public: 12 Nov 2001
- Date First Published: 04 Mar 2002
- Date Last Updated: 16 Apr 2002
- Severity Metric: 5.74
- Document Revision: 21