SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#936683

Multiple implementations of the RADIUS protocol do not adequately validate the vendor-length of the vendor-specific attributes

Overview

Various RADIUS servers and clients permit the passing of vendor-specific and user-specific attributes. Several implementations of RADIUS fail to check the Vendor-Length of the Vendor-Specific attribute. It's possible to cause a denial of service against RADIUS servers with a malformed Vendor-Specific attribute.

I. Description

RADIUS servers and clients fail to validate the Vendor-Length inside Vendor-Specific attributes. The Vendor-Length shouldn't be less than 2. If Vendor-Length is less than 2, the RADIUS server (or client) calculates the attribute length as a negative number. The attribute length is then used in various functions. In most RADIUS servers the function that performs this calculation is rad_recv() or radrecv(). Some applications may use the same logic to validate user-specific attributes and be vulnerable via the same method. For example, YARDRadius contains this vulnerability in the handling of the User-Specific attributes only.

II. Impact

It is possible to cause a denial of service against the RADIUS server with a malformed Vendor-Specific attribute. Though unlikely, if a RADIUS client processes the Vendor-Specific attribute contained in a server response, then the client may also be vulnerable.

III. Solution

Apply a patch or upgrade to the version specified by your vendor.

Systems Affected
VendorStatusDate NotifiedDate Updated
AlcatelNot Vulnerable2-Apr-2002
AppleNot Vulnerable19-Feb-2002
Athena OnlineNot Vulnerable12-Mar-2002
CiscoNot Vulnerable4-Mar-2002
CistronVulnerable19-Feb-2002
ConectivaVulnerable7-Mar-2002
FreeBSDVulnerable19-Feb-2002
FreeRADIUSVulnerable27-Feb-2002
FujitsuNot Vulnerable20-Feb-2002
Funk SoftwareNot Vulnerable28-Mar-2002
GnuRADIUSVulnerable20-Feb-2002
Hewlett PackardNot Vulnerable20-Feb-2002
IBMNot Vulnerable20-Feb-2002
ICRADIUSVulnerable20-Feb-2002
Interlink NetworksNot Vulnerable18-Mar-2002
Juniper NetworksNot Vulnerable20-Feb-2002
LucentVulnerable5-Mar-2002
MicrosoftNot Vulnerable20-Feb-2002
NbaseVulnerable12-Apr-2002
NETBSDVulnerable20-Feb-2002
Open System ConsultantsVulnerable12-Mar-2002
Process SoftwareNot Vulnerable20-Feb-2002
RADIUSNot Vulnerable4-Mar-2002
RADIUSClientNot Vulnerable20-Feb-2002
Red HatVulnerable20-Feb-2002
SCONot Vulnerable19-Feb-2002
Secure Computing CorporationVulnerable16-Apr-2002
SGINot Vulnerable20-Feb-2002
VircomNot Vulnerable2-Apr-2002
Wind River SystemsNot Vulnerable4-Mar-2002
XTRADIUSVulnerable20-Feb-2002
YARD RADIUSVulnerable20-Feb-2002

References


http://www.freeradius.org
http://online.securityfocus.com/bid/4230

Credit

Our thanks to 3APA3A <3APA3A@SECURITY.NNOV.RU> for the report and analysis of this vulnerability.

This document was written by Jason Rafail and is based on information provided by 3APA3A.

Other Information

Date Public:2001-11-29
Date First Published:2002-03-04
Date Last Updated:2002-04-16
CERT Advisory:CA-2002-06
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:1.77
Document Revision:18

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2002 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader