Vulnerability Note VU#936683
Multiple implementations of the RADIUS protocol do not adequately validate the vendor-length of the vendor-specific attributes
Various RADIUS servers and clients permit the passing of vendor-specific and user-specific attributes. Several implementations of RADIUS fail to check the Vendor-Length of the Vendor-Specific attribute. It's possible to cause a denial of service against RADIUS servers with a malformed Vendor-Specific attribute.
RADIUS servers and clients fail to validate the Vendor-Length inside Vendor-Specific attributes. The Vendor-Length shouldn't be less than 2. If Vendor-Length is less than 2, the RADIUS server (or client) calculates the attribute length as a negative number. The attribute length is then used in various functions. In most RADIUS servers the function that performs this calculation is rad_recv() or radrecv(). Some applications may use the same logic to validate user-specific attributes and be vulnerable via the same method. For example, YARDRadius contains this vulnerability in the handling of the User-Specific attributes only.
It is possible to cause a denial of service against the RADIUS server with a malformed Vendor-Specific attribute. Though unlikely, if a RADIUS client processes the Vendor-Specific attribute contained in a server response, then the client may also be vulnerable.
Apply a patch or upgrade to the version specified by your vendor.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Cistron||Affected||30 Jan 2002||19 Feb 2002|
|Conectiva||Affected||-||07 Mar 2002|
|FreeBSD||Affected||03 Jan 2002||19 Feb 2002|
|FreeRADIUS||Affected||26 Feb 2002||27 Feb 2002|
|GnuRADIUS||Affected||-||20 Feb 2002|
|ICRADIUS||Affected||30 Jan 2002||20 Feb 2002|
|Lucent||Affected||30 Jan 2002||05 Mar 2002|
|Nbase||Affected||05 Mar 2002||12 Apr 2002|
|NETBSD||Affected||03 Jan 2002||20 Feb 2002|
|Open System Consultants||Affected||-||12 Mar 2002|
|Red Hat||Affected||03 Jan 2002||20 Feb 2002|
|Secure Computing Corporation||Affected||-||16 Apr 2002|
|XTRADIUS||Affected||30 Jan 2002||20 Feb 2002|
|YARD RADIUS||Affected||30 Jan 2002||20 Feb 2002|
|Alcatel||Not Affected||-||02 Apr 2002|
CVSS Metrics (Learn More)
Our thanks to 3APA3A <3APA3A@SECURITY.NNOV.RU> for the report and analysis of this vulnerability.
This document was written by Jason Rafail and is based on information provided by 3APA3A.
- CVE IDs: Unknown
- CERT Advisory: CA-2002-06
- Date Public: 29 Nov 2001
- Date First Published: 04 Mar 2002
- Date Last Updated: 16 Apr 2002
- Severity Metric: 1.77
- Document Revision: 18
If you have feedback, comments, or additional information about this vulnerability, please send us email.