Vulnerability Note VU#936683
Multiple implementations of the RADIUS protocol do not adequately validate the vendor-length of the vendor-specific attributes
Overview
Various RADIUS servers and clients permit the passing of vendor-specific and user-specific attributes. Several implementations of RADIUS fail to check the Vendor-Length of the Vendor-Specific attribute. It is possible to cause a denial of service against RADIUS servers with a malformed Vendor-Specific attribute.
Description
RADIUS servers and clients fail to validate the Vendor-Length inside Vendor-Specific attributes. The Vendor-Length should not be less than 2, since it counts the two header bytes (Vendor-Type and Vendor-Length) as well as the value. If Vendor-Length is less than 2, the RADIUS server (or client) calculates the attribute length as a negative number. The attribute length is then used in various functions. In most RADIUS servers the function that performs this calculation is rad_recv() or radrecv(). Some applications may use the same logic to validate user-specific attributes and be vulnerable via the same method. For example, YARDRadius contains this vulnerability in the handling of the User-Specific attributes only.
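The following C example is added here to illustrate the arithmetic the note describes; it is not code from the note or from any of the listed vendors' implementations. It places the unchecked `vendor_length - 2` computation next to a bounds-checked parser for the Vendor-Specific attribute (Type 26) as laid out in RFC 2865, and runs both over two constructed sample attributes. The vendor id, sub-attribute type and value bytes are invented for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RADIUS attribute layout (RFC 2865 section 5): Type(1) Length(1) Value.
 * Vendor-Specific (Type 26): Length covers Type, Length, Vendor-Id(4) and the
 * vendor sub-attributes, so Length >= 7. Each sub-attribute is
 * Vendor-Type(1) Vendor-Length(1) Value, and Vendor-Length includes its own
 * two header bytes, so the smallest legal Vendor-Length is 2. */
#define RADIUS_ATTR_VENDOR_SPECIFIC 26

typedef struct {
    uint32_t vendor_id;
    uint8_t vendor_type;
    size_t value_len;
    const uint8_t *value;
} vsa_sub_t;

/* The defect described in the note, in isolation: the value length is derived
 * from Vendor-Length with signed arithmetic and no lower-bound check, so a
 * Vendor-Length of 0 or 1 yields a negative length that later code would
 * pass on to copies and lookups. Returned here, never used as a size. */
int vsa_value_len_unchecked(uint8_t vendor_length) {
    return (int)vendor_length - 2;   /* -2 or -1 when vendor_length < 2 */
}

/* Hardened parser: walks the sub-attributes of one Vendor-Specific attribute,
 * rejecting any whose Vendor-Length is below 2 or runs past the enclosing
 * attribute. Returns the number of sub-attributes, or -1 on malformed input. */
int parse_vsa(const uint8_t *attr, size_t avail, vsa_sub_t *out, size_t max_out) {
    if (avail < 7 || attr[0] != RADIUS_ATTR_VENDOR_SPECIFIC) return -1;
    size_t attr_len = attr[1];
    if (attr_len < 7 || attr_len > avail) return -1;   /* outer Length bounds */

    uint32_t vendor_id = ((uint32_t)attr[2] << 24) | ((uint32_t)attr[3] << 16) |
                         ((uint32_t)attr[4] << 8)  |  (uint32_t)attr[5];
    size_t pos = 6, count = 0;
    while (pos < attr_len) {
        if (attr_len - pos < 2) return -1;   /* truncated sub-attribute header */
        uint8_t vtype = attr[pos];
        uint8_t vlen  = attr[pos + 1];
        if (vlen < 2) return -1;             /* the check the affected code lacked */
        if (vlen > attr_len - pos) return -1; /* sub-attribute overruns attribute */
        if (count < max_out) {
            out[count].vendor_id   = vendor_id;
            out[count].vendor_type = vtype;
            out[count].value_len   = (size_t)vlen - 2;   /* safe: vlen >= 2 */
            out[count].value       = attr + pos + 2;
        }
        count++;
        pos += vlen;
    }
    return (int)count;
}

/* Constructed sample attributes (not captured traffic). Vendor id 0x1234 is a
 * placeholder. The second one has a legal outer Length of 8 and a single
 * sub-attribute whose Vendor-Length is 0, which is exactly the malformed case. */
static const uint8_t SAMPLE_GOOD_VSA[] = { 26, 14, 0x00, 0x00, 0x12, 0x34,
                                           1, 8, 'a', 'b', 'c', 'd', 'e', 'f' };
static const uint8_t SAMPLE_BAD_VSA[]  = { 26, 8, 0x00, 0x00, 0x12, 0x34, 1, 0 };

int demo_good(void) {
    vsa_sub_t out[4];
    return parse_vsa(SAMPLE_GOOD_VSA, sizeof SAMPLE_GOOD_VSA, out, 4);
}

int demo_bad(void) {
    vsa_sub_t out[4];
    return parse_vsa(SAMPLE_BAD_VSA, sizeof SAMPLE_BAD_VSA, out, 4);
}

/* Value length of the first sub-attribute in the good sample (6 bytes). */
long demo_good_value_len(void) {
    vsa_sub_t out[4];
    if (parse_vsa(SAMPLE_GOOD_VSA, sizeof SAMPLE_GOOD_VSA, out, 4) < 1) return -1;
    return (long)out[0].value_len;
}

int main(void) {
    printf("unchecked length for Vendor-Length 0: %d\n", vsa_value_len_unchecked(0));
    printf("checked parse of good sample: %d sub-attribute(s)\n", demo_good());
    printf("checked parse of bad sample:  %d (rejected)\n", demo_bad());
    return 0;
}
```

The outer Length check alone does not catch the malformed sample, because an attribute of Length 8 is well-formed at the attribute level; only the per-sub-attribute lower bound on Vendor-Length rejects it, which is why the note treats the missing check as a distinct defect from ordinary attribute-length validation.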
Impact
It is possible to cause a denial of service against the RADIUS server with a malformed Vendor-Specific attribute. Though unlikely, if a RADIUS client processes the Vendor-Specific attribute contained in a server response, then the client may also be vulnerable.
Solution
Apply a patch or upgrade to the version specified by your vendor.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Cistron | Affected | 30 Jan 2002 | 19 Feb 2002 |
| Conectiva | Affected | - | 07 Mar 2002 |
| FreeBSD | Affected | 03 Jan 2002 | 19 Feb 2002 |
| FreeRADIUS | Affected | 26 Feb 2002 | 27 Feb 2002 |
| GnuRADIUS | Affected | - | 20 Feb 2002 |
| ICRADIUS | Affected | 30 Jan 2002 | 20 Feb 2002 |
| Lucent | Affected | 30 Jan 2002 | 05 Mar 2002 |
| Nbase | Affected | 05 Mar 2002 | 12 Apr 2002 |
| NETBSD | Affected | 03 Jan 2002 | 20 Feb 2002 |
| Open System Consultants | Affected | - | 12 Mar 2002 |
| Red Hat | Affected | 03 Jan 2002 | 20 Feb 2002 |
| Secure Computing Corporation | Affected | - | 16 Apr 2002 |
| XTRADIUS | Affected | 30 Jan 2002 | 20 Feb 2002 |
| YARD RADIUS | Affected | 30 Jan 2002 | 20 Feb 2002 |
| Alcatel | Not Affected | - | 02 Apr 2002 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
Credit
Our thanks to 3APA3A <3APA3A@SECURITY.NNOV.RU> for the report and analysis of this vulnerability.
This document was written by Jason Rafail and is based on information provided by 3APA3A.
Other Information
- CVE IDs: Unknown
- CERT Advisory: CA-2002-06
- Date Public: 29 Nov 2001
- Date First Published: 04 Mar 2002
- Date Last Updated: 16 Apr 2002
- Severity Metric: 1.77
- Document Revision: 18