Lucent Information for VU#936683
Multiple implementations of the RADIUS protocol do not adequately validate the vendor-length of the vendor-specific attributes
- Vendor Information Help Date Notified: 30 Jan 2002
- Statement Date:
- Date Updated: 05 Mar 2002
Lucent and Ascend "Free" RADIUS server Product Status
Prior to the Lucent Technologies acquisition of Ascend Communications and Livingston Enterprises, both companies distributed RADIUS servers at no cost to their customers. The initial Livingston server was RADIUS 1.16 followed in June 1999 by RADIUS 2.1. The Ascend server was based on the Livingston 1.16 product with the most recent version being released in June 1998. Lucent Technologies no longer distributes these products, and does not provide any support services for these products.
Both of these products were distributed as-is without warranty, under the BSD "Open Source" license. Under this license, other parties are free to develop and release other products and versions. However, as noted in the license terms, Lucent Technologies can not and does not assume any responsibility for any releases, present or future, based on these products.
Patches designed to specifically address the problems outlined in the CERT bulletins VU#936683 VU#589523 have been made available to the public by Simon Horman . For more information visit ftp://ftp.vergenet.net/pub/radius
The Lucent Technologies replacement product is NavisRadius 4.x. NavisRadius is a fully supported commercial product. Visit the product web site at http://www.lucentradius.com for more information.
NavisRadius Product Management
Network Operations Software
The vendor has not provided us with any further information regarding this vulnerability.
Please note that Lucent purchased both Livingston and Ascend. NavisRadius 4.x is reported as not vulnerable to this vulnerablility.
If you have feedback, comments, or additional information about this vulnerability, please send us email.