Multiple implementations of the RADIUS protocol contain a buffer overflow in the function that calculates message digests.
During the message digest calculation, a string containing the shared secret is concatenated with a packet received without checking the size of the target buffer. This makes it possible to overflow the buffer with shared secret data. This can lead to denial of service against the server. If the shared secret is known by the attacker, then it may be possible to use this information to execute arbitrary code with the privileges of the victim RADIUS server or client, usually root. It should be noted that gaining knowledge of the shared secret is not a trivial task.
Certain implementations of RADIUS vulnerable to VU#589523 may allow the execution of code if multiple packets are processed in the same thread, and the last 1 or 2 bytes of the shared secret is with in a certain range. In this case, specific knowledge of the shared secret is not required.
Without knowledge of the shared secret, an attacker can cause a denial of service against the server, or the client via the server response. With knowledge of the shared secret, an attacker may be able to execute arbitrary code. In certain implementations, specific knowledge of the shared secret is not required to execute arbitrary code if the last 1 or 2 bytes of the shared secret are with in a certain range.
Apply a patch or upgrade to the version specified by your vendor.
Implementing a firewall to filter packets from outside of your network perimeter from being sent to the RADIUS server may help reduce the risk of attack. Note that this is not sufficient to prevent the vulnerability from being exploited by users who are within your network perimeter.
Red Hat Affected
Secure Computing Corporation Affected
YARD RADIUS Affected
Alcatel Not Affected
Apple Not Affected
Athena Online Not Affected
Cisco Not Affected
Fujitsu Not Affected
Funk Software Not Affected
Hewlett Packard Not Affected
IBM Not Affected
Interlink Networks Not Affected
Juniper Networks Not Affected
Microsoft Not Affected
Open System Consultants Not Affected
Process Software Not Affected
Riverstone Networks Not Affected
SCO Not Affected
SGI Not Affected
Wind River Systems Not Affected
Our thanks to Joshua Hill
This document was written by Jason Rafail and is based on information provided by 3APA3A.