Multiple implementations of the RADIUS protocol contain a buffer overflow in the function that calculates message digests.
During the message digest calculation, a string containing the shared secret is concatenated with a packet received without checking the size of the target buffer. This makes it possible to overflow the buffer with shared secret data. This can lead to denial of service against the server. If the shared secret is known by the attacker, then it may be possible to use this information to execute arbitrary code with the privileges of the victim RADIUS server or client, usually root. It should be noted that gaining knowledge of the shared secret is not a trivial task.
Certain implementations of RADIUS vulnerable to VU#589523 may allow the execution of code if multiple packets are processed in the same thread, and the last 1 or 2 bytes of the shared secret is with in a certain range. In this case, specific knowledge of the shared secret is not required.
Without knowledge of the shared secret, an attacker can cause a denial of service against the server, or the client via the server response. With knowledge of the shared secret, an attacker may be able to execute arbitrary code. In certain implementations, specific knowledge of the shared secret is not required to execute arbitrary code if the last 1 or 2 bytes of the shared secret are with in a certain range.
Apply a patch or upgrade to the version specified by your vendor.
Implementing a firewall to filter packets from outside of your network perimeter from being sent to the RADIUS server may help reduce the risk of attack. Note that this is not sufficient to prevent the vulnerability from being exploited by users who are within your network perimeter.
Secure Computing Corporation
Open System Consultants
Wind River Systems
Our thanks to Joshua Hill <email@example.com> and 3APA3A <3APA3A@SECURITY.NNOV.RU> for their report and analysis of this vulnerability.
This document was written by Jason Rafail and is based on information provided by 3APA3A.