Vulnerability Note VU#936683

Multiple implementations of the RADIUS protocol do not adequately validate the vendor-length of the vendor-specific attributes

Original Release date: 04 Mar 2002 | Last revised: 16 Apr 2002


Various RADIUS servers and clients permit the passing of vendor-specific and user-specific attributes. Several implementations of RADIUS fail to check the Vendor-Length of the Vendor-Specific attribute. It's possible to cause a denial of service against RADIUS servers with a malformed Vendor-Specific attribute.


RADIUS servers and clients fail to validate the Vendor-Length inside Vendor-Specific attributes. The Vendor-Length shouldn't be less than 2. If Vendor-Length is less than 2, the RADIUS server (or client) calculates the attribute length as a negative number. The attribute length is then used in various functions. In most RADIUS servers the function that performs this calculation is rad_recv() or radrecv(). Some applications may use the same logic to validate user-specific attributes and be vulnerable via the same method. For example, YARDRadius contains this vulnerability in the handling of the User-Specific attributes only.


It is possible to cause a denial of service against the RADIUS server with a malformed Vendor-Specific attribute. Though unlikely, if a RADIUS client processes the Vendor-Specific attribute contained in a server response, then the client may also be vulnerable.


Apply a patch or upgrade to the version specified by your vendor.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
CistronAffected30 Jan 200219 Feb 2002
ConectivaAffected-07 Mar 2002
FreeBSDAffected03 Jan 200219 Feb 2002
FreeRADIUSAffected26 Feb 200227 Feb 2002
GnuRADIUSAffected-20 Feb 2002
ICRADIUSAffected30 Jan 200220 Feb 2002
LucentAffected30 Jan 200205 Mar 2002
NbaseAffected05 Mar 200212 Apr 2002
NETBSDAffected03 Jan 200220 Feb 2002
Open System ConsultantsAffected-12 Mar 2002
Red HatAffected03 Jan 200220 Feb 2002
Secure Computing CorporationAffected-16 Apr 2002
XTRADIUSAffected30 Jan 200220 Feb 2002
YARD RADIUSAffected30 Jan 200220 Feb 2002
AlcatelNot Affected-02 Apr 2002
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Our thanks to 3APA3A <3APA3A@SECURITY.NNOV.RU> for the report and analysis of this vulnerability.

This document was written by Jason Rafail and is based on information provided by 3APA3A.

Other Information

  • CVE IDs: Unknown
  • CERT Advisory: CA-2002-06
  • Date Public: 29 Nov 2001
  • Date First Published: 04 Mar 2002
  • Date Last Updated: 16 Apr 2002
  • Severity Metric: 1.77
  • Document Revision: 18


If you have feedback, comments, or additional information about this vulnerability, please send us email.