Various RADIUS servers and clients permit the passing of vendor-specific and user-specific attributes. Several implementations of RADIUS fail to check the Vendor-Length of the Vendor-Specific attribute. It's possible to cause a denial of service against RADIUS servers with a malformed Vendor-Specific attribute.
Several RADIUS servers and clients fail to validate the Vendor-Length field inside Vendor-Specific attributes. Because Vendor-Length counts the Vendor-Type and Vendor-Length octets themselves, it must not be less than 2. If Vendor-Length is less than 2, the RADIUS server (or client) calculates the attribute length as a negative number, and that length is then used in various functions. In most RADIUS servers the function that performs this calculation is rad_recv() or radrecv(). Some applications apply the same logic when validating user-specific attributes and are vulnerable in the same way; for example, YARDRadius contains this vulnerability only in its handling of User-Specific attributes.
It is possible to cause a denial of service against the RADIUS server with a malformed Vendor-Specific attribute. Though unlikely, if a RADIUS client processes the Vendor-Specific attribute contained in a server response, then the client may also be vulnerable.
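As an added illustration (not code from any of the affected products), the parser below shows the unchecked Vendor-Length arithmetic beside a checked version that rejects a Vendor-Length below 2 or beyond the bytes remaining in the attribute. The sample attributes and the vendor id 0x00112233 are constructed placeholders.

```c
#include <stdint.h>
#include <stddef.h>

#define RAD_ATTR_VSA 26  /* Vendor-Specific attribute type, RFC 2865 section 5.26 */

enum vsa_status { VSA_OK = 0, VSA_BAD_ATTR_LEN = -1,
                  VSA_BAD_VENDOR_LEN = -2, VSA_TRUNCATED = -3 };

struct vsa_field {
    uint32_t vendor_id;
    uint8_t vendor_type;
    const uint8_t *value;   /* points into the caller's packet buffer */
    size_t value_len;
};

/* The unchecked arithmetic the advisory describes: a Vendor-Length of 0 or 1
 * yields a negative value length that later code treats as a size. */
int naive_value_len(uint8_t vendor_len)
{
    return (int)vendor_len - 2;
}

/* Layout: Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) value...
 * Returns VSA_OK and fills *out only when every length field is consistent. */
int parse_vsa(const uint8_t *attr, size_t avail, struct vsa_field *out)
{
    if (avail < 8 || attr[0] != RAD_ATTR_VSA) return VSA_BAD_ATTR_LEN;
    size_t attr_len = attr[1];
    if (attr_len < 8 || attr_len > avail) return VSA_BAD_ATTR_LEN;

    size_t vendor_len = attr[7];
    /* Vendor-Length includes the Vendor-Type and Vendor-Length octets, so 2 is
     * the minimum; more than the bytes left in the attribute would over-read. */
    if (vendor_len < 2) return VSA_BAD_VENDOR_LEN;
    if (vendor_len > attr_len - 6) return VSA_TRUNCATED;

    out->vendor_id = ((uint32_t)attr[2] << 24) | ((uint32_t)attr[3] << 16) |
                     ((uint32_t)attr[4] << 8) | attr[5];
    out->vendor_type = attr[6];
    out->value = attr + 8;
    out->value_len = vendor_len - 2;
    return VSA_OK;
}

/* Constructed samples; vendor id 0x00112233 is a placeholder, not a real IANA id. */
static const uint8_t SAMPLE_GOOD[]    = {26, 12, 0x00, 0x11, 0x22, 0x33, 1, 6, 'a', 'b', 'c', 'd'};
static const uint8_t SAMPLE_VLEN1[]   = {26, 8, 0x00, 0x11, 0x22, 0x33, 1, 1};
static const uint8_t SAMPLE_OVERRUN[] = {26, 8, 0x00, 0x11, 0x22, 0x33, 1, 10};
```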
Apply a patch or upgrade to the version specified by your vendor.
Open System Consultants Affected
Red Hat Affected
Secure Computing Corporation Affected
YARD RADIUS Affected
Alcatel Not Affected
Apple Not Affected
Athena Online Not Affected
Cisco Not Affected
Fujitsu Not Affected
Funk Software Not Affected
Hewlett Packard Not Affected
IBM Not Affected
Interlink Networks Not Affected
Juniper Networks Not Affected
Microsoft Not Affected
Process Software Not Affected
RADIUS Not Affected
RADIUSClient Not Affected
SCO Not Affected
SGI Not Affected
Vircom Not Affected
Wind River Systems Not Affected
Our thanks to 3APA3A <3APA3A@SECURITY.NNOV.RU> for the report and analysis of this vulnerability.
This document was written by Jason Rafail and is based on information provided by 3APA3A.