Lucent Information for VU#936683

Multiple implementations of the RADIUS protocol do not adequately validate the vendor-length of the vendor-specific attributes



Vendor Statement

Lucent and Ascend "Free" RADIUS server Product Status

Prior to the Lucent Technologies acquisition of Ascend Communications and Livingston Enterprises, both companies distributed RADIUS servers at no cost to their customers. The initial Livingston server was RADIUS 1.16 followed in June 1999 by RADIUS 2.1. The Ascend server was based on the Livingston 1.16 product with the most recent version being released in June 1998. Lucent Technologies no longer distributes these products, and does not provide any support services for these products.

Both of these products were distributed as-is without warranty, under the BSD "Open Source" license. Under this license, other parties are free to develop and release other products and versions. However, as noted in the license terms, Lucent Technologies can not and does not assume any responsibility for any releases, present or future, based on these products.

Product Patches

Patches designed to specifically address the problems outlined in the CERT bulletins VU#936683 VU#589523 have been made available to the public by Simon Horman . For more information visit

Replacement Product

The Lucent Technologies replacement product is NavisRadius 4.x. NavisRadius is a fully supported commercial product. Visit the product web site at for more information.

Richard Perlman
NavisRadius Product Management
Network Operations Software

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



Please note that Lucent purchased both Livingston and Ascend. NavisRadius 4.x is reported as not vulnerable to this vulnerablility.

If you have feedback, comments, or additional information about this vulnerability, please send us email.