Vulnerabilities in Various Implementations of the RADIUS Protocol

Source: vulners.com / securityvulns (SECURITYVULNS:DOC:2579), March 5, 2002
CERT Advisory CA-2002-06 Vulnerabilities in Various Implementations of the
RADIUS Protocol

Original release date: March 4, 2002
Last revised: –
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Systems running any of the following RADIUS implementations:

 * Ascend RADIUS versions 1.16 and prior
 * Cistron RADIUS versions 1.6.5 and prior
 * FreeRADIUS versions 0.3 and prior
 * GnuRADIUS versions 0.95 and prior
 * ICRADIUS versions 0.18.1 and prior
 * Livingston RADIUS versions 2.1 and earlier
 * RADIUS (previously known as Lucent RADIUS) versions 2.1 and prior
 * RADIUSClient versions 0.3.1 and prior
 * XTRADIUS 1.1-pre1 and prior
 * YARD RADIUS 1.0.19 and prior

Overview

Remote Authentication Dial In User Service (RADIUS) servers are used
for authentication, authorization and accounting for terminals that
speak the RADIUS protocol. Multiple vulnerabilities have been
discovered in several implementations of the RADIUS protocol.

I. Description

Two vulnerabilities in various implementations of RADIUS clients and
servers have been reported to several vendors and the CERT/CC. They
are remotely exploitable, and on most systems result in a denial of
service. VU#589523 may allow the execution of code if the attacker has
knowledge of the shared secret.

VU#589523 - Multiple implementations of the RADIUS protocol contain a
digest calculation buffer overflow

 Multiple  implementations  of  the RADIUS protocol contain a buffer
 overflow in the function that calculates message digests.

 During  the  message  digest  calculation,  a string containing the
 shared  secret  is  concatenated  with  a  packet  received without
 checking  the  size of the target buffer. This makes it possible to
 overflow  the  buffer  with  shared secret data. This can lead to a
 denial of service against the server. If the shared secret is known
 by the attacker, then it may be possible to use this information to
 execute  arbitrary  code  with  the privileges of the victim RADIUS
 server  or  client,  usually  root. It should be noted that gaining
 knowledge of the shared secret is not a trivial task.
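As an added illustration (not code from the advisory or from any of the implementations it lists), the following C function assembles the Response Authenticator digest input with the length check that the affected routines lacked. The buffer sizes, the sample packet and the secret are constructed for this example, and the MD5 step over the returned bytes is left to the caller's crypto library.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_HDR_LEN 20     /* Code, ID, Length, 16-octet Authenticator */
#define RADIUS_MAX_PKT 4096   /* RFC 2865 maximum packet length */

/* Shape of the bug the advisory describes (not run here): the received
 * packet sits in a fixed buffer and the secret is appended with
 * memcpy(buf + pkt_len, secret, secret_len) and no check that the sum fits,
 * so a maximal packet plus the secret runs off the end of buf. */

/* Bounds-checked version. Copies Code+ID+Length+Authenticator+Attributes
 * followed by the secret into out, which the caller then hashes with MD5.
 * Returns the number of bytes written, or -1 if the packet is malformed or
 * the concatenation would not fit in out_cap. */
int radius_digest_input(uint8_t *out, size_t out_cap,
                        const uint8_t *pkt, size_t received,
                        const uint8_t *secret, size_t secret_len)
{
    if (pkt == NULL || received < RADIUS_HDR_LEN) return -1;
    /* The Length field (octets 2..3, big-endian) governs what is hashed;
     * octets beyond it are padding and are ignored, not trusted. */
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > RADIUS_MAX_PKT || declared > received)
        return -1;
    /* Fit check written so that it cannot itself overflow. */
    if (declared > out_cap || secret_len > out_cap - declared) return -1;
    memcpy(out, pkt, declared);
    memcpy(out + declared, secret, secret_len);
    return (int)(declared + secret_len);
}

/* Constructed sample: Access-Accept (Code 2, ID 7), no attributes, Length 20,
 * all-zero authenticator; the secret value is arbitrary (NUL not included). */
const uint8_t sample_pkt[RADIUS_HDR_LEN] = { 2, 7, 0, 20 };
const uint8_t sample_secret[] = "s3cret";
uint8_t digest_buf[64];

int main(void)
{
    int n = radius_digest_input(digest_buf, sizeof digest_buf, sample_pkt,
                                sizeof sample_pkt, sample_secret, 6);
    int m = radius_digest_input(digest_buf, 24, sample_pkt,
                                sizeof sample_pkt, sample_secret, 6);
    printf("fits: %d bytes, too-small buffer: %d\n", n, m);
    return 0;
}
```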

 Systems Affected by VU#589523

 * Ascend RADIUS versions 1.16 and prior
 * Cistron RADIUS versions 1.6.4 and prior
 * FreeRADIUS versions 0.3 and prior
 * GnuRADIUS versions 0.95 and prior
 * ICRADIUS versions 0.18.1 and prior
 * Livingston RADIUS versions 2.1 and earlier
 * RADIUS (commonly known as Lucent RADIUS) versions 2.1 and prior
 * RADIUSClient versions 0.3.1 and prior
 * YARD RADIUS 1.0.19 and prior
 * XTRADIUS 1.1-pre1 and prior

VU#936683 - Multiple implementations of the RADIUS protocol do not
adequately validate the vendor-length of vendor-specific attributes.

 Various   RADIUS   servers   and  clients  permit  the  passing  of
 vendor-specific     and     user-specific    attributes.    Several
 implementations  of  RADIUS  fail  to  check  the  vendor-length of
 vendor-specific  attributes.  It  is  possible to cause a denial of
 service  against  RADIUS  servers  with a malformed vendor-specific
 attribute.

 RADIUS  servers  and  clients  fail  to  validate the vendor-length
 inside  vendor-specific  attributes. The vendor-length shouldn't be
 less than 2. If vendor-length is less than 2, the RADIUS server (or
 client)  calculates  the attribute length as a negative number. The
 attribute  length is then used in various functions. In most RADIUS
 servers  the  function that performs this calculation is rad_recv()
 or  radrecv(). Some applications may use the same logic to validate
 user-specific attributes and be vulnerable via the same method.
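The following C code is an added example, not taken from the advisory or from any affected implementation: it places the unchecked Vendor-Length arithmetic next to a validating walk over a Vendor-Specific attribute (Type 26) that rejects a Vendor-Length below 2 or past the end of the attribute. The sample attributes and the Vendor-Id are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ATTR_VENDOR_SPECIFIC 26   /* RFC 2865 Vendor-Specific attribute type */
enum { VSA_BAD_OUTER = -1, VSA_BAD_VENDOR_LEN = -2, VSA_TRUNCATED = -3 };

/* The calculation the advisory describes: sub points at Vendor-Type, sub[1] is
 * Vendor-Length. For Vendor-Length 0 or 1 this is negative, and that negative
 * length is what the affected receive routines then pass on to copies. */
int vsa_value_len_unchecked(const uint8_t *sub)
{
    return (int)sub[1] - 2;
}

/* Hardened walk. attr points at the Type octet of a Vendor-Specific attribute,
 * avail is the number of packet bytes remaining from attr. Each length is
 * checked against its enclosing bound before use. Returns the sub-attribute
 * count, or a negative error code. */
int vsa_validate(const uint8_t *attr, size_t avail)
{
    if (avail < 2 || attr[0] != ATTR_VENDOR_SPECIFIC) return VSA_BAD_OUTER;
    size_t len = attr[1];
    /* Type + Length + 4-octet Vendor-Id + at least one 2-octet sub-header */
    if (len < 8 || len > avail) return VSA_BAD_OUTER;
    const uint8_t *p = attr + 6, *end = attr + len;
    int count = 0;
    while (p < end) {
        if ((size_t)(end - p) < 2) return VSA_TRUNCATED;
        size_t vlen = p[1];
        /* Vendor-Length covers Vendor-Type and itself, so a well-formed packet
         * never carries a value below 2 (RFC 2865 actually requires >= 3). */
        if (vlen < 2 || vlen > (size_t)(end - p)) return VSA_BAD_VENDOR_LEN;
        p += vlen;
        count++;
    }
    return count;
}

/* Constructed samples; the Vendor-Id 9 is arbitrary. */
const uint8_t vsa_good[]      = { 26, 11, 0, 0, 0, 9, 1, 5, 'a', 'b', 'c' };
const uint8_t vsa_zero_vlen[] = { 26, 8, 0, 0, 0, 9, 1, 0 };  /* Vendor-Length 0 */
const uint8_t vsa_overlong[]  = { 26, 8, 0, 0, 0, 9, 1, 9 };  /* runs past end */

int main(void)
{
    printf("good=%d zero_vlen=%d unchecked=%d\n", vsa_validate(vsa_good, 11),
           vsa_validate(vsa_zero_vlen, 8), vsa_value_len_unchecked(vsa_zero_vlen + 6));
    return 0;
}
```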

 Systems Affected by VU#936683

 * Cistron RADIUS versions 1.6.5 and prior
 * FreeRADIUS versions 0.3 and prior
 * ICRADIUS versions 0.18.1 and prior
 * Livingston RADIUS versions 2.1 and earlier
 * YARD RADIUS 1.0.19 and prior
 * XTRADIUS 1.1-pre1 and prior

II. Impact

Both vulnerabilities allow an attacker to cause a denial of service
against the RADIUS server. On some systems, VU#589523 may allow the
execution of code if the attacker has knowledge of the shared secret.

III. Solution

Apply a patch, or upgrade to the version specified by your vendor.

Block packets to the RADIUS server at the firewall

Limit access to the RADIUS server to those addresses which are
approved to authenticate to the RADIUS server. Note that this does not
protect your server from attacks originating from these addresses.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.

Apple

 Mac  OS X and Mac OS X Server -- Not vulnerable since RADIUS is not
 shipped with those products.

Cisco

 Cisco  Systems  has  reviewed the following products that implement
 RADIUS  with regards to this vulnerability, and has determined that
 the  following  are  NOT vulnerable to this issue: Cisco IOS, Cisco
 Catalyst OS, Cisco Secure PIX firewall, Cisco Secure Access Control
 System  for  Windows,  Cisco  Aironet,  Cisco Access Registrar, and
 Cisco Resource Pooling Management Service. At this time, we are not
 aware  of  any  Cisco  products  that  are vulnerable to the issues
 discussed in this report.

Cistron

 You state 2 vulnerabilities:
 1. Digest Calculation Buffer Overflow Vulnerability: Cistron Radius up
    to and including 1.6.4 is vulnerable
 2. Invalid attribute length calculation on malformed Vendor-Specific
    attr.: Cistron Radius up to and including 1.6.5 is vulnerable

 Today  I  have  released  version  1.6.6, which also fixes (2). The
 homepage  is  http://www.radius.cistron.nl/  on  which you can also
 find   the   ChangeLog.   An  announcement  to  the  cistron-radius
 mailinglist was also made today.

 So everybody should upgrade to 1.6.6.

FreeBSD

 FreeBSD  versions  prior to 4.5-RELEASE (which is shipping today or
 tomorrow  or  so)  do contain some of the RADIUS packages mentioned
 below:  radiusd-cistron,  freeradius,  ascend-radius, icradius, and
 radiusclient.  However, 4.5-RELEASE will not ship with any of these
 RADIUS   packages,   except   radiusclient.  Also,  note  that  the
 information  you [CERT/CC] have forwarded previously indicates that
 neither   Merit   RADIUS   (radius-basic)   nor   radiusclient  are
 vulnerable.

Fujitsu

 Fujitsu's  UXP/V  operating  system is not vulnerable because UXP/V
 does not support the Radius functionality.

GnuRADIUS

 The bug was fixed in version 0.96.

Hewlett-Packard

 We have tested our Version of RADIUS, and we are NOT vulnerable.

IBM

 IBM's  AIX  operating system, all versions, is not vulnerable as we
 do not ship the RADIUS project with AIX.

Juniper Networks

 Juniper  products  have  been  tested  and are not affected by this
 vulnerability.

Lucent Technologies, Inc.

 Lucent and Ascend "Free" RADIUS server Product Status
 
 Reiteration of product End of Life
 February 14, 2002
 
 The  purpose  of  this  announcement is to make official the end of
 life of products based on the Livingston Enterprises RADIUS server,
 and to reiterate the terms of the original license.
 
 Prior to the Lucent Technologies acquisition of Ascend Communications
 and Livingston Enterprises, both companies distributed RADIUS servers
 at no cost to their customers. The initial Livingston server was   
 RADIUS 1.16 followed in June 1999 by RADIUS 2.1. The Ascend server
 was based on the Livingston 1.16 product with the most recent version
 being released in June 1998.  Lucent Technologies no longer
 distributes these products, does not provide any support services for
 these products, and has not done so for some time.
 
 All of these products were distributed as-is without warranty,
 under the BSD "Open Source" license with the following terms:
 
 This software is provided by the copyright holders and contributors
 ``as is'' and any express or implied warranties, including, but not
 limited to, the implied warranties of merchantability and fitness for
 a particular purpose are disclaimed. In no event shall the copyright
 holder or contributors be liable for any direct, indirect,
 incidental, special, exemplary, or consequential damages (including,
 but not limited to, procurement of substitute goods or services;
 loss of use, data, or profits; or business interruption) however
 caused and on any theory of liability, whether in contract, strict
 liability, or tort (including negligence or otherwise) arising in any
 way out of the use of this software, even if advised of the
 possibility of such damage.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:
 
 *  Redistributions  of  source code must retain the above copyright
 notice, this list of conditions and the following disclaimer.
 
 * Redistributions in binary form must reproduce the above copyright
 notice, this list of conditions and the following disclaimer in the  
 documentation   and/or  other  materials  provided  with  the
 distribution.
 
 *  All  advertising  materials  mentioning  features or use of this
 software must display the following acknowledgement:
 This product includes software developed by Lucent Technologies and
 its contributors.
 
 *  Neither  the  name  of the copyright holder nor the names of its 
 contributors  may  be  used  to endorse or promote products derived
 from this software without specific prior written permission.

 Under  this  license, other parties are free to develop and release
 other products and versions. However, as noted in the license terms,
 Lucent Technologies cannot and does not assume any responsibility
 for any releases, present or future, based on these products.
 
 Replacement Product
 
 The  replacement product is NavisRadius 4.x. NavisRadius is a fully
 supported  commercial  product  currently  available  from  Lucent
 Technologies.  Please  visit  the  NavisRadius  product web site at
 http://www.lucentradius.com  for  product  information  and  free  
 evaluation copies.
 
 Richard Perlman
 NavisRadius Product Management
 Network Operations Software
 [email protected]
 +1 510-747-5650

Microsoft

 We've  completed  our  investigation  into  this issue based on the
 information  provided  and  have  determined  that  no  version  of
 Microsoft IAS is susceptible to either vulnerability.

NetBSD

 Some  of  the  affected  radius  daemons  are available from NetBSD
 pkgsrc.  It  is  highly  advisable  that  you  update to the latest
 versions     available     from     pkgsrc.    Also    note    that
 pkgsrc/security/audit-packages  can  be used to notify you when new
 pkgsrc related security issues are announced.

Process Software

 MultiNet and TCPware do not provide a RADIUS implementation.

RADIUS (previously known as Lucent RADIUS)

 I wish to advise that Lucent Radius 2.1 is vulnerable to VU#589523,
 but is not vulnerable to VU#936683.

 I  have  made  an  unofficial  patch  to  this code to resolve this
 problem.  It will be released in ftp://ftp.vergenet.net/pub/radius/
 where previous patches to Radius by myself are available.

RADIUSClient

 I've  just  uploaded  version  0.3.2 of the radiusclient library to
 ftp://ftp.cityline.net/pub/radiusclient/radiusclient-0.3.2.tar.gz
 which contains a fix for the reported buffer overflow.

Red Hat

 We  do  not  ship  any  radius  software as part of any of our main
 operating   system.   However,  Cistron  RADIUS  was  part  of  our
 PowerTools  add-on  software CD from versions 5.2 through 7.1. Thus
 while  not installed by default, some users of Red Hat Linux may be
 using  Cistron  RADIUSD.  Errata packages that fix this problem and
 our  advisory  will be available shortly on our web site at the URL
 below.  At  the same time users of the Red Hat Network will be able
 to update their systems to patched versions using the up2date tool.

 http://www.redhat.com/support/errata/RHSA-2002-030.html

SCO

 The  Caldera NON-Linux operating systems: OpenServer, UnixWare, and
 Open UNIX, do not ship Radius servers or clients.

SGI

 SGI  does  not  ship  with a RADIUS server or client, so we are not
 vulnerable to these issues.

Wind River Systems

 The  current RADIUS client product from Wind River Systems, WindNet
 RADIUS  1.1,  is  not susceptible to VU#936683 and VU#589523 in our
 internal testing.

 VU#936683  -  WindNet  RADIUS  will  pass  the  packet  up  to  the
 application.  The  application  may need to be aware of the invalid
 attribute length.

 VU#589523 - WindNet RADIUS will drop the packet overflow.

 Please  contact Wind River support at [email protected] or call
 (800)  458-7767  with  any  test  reports  related to VU#936683 and
 VU#589523.

XTRADIUS

 We are trying to release a new and fixed version of xtradius by the
 end of the month (version 1.2.1). Right now the new version is on
 the CVS and we are testing it.

YARD RADIUS

 Current version 1.0.19 of Yardradius (which is derived from Lucent
 2.1) seems to suffer from both problems. I think I will release a
 new version (1.0.20) which solves those buffer overflows before
 your suggested date [3/4/2002].

Our thanks to 3APA3A <[email protected]> and Joshua Hill for their
cooperation, reporting and analysis of these vulnerabilities.


Feedback about this Advisory can be sent to the author,
Jason A. Rafail.


Appendix B. - References

1. http://www.kb.cert.org/vuls/id/589523
2. http://www.kb.cert.org/vuls/id/936683
3. http://www.security.nnov.ru/advisories/radius.asp
4. http://www.untruth.org/~josh/security/radius
5. http://www.securityfocus.com/bid/3530

This document is available from:
http://www.cert.org/advisories/CA-2002-06.html


CERT/CC Contact Information

Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to [email protected]. Please include in the body of your
message

subscribe cert-advisory

  • "CERT" and "CERT Coordination Center" are registered in the U.S.
    Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History
March 04, 2002: Initial release