Various RADIUS servers and clients permit the passing of vendor-specific and user-specific attributes. Several implementations of RADIUS fail to check the Vendor-Length of the Vendor-Specific attribute. It's possible to cause a denial of service against RADIUS servers with a malformed Vendor-Specific attribute.
RADIUS servers and clients fail to validate the Vendor-Length inside Vendor-Specific attributes. The Vendor-Length shouldn't be less than 2. If Vendor-Length is less than 2, the RADIUS server (or client) calculates the attribute length as a negative number. The attribute length is then used in various functions. In most RADIUS servers the function that performs this calculation is rad_recv() or radrecv(). Some applications may use the same logic to validate user-specific attributes and be vulnerable via the same method. For example, YARDRadius contains this vulnerability in the handling of the User-Specific attributes only.
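The length check described above, as an added example that is not taken from this advisory or from any vendor's code: a validator that rejects a Vendor-Length below 2 before any data length is derived from it. The name `vsa_validate` and the sample bytes are constructed for illustration, and the layout assumed is the RFC 2865 one (Type, Length, 4-byte Vendor-Id, then Vendor-Type / Vendor-Length / data sub-attributes).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PW_VENDOR_SPECIFIC 26
#define VSA_HDR 6u   /* Type + Length + 4-byte Vendor-Id */

/* Walk one Vendor-Specific attribute held in attr[0..avail).
 * Returns the number of vendor sub-attributes, or -1 if a length is inconsistent. */
int vsa_validate(const uint8_t *attr, size_t avail)
{
    if (avail < 2 || attr[0] != PW_VENDOR_SPECIFIC)
        return -1;
    size_t alen = attr[1];
    if (alen < VSA_HDR + 2 || alen > avail)   /* need room for one sub-attribute header */
        return -1;

    const uint8_t *p = attr + VSA_HDR;
    size_t left = alen - VSA_HDR;
    int count = 0;
    while (left > 0) {
        if (left < 2)
            return -1;                        /* truncated Vendor-Type/Vendor-Length pair */
        size_t vlen = p[1];                   /* Vendor-Length counts its own two header bytes */
        if (vlen < 2 || vlen > left)
            return -1;                        /* vlen - 2 would be negative, or data overruns */
        p += vlen;                            /* skip header plus (vlen - 2) data bytes */
        left -= vlen;
        count++;
    }
    return count;
}

/* Constructed sample attributes; Vendor-Id 9 is an arbitrary value. */
static const uint8_t vsa_ok[]   = {26, 12, 0, 0, 0, 9, 1, 6, 'a', 'b', 'c', 'd'};
static const uint8_t vsa_two[]  = {26, 11, 0, 0, 0, 9, 1, 3, 'x', 2, 2};
static const uint8_t vsa_zero[] = {26, 8, 0, 0, 0, 9, 1, 0};   /* Vendor-Length 0 */
static const uint8_t vsa_one[]  = {26, 8, 0, 0, 0, 9, 1, 1};   /* Vendor-Length 1 */
static const uint8_t vsa_long[] = {26, 8, 0, 0, 0, 9, 1, 9};   /* exceeds attribute */

int main(void)
{
    printf("ok=%d two=%d zero=%d one=%d long=%d\n",
           vsa_validate(vsa_ok, sizeof vsa_ok), vsa_validate(vsa_two, sizeof vsa_two),
           vsa_validate(vsa_zero, sizeof vsa_zero), vsa_validate(vsa_one, sizeof vsa_one),
           vsa_validate(vsa_long, sizeof vsa_long));
    return 0;
}
```

Lengths are kept in `size_t` and compared before any subtraction, so the data length can never wrap or go negative.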
It is possible to cause a denial of service against the RADIUS server with a malformed Vendor-Specific attribute. Though unlikely, if a RADIUS client processes the Vendor-Specific attribute contained in a server response, then the client may also be vulnerable.
Apply a patch or upgrade to the version specified by your vendor.
Vendor| Status| Date Notified| Date Updated
Cistron| | 30 Jan 2002| 19 Feb 2002
Conectiva| | -| 07 Mar 2002
FreeBSD| | 03 Jan 2002| 19 Feb 2002
FreeRADIUS| | 26 Feb 2002| 27 Feb 2002
GnuRADIUS| | -| 20 Feb 2002
ICRADIUS| | 30 Jan 2002| 20 Feb 2002
Lucent| | 30 Jan 2002| 05 Mar 2002
Nbase| | 05 Mar 2002| 12 Apr 2002
NetBSD| | 03 Jan 2002| 20 Feb 2002
Open System Consultants| | -| 12 Mar 2002
Red Hat| | 03 Jan 2002| 20 Feb 2002
Secure Computing Corporation| | -| 16 Apr 2002
XTRADIUS| | 30 Jan 2002| 20 Feb 2002
YARD RADIUS| | 30 Jan 2002| 20 Feb 2002
Alcatel| | -| 02 Apr 2002
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Our thanks to 3APA3A <3APA3A@SECURITY.NNOV.RU> for the report and analysis of this vulnerability.
This document was written by Jason Rafail and is based on information provided by 3APA3A.