Multiple implementations of the RADIUS protocol do not adequately validate the vendor-length of the vendor-specific attributes

2002-03-04T00:00:00
ID VU:936683
Type cert
Reporter CERT
Modified 2002-04-16T00:00:00

Description

Overview

Various RADIUS servers and clients permit the passing of vendor-specific and user-specific attributes. Several implementations of RADIUS fail to check the Vendor-Length of the Vendor-Specific attribute. It's possible to cause a denial of service against RADIUS servers with a malformed Vendor-Specific attribute.

Description

RADIUS servers and clients fail to validate the Vendor-Length inside Vendor-Specific attributes. The Vendor-Length shouldn't be less than 2. If Vendor-Length is less than 2, the RADIUS server (or client) calculates the attribute length as a negative number. The attribute length is then used in various functions. In most RADIUS servers the function that performs this calculation is rad_recv() or radrecv(). Some applications may use the same logic to validate user-specific attributes and be vulnerable via the same method. For example, YARDRadius contains this vulnerability in the handling of the User-Specific attributes only.


Impact

It is possible to cause a denial of service against the RADIUS server with a malformed Vendor-Specific attribute. Though unlikely, if a RADIUS client processes the Vendor-Specific attribute contained in a server response, then the client may also be vulnerable.


Solution

Apply a patch or upgrade to the version specified by your vendor.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Cistron| | 30 Jan 2002| 19 Feb 2002
Conectiva| | -| 07 Mar 2002
FreeBSD| | 03 Jan 2002| 19 Feb 2002
FreeRADIUS| | 26 Feb 2002| 27 Feb 2002
GnuRADIUS| | -| 20 Feb 2002
ICRADIUS| | 30 Jan 2002| 20 Feb 2002
Lucent| | 30 Jan 2002| 05 Mar 2002
Nbase| | 05 Mar 2002| 12 Apr 2002
NETBSD| | 03 Jan 2002| 20 Feb 2002
Open System Consultants| | -| 12 Mar 2002
Red Hat| | 03 Jan 2002| 20 Feb 2002
Secure Computing Corporation| | -| 16 Apr 2002
XTRADIUS| | 30 Jan 2002| 20 Feb 2002
YARD RADIUS| | 30 Jan 2002| 20 Feb 2002
Alcatel| | -| 02 Apr 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.freeradius.org>
  • <http://online.securityfocus.com/bid/4230>

Credit

Our thanks to 3APA3A <3APA3A@SECURITY.NNOV.RU> for the report and analysis of this vulnerability.

This document was written by Jason Rafail and is based on information provided by 3APA3A.

Other Information

  • CVE IDs: Unknown
  • CERT Advisory: CA-2002-06
  • Date Public: 29 Nov 2001
  • Date First Published: 04 Mar 2002
  • Date Last Updated: 16 Apr 2002
  • Severity Metric: 1.77
  • Document Revision: 18