ID: RHSA-2004:609
Type: redhat
Reporter: RedHat
Modified: 2017-07-29T20:33:47

Description
FreeRADIUS is a high-performance and highly configurable free RADIUS server
designed to allow centralized authentication and authorization for a network.

A number of flaws were found in FreeRADIUS versions prior to 1.0.1. An
attacker who is able to send packets to the server could craft packets
in such a way as to cause the server to consume memory or crash. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the names CAN-2004-0938, CAN-2004-0960, and CAN-2004-0961 to these issues.

Users of FreeRADIUS should update to these erratum packages, which contain
FreeRADIUS 1.0.1. That version is not vulnerable to these issues and also
corrects a number of bugs.

{"id": "RHSA-2004:609", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2004:609) freeradius security update", "description": "FreeRADIUS is a high-performance and highly configurable free RADIUS server\ndesigned to allow centralized authentication and authorization for a network.\n\nA number of flaws were found in FreeRADIUS versions prior to 1.0.1. An\nattacker who is able to send packets to the server could construct\ncarefully constructed packets in such a way as to cause the server to\nconsume memory or crash. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the names CAN-2004-0938, CAN-2004-0960, and\nCAN-2004-0961 to these issues.\n\nUsers of FreeRADIUS should update to these erratum packages that contain\nFreeRADIUS 1.0.1, which is not vulnerable to these issues and also corrects\na number of bugs.", "published": "2004-11-12T05:00:00", "modified": "2017-07-29T20:33:47", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "href": "https://access.redhat.com/errata/RHSA-2004:609", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2004-0938", "CVE-2004-0960", "CVE-2004-0961"], "lastseen": "2019-05-29T14:34:47", "viewCount": 1, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-05-29T14:34:47", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-0938", "CVE-2004-0961", "CVE-2004-0960"]}, {"type": "osvdb", "idList": ["OSVDB:11807", "OSVDB:11806", "OSVDB:10178"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231065517", "OPENVAS:54685", "OPENVAS:52343", "OPENVAS:65517"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2004-609.NASL", "FREEBSD_PKG_20DFD1341D3911D99BE9000C6E8F12EF.NASL", "GENTOO_GLSA-200409-29.NASL"]}, {"type": "gentoo", "idList": ["GLSA-200409-29"]}, {"type": "freebsd", "idList": ["20DFD134-1D39-11D9-9BE9-000C6E8F12EF"]}, {"type": "suse", "idList": ["SUSE-SA:2004:038", "SUSE-SA:2004:039"]}, {"type": "cert", "idList": ["VU:541574"]}], 
"modified": "2019-05-29T14:34:47", "rev": 2}, "vulnersScore": 6.2}, "affectedPackage": [{"OS": "RedHat", "OSVersion": "any", "arch": "ia64", "packageName": "freeradius", "packageVersion": "1.0.1-1.RHEL3", "packageFilename": "freeradius-1.0.1-1.RHEL3.ia64.rpm", "operator": "lt"}]}
{"cve": [{"lastseen": "2021-02-02T05:22:59", "description": "FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (server crash) by sending an Ascend-Send-Secret attribute without the required leading packet.", "edition": 6, "cvss3": {}, "published": "2004-11-03T05:00:00", "title": "CVE-2004-0938", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0938"], "modified": "2017-10-11T01:29:00", "cpe": ["cpe:/a:freeradius:freeradius:1.0.1"], "id": "CVE-2004-0938", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0938", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:freeradius:freeradius:1.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:22:59", "description": "Memory leak in FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (memory exhaustion) via a series of Access-Request packets with (1) Ascend-Send-Secret, (2) Ascend-Recv-Secret, or (3) Tunnel-Password attributes.", "edition": 4, "cvss3": {}, "published": "2005-02-09T05:00:00", "title": "CVE-2004-0961", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": 
"AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0961"], "modified": "2017-10-11T01:29:00", "cpe": ["cpe:/a:freeradius:freeradius:0.8", "cpe:/a:freeradius:freeradius:0.8.1", "cpe:/a:freeradius:freeradius:0.2", "cpe:/a:freeradius:freeradius:0.9", "cpe:/o:redhat:enterprise_linux:3.0", "cpe:/o:redhat:fedora_core:core_2.0", "cpe:/a:freeradius:freeradius:1.0.0", "cpe:/a:freeradius:freeradius:0.5", "cpe:/a:freeradius:freeradius:0.4", "cpe:/a:freeradius:freeradius:0.9.3", "cpe:/a:freeradius:freeradius:0.9.2", "cpe:/a:freeradius:freeradius:0.3", "cpe:/a:freeradius:freeradius:0.9.1"], "id": "CVE-2004-0961", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0961", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:redhat:fedora_core:core_2.0:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.9:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.3:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:3.0:*:advanced_server:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.9.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:3.0:*:enterprise_server:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.2:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.4:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.8:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:22:59", "description": "FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (core dump) via malformed USR vendor-specific attributes (VSA) that cause a memcpy operation with a -1 argument.", "edition": 4, "cvss3": {}, "published": "2005-02-09T05:00:00", "title": 
"CVE-2004-0960", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0960"], "modified": "2017-10-11T01:29:00", "cpe": ["cpe:/a:freeradius:freeradius:0.8", "cpe:/a:freeradius:freeradius:0.8.1", "cpe:/a:freeradius:freeradius:0.2", "cpe:/a:freeradius:freeradius:0.9", "cpe:/o:redhat:enterprise_linux:3.0", "cpe:/o:redhat:fedora_core:core_2.0", "cpe:/a:freeradius:freeradius:1.0.0", "cpe:/a:freeradius:freeradius:0.5", "cpe:/a:freeradius:freeradius:0.4", "cpe:/a:freeradius:freeradius:0.9.3", "cpe:/a:freeradius:freeradius:0.9.2", "cpe:/a:freeradius:freeradius:0.3", "cpe:/a:freeradius:freeradius:0.9.1"], "id": "CVE-2004-0960", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0960", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:redhat:fedora_core:core_2.0:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.9:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.3:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:3.0:*:advanced_server:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.9.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:3.0:*:enterprise_server:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:freeradius:freeradius:0.4:*:*:*:*:*:*:*", "cpe:2.3:a:freeradius:freeradius:0.8:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2018-04-06T11:37:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0961", "CVE-2004-0960", "CVE-2004-0938"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n freeradius\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5017148 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2018-04-06T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:136141256231065517", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065517", "type": "openvas", "title": "SLES9: Security update for freeradius", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5017148.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Security update for freeradius\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n freeradius\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5017148 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.65517\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2004-0938\", \"CVE-2004-0960\", \"CVE-2004-0961\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"SLES9: Security update for freeradius\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"freeradius\", rpm:\"freeradius~0.9.3~106.6\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-26T08:55:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0961", "CVE-2004-0960", "CVE-2004-0938"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n freeradius\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5017148 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2017-07-11T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:65517", "href": "http://plugins.openvas.org/nasl.php?oid=65517", "type": "openvas", "title": "SLES9: Security update for freeradius", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5017148.nasl 6666 2017-07-11 13:13:36Z cfischer $\n# Description: Security update for freeradius\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n freeradius\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5017148 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_id(65517);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2004-0938\", \"CVE-2004-0960\", \"CVE-2004-0961\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"SLES9: Security update for freeradius\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"freeradius\", rpm:\"freeradius~0.9.3~106.6\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0961", "CVE-2004-0960", "CVE-2004-0938"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-19T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:52343", "href": "http://plugins.openvas.org/nasl.php?oid=52343", "type": "openvas", "title": "FreeBSD Ports: freeradius", "sourceData": "#\n#VID 20dfd134-1d39-11d9-9be9-000c6e8f12ef\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: freeradius\n\nCVE-2004-0938\nFreeRADIUS before 1.0.1 allows remote attackers to cause a denial of\nservice (server crash) by sending an Ascend-Send-Secret attribute\nwithout the required leading packet.\n\nCVE-2004-0960\nFreeRADIUS before 1.0.1 allows remote attackers to cause a denial of\nservice (core dump) via malformed USR vendor-specific attributes (VSA)\nthat cause a memcpy operation with a -1 argument.\n\nCVE-2004-0961\nMemory leak in FreeRADIUS before 1.0.1 allows remote attackers to\ncause a denial of service (memory exhaustion) via a series of\nAccess-Request packets with (1) Ascend-Send-Secret, (2)\nAscend-Recv-Secret, or (3) Tunnel-Password attributes.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.securitytracker.com/alerts/2004/Sep/1011364.html\nhttp://www.vuxml.org/freebsd/20dfd134-1d39-11d9-9be9-000c6e8f12ef.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52343);\n script_version(\"$Revision: 4112 $\");\n 
script_tag(name:\"last_modification\", value:\"$Date: 2016-09-19 15:17:59 +0200 (Mon, 19 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2004-0938\", \"CVE-2004-0960\", \"CVE-2004-0961\");\n script_bugtraq_id(11222);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"FreeBSD Ports: freeradius\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"freeradius\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.8.0\")>=0 && revcomp(a:bver, b:\"1.0.1\")<0) {\n txt += 'Package freeradius version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0961", "CVE-2004-0960", "CVE-2004-0938"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200409-29.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:54685", "href": "http://plugins.openvas.org/nasl.php?oid=54685", 
"type": "openvas", "title": "Gentoo Security Advisory GLSA 200409-29 (FreeRADIUS)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple Denial of Service vulnerabilities were found and fixed in\nFreeRADIUS.\";\ntag_solution = \"All FreeRADIUS users should upgrade to the latest version:\n\n # emerge sync\n\n # emerge -pv '>=net-dialup/freeradius-1.0.1'\n # emerge '>=net-dialup/freeradius-1.0.1'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200409-29\nhttp://bugs.gentoo.org/show_bug.cgi?id=60587\nhttp://www.freeradius.org/security.html\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200409-29.\";\n\n \n\nif(description)\n{\n script_id(54685);\n script_cve_id(\"CVE-2004-0938\",\"CVE-2004-0960\",\"CVE-2004-0961\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_version(\"$Revision: 6596 $\");\n 
script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_name(\"Gentoo Security Advisory GLSA 200409-29 (FreeRADIUS)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-dialup/freeradius\", unaffected: make_list(\"ge 1.0.1\"), vulnerable: make_list(\"lt 1.0.1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:07", "bulletinFamily": "software", "cvelist": ["CVE-2004-0961", "CVE-2004-0960", "CVE-2004-0938"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:12570](https://secuniaresearch.flexerasoftware.com/advisories/12570/)\n[Secunia Advisory ID:13193](https://secuniaresearch.flexerasoftware.com/advisories/13193/)\n[Related OSVDB ID: 11807](https://vulners.com/osvdb/OSVDB:11807)\nRedHat RHSA: 
RHSA-2004:609\n[CVE-2004-0938](https://vulners.com/cve/CVE-2004-0938)\n[CVE-2004-0960](https://vulners.com/cve/CVE-2004-0960)\n[CVE-2004-0961](https://vulners.com/cve/CVE-2004-0961)\nCERT VU: 541574\n", "modified": "2004-11-15T05:38:12", "published": "2004-11-15T05:38:12", "id": "OSVDB:11806", "href": "https://vulners.com/osvdb/OSVDB:11806", "title": "FreeRADIUS Access-Request Packet Memory Leak DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:07", "bulletinFamily": "software", "cvelist": ["CVE-2004-0961", "CVE-2004-0960", "CVE-2004-0938"], "edition": 1, "description": "## Vulnerability Description\nFreeRadius contains a flaw that may allow a remote denial of service. The issue is triggered when the server recieves a packet with a malformed USR VSA which may cause it to call memcpy with a length value of -1. memcpy interprets this as 0xffffffff which causes it to enter an infinite loop, and will result in loss of availability for the service.\n## Solution Description\nUpgrade to version 1.0.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nFreeRadius contains a flaw that may allow a remote denial of service. The issue is triggered when the server recieves a packet with a malformed USR VSA which may cause it to call memcpy with a length value of -1. 
memcpy interprets this as 0xffffffff which causes it to enter an infinite loop, and will result in loss of availability for the service.\n## References:\n[Vendor Specific Advisory URL](http://security.gentoo.org/glsa/glsa-200409-29.xml)\n[Vendor Specific Advisory URL](http://www.freeradius.org/security.html)\n[Secunia Advisory ID:12570](https://secuniaresearch.flexerasoftware.com/advisories/12570/)\n[Secunia Advisory ID:13193](https://secuniaresearch.flexerasoftware.com/advisories/13193/)\n[Related OSVDB ID: 11806](https://vulners.com/osvdb/OSVDB:11806)\nRedHat RHSA: RHSA-2004:609\nISS X-Force ID: 17440\n[CVE-2004-0938](https://vulners.com/cve/CVE-2004-0938)\n[CVE-2004-0960](https://vulners.com/cve/CVE-2004-0960)\n[CVE-2004-0961](https://vulners.com/cve/CVE-2004-0961)\nCERT VU: 541574\nBugtraq ID: 11222\n", "modified": "2004-09-15T05:38:12", "published": "2004-09-15T05:38:12", "href": "https://vulners.com/osvdb/OSVDB:11807", "id": "OSVDB:11807", "title": "FreeRADIUS Malformed USR VSA DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:05", "bulletinFamily": "software", "cvelist": ["CVE-2004-0961", "CVE-2004-0960", "CVE-2004-0938"], "edition": 1, "description": "## Vulnerability Description\nFreeRADIUS contains a flaw that may allow a remote denial of service. The issue is triggered when an Ascend-Send-Secret packet without an original packet occurs, and will result in loss of availability for the service.\n## Solution Description\nUpgrade to version 1.0.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nFreeRADIUS contains a flaw that may allow a remote denial of service. 
The issue is triggered when an Ascend-Send-Secret packet without an original packet occurs, and will result in loss of availability for the service.\n## References:\nVendor URL: http://www.freeradius.org/\nVendor Specific Solution URL: http://www.freeradius.org/security.html\n[Vendor Specific Advisory URL](http://security.gentoo.org/glsa/glsa-200409-29.xml)\nSecurity Tracker: 1011364\n[Secunia Advisory ID:12570](https://secuniaresearch.flexerasoftware.com/advisories/12570/)\n[Secunia Advisory ID:13193](https://secuniaresearch.flexerasoftware.com/advisories/13193/)\n[Related OSVDB ID: 11807](https://vulners.com/osvdb/OSVDB:11807)\n[Related OSVDB ID: 11806](https://vulners.com/osvdb/OSVDB:11806)\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0596.html\nISS X-Force ID: 17440\n[CVE-2004-0938](https://vulners.com/cve/CVE-2004-0938)\n[CVE-2004-0960](https://vulners.com/cve/CVE-2004-0960)\n[CVE-2004-0961](https://vulners.com/cve/CVE-2004-0961)\nBugtraq ID: 11222\n", "modified": "2004-09-20T00:00:00", "published": "2004-09-20T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:10178", "id": "OSVDB:10178", "type": "osvdb", "title": "FreeRADIUS Ascend-Send-Secret Processing Remote DoS", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-07T10:40:31", "description": "A remote attacker may be able to crash the freeRADIUS Server due to\nthree independent bugs in the function which does improper checking\nvalues while processing RADIUS attributes.", "edition": 25, "published": "2005-07-13T00:00:00", "title": "FreeBSD : freeradius -- denial-of-service vulnerability (20dfd134-1d39-11d9-9be9-000c6e8f12ef)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0961", "CVE-2004-0960", "CVE-2004-0938"], "modified": "2005-07-13T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:freeradius"], "id": 
"FREEBSD_PKG_20DFD1341D3911D99BE9000C6E8F12EF.NASL", "href": "https://www.tenable.com/plugins/nessus/18867", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(18867);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0938\", \"CVE-2004-0960\", \"CVE-2004-0961\");\n script_bugtraq_id(11222);\n script_xref(name:\"CERT\", value:\"541574\");\n\n script_name(english:\"FreeBSD : freeradius -- denial-of-service vulnerability (20dfd134-1d39-11d9-9be9-000c6e8f12ef)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A remote attacker may be able to crash the freeRADIUS Server due to\nthree independent bugs in the function which does improper checking\nvalues while processing RADIUS attributes.\"\n );\n # http://www.securitytracker.com/alerts/2004/Sep/1011364.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://securitytracker.com/id/1011364\"\n );\n # https://vuxml.freebsd.org/freebsd/20dfd134-1d39-11d9-9be9-000c6e8f12ef.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?13fa3e44\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:freeradius\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/09/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/10/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"freeradius>=0.8.0<1.0.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T10:51:51", "description": "The remote host is affected by the vulnerability described in 
GLSA-200409-29\n(FreeRADIUS: Multiple Denial of Service vulnerabilities)\n\n There are undisclosed defects in the way FreeRADIUS handles incorrect\n received packets.\n \nImpact :\n\n A remote attacker could send specially crafted packets to the\n FreeRADIUS server to deny service to other users by crashing the\n server.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 25, "published": "2004-09-23T00:00:00", "title": "GLSA-200409-29 : FreeRADIUS: Multiple Denial of Service vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0961", "CVE-2004-0960", "CVE-2004-0938"], "modified": "2004-09-23T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:freeradius", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-200409-29.NASL", "href": "https://www.tenable.com/plugins/nessus/14797", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200409-29.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14797);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0938\", \"CVE-2004-0960\", \"CVE-2004-0961\");\n script_xref(name:\"GLSA\", value:\"200409-29\");\n\n script_name(english:\"GLSA-200409-29 : FreeRADIUS: Multiple Denial of Service vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200409-29\n(FreeRADIUS: Multiple Denial of Service vulnerabilities)\n\n There are undisclosed defects in the way FreeRADIUS handles incorrect\n received packets.\n \nImpact :\n\n A remote attacker could send specially crafted packets to the\n FreeRADIUS server to deny service to other users by crashing the\n server.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n # http://www.freeradius.org/security.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://freeradius.org/security/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200409-29\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All FreeRADIUS users should upgrade to the latest version:\n # emerge sync\n # emerge -pv '>=net-dialup/freeradius-1.0.1'\n # emerge '>=net-dialup/freeradius-1.0.1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:freeradius\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-dialup/freeradius\", unaffected:make_list(\"ge 1.0.1\"), vulnerable:make_list(\"lt 1.0.1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"FreeRADIUS\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T13:05:21", "description": "Updated freeradius packages that fix a number of denial of service\nvulnerabilities as well as minor bugs are now available for Red Hat\nEnterprise Linux 3.\n\nFreeRADIUS is a high-performance and highly configurable free RADIUS\nserver designed to allow centralized authentication and authorization\nfor a network.\n\nA number of flaws were found in FreeRADIUS versions prior to 1.0.1. 
An\nattacker who is able to send packets to the server could construct\ncarefully constructed packets in such a way as to cause the server to\nconsume memory or crash. The Common Vulnerabilities and Exposures\nproject (cve.mitre.org) has assigned the names CVE-2004-0938,\nCVE-2004-0960, and CVE-2004-0961 to these issues.\n\nUsers of FreeRADIUS should update to these erratum packages that\ncontain FreeRADIUS 1.0.1, which is not vulnerable to these issues and\nalso corrects a number of bugs.", "edition": 27, "published": "2004-11-13T00:00:00", "title": "RHEL 3 : freeradius (RHSA-2004:609)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0961", "CVE-2004-0960", "CVE-2004-0938"], "modified": "2004-11-13T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:3", "p-cpe:/a:redhat:enterprise_linux:freeradius"], "id": "REDHAT-RHSA-2004-609.NASL", "href": "https://www.tenable.com/plugins/nessus/15701", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2004:609. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15701);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2004-0938\", \"CVE-2004-0960\", \"CVE-2004-0961\");\n script_xref(name:\"RHSA\", value:\"2004:609\");\n\n script_name(english:\"RHEL 3 : freeradius (RHSA-2004:609)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated freeradius packages that fix a number of denial of service\nvulnerabilities as well as minor bugs are now available for Red Hat\nEnterprise Linux 3.\n\nFreeRADIUS is a high-performance and highly configurable free RADIUS\nserver designed to allow centralized authentication and authorization\nfor a network.\n\nA number of flaws were found in FreeRADIUS versions prior to 1.0.1. An\nattacker who is able to send packets to the server could construct\ncarefully constructed packets in such a way as to cause the server to\nconsume memory or crash. 
The Common Vulnerabilities and Exposures\nproject (cve.mitre.org) has assigned the names CVE-2004-0938,\nCVE-2004-0960, and CVE-2004-0961 to these issues.\n\nUsers of FreeRADIUS should update to these erratum packages that\ncontain FreeRADIUS 1.0.1, which is not vulnerable to these issues and\nalso corrects a number of bugs.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0938\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0960\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0961\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2004:609\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected freeradius package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:freeradius\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/11/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/11/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 3.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2004:609\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL3\", reference:\"freeradius-1.0.1-1.RHEL3\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if 
(tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"freeradius\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:35:10", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0961", "CVE-2004-0960", "CVE-2004-0938"], "description": "\nA remote attacker may be able to crash the freeRADIUS Server\n\t due to three independent bugs in the function which does\n\t improper checking values while processing RADIUS\n\t attributes.\n", "edition": 4, "modified": "2004-10-19T00:00:00", "published": "2004-09-20T00:00:00", "id": "20DFD134-1D39-11D9-9BE9-000C6E8F12EF", "href": "https://vuxml.freebsd.org/freebsd/20dfd134-1d39-11d9-9be9-000c6e8f12ef.html", "title": "freeradius -- denial-of-service vulnerability", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:34", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0961", "CVE-2004-0960", "CVE-2004-0938"], "edition": 1, "description": "### Background\n\nFreeRADIUS is an open source RADIUS authentication server implementation. \n\n### Description\n\nThere are undisclosed defects in the way FreeRADIUS handles incorrect received packets. \n\n### Impact\n\nA remote attacker could send specially-crafted packets to the FreeRADIUS server to deny service to other users by crashing the server. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll FreeRADIUS users should upgrade to the latest version: \n \n \n # emerge sync\n \n # emerge -pv \">=net-dialup/freeradius-1.0.1\"\n # emerge \">=net-dialup/freeradius-1.0.1\"", "modified": "2006-05-22T00:00:00", "published": "2004-09-22T00:00:00", "id": "GLSA-200409-29", "href": "https://security.gentoo.org/glsa/200409-29", "type": "gentoo", "title": "FreeRADIUS: Multiple Denial of Service vulnerabilities", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T11:18:43", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0961", "CVE-2004-0918", "CVE-2004-0960", "CVE-2004-0888", "CVE-2004-0889", "CVE-2004-0938"], "description": "Xpdf is a widely used fast PDF file viewer. Various other PDF viewers and PDF conversion tools use xpdf code to accomplish their tasks. Chris Evans found several integer overflows and arithmetic errors. Additionally Sebastian Krahmer from the SuSE Security-Team found similar bugs in xpdf 3. These bugs can be exploited by tricking a user into opening a malformed PDF file. As a result the PDF viewer can be crashed or code may even be executed.\n#### Solution\nDue to the wide usage of xpdf-based code we do not recommend switching to another PDF viewer as a workaround. 
You have to install the updates.", "edition": 1, "modified": "2004-10-26T10:45:14", "published": "2004-10-26T10:45:14", "id": "SUSE-SA:2004:039", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-10/msg00009.html", "type": "suse", "title": "remote system compromise in xpdf, gpdf, kdegraphics3-pdf, pdftohtml, cups", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:47:01", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0929", "CVE-2004-0961", "CVE-2004-0804", "CVE-2004-0803", "CVE-2004-0960", "CVE-2004-0888", "CVE-2004-0889", "CVE-2004-0938", "CVE-2004-0886"], "description": "libtiff is used by image viewers and web browsers to view \"TIFF\" images. These usually open and display those images without querying the user, making a normal system by default vulnerable to exploits of image library bugs.\n#### Solution\nThere is no workaround. Update the libtiff packages.", "edition": 1, "modified": "2004-10-22T14:52:41", "published": "2004-10-22T14:52:41", "id": "SUSE-SA:2004:038", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-10/msg00008.html", "title": "local privilege escalation in libtiff", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2020-09-18T20:43:38", "bulletinFamily": "info", "cvelist": ["CVE-2004-0938"], "description": "### Overview \n\nMultiple vulnerabilities in freeRADIUS Server may allow attackers to cause a denial-of-service condition.\n\n### Description \n\nThe Remote Authentication Dial In User Service ([RADIUS](<http://www.ietf.org/rfc/rfc2865.txt>)) protocol is used for remote user authentication and accounting. freeRADIUS Server is a popular open-source RADIUS server. \n\nAccording to freeRADIUS, three independent bugs in freeRADIUS Server versions 0.8.0 to 1.0.0 inclusive, may cause a denial-of-service condition. \n \nAccording to Alan T. 
DeKok from the freeRADIUS project these vulnerabilities are the result of: \n\n\n * _The function which decodes RADIUS attributes into data structures did not properly check for malformed USR vendor-specific attributes. As a result, when the server received any packet containing a malformed USR VSA, it could be convinced to call \"memcpy\" with a length value of \"-1\", which memcpy would interpret as 0xffffffff. The resulting infinite copy would cause the server to core dump._\n * _The function which decodes RADIUS attributes into data structures did not properly check for certain pre-conditions before decoding Ascend-Send-Secret and Ascend-Recv-Secret attributes. As result, when the server received an Access-Request or Accounting-Request packet containing an Ascend-Send-Secret or Ascend-Recv-Secret attribute, it could be convinced to call a function to decode the contents of the attribute, with a NULL pointer, where that function expected a pointer to a valid data structure. That function would de-reference the NULL pointer, and cause the server to core dump._\n * _The function which decodes RADIUS attributes into data structures did not properly clean up after itself if the Ascend-Send-Secret, Ascend-Recv-Secret, or Tunnel-Password attributes were received in an Access-Request packet. As a result, a previously allocated data structure was not freed, and the server would leak a data structure of approximately 300 bytes for every Access-Request packet it received which contained those RADIUS attributes. If sufficient packets matching that criteria were received, the server process would run out of memory, and would be killed by the OS._ \n--- \n \n### Impact \n\nA remote attacker may be able to crash the freeRADIUS Server causing a denial-of-service condition. \n \n--- \n \n### Solution \n\n**Upgrade freeRADIUS** \nThese vulnerabilities were corrected in freeRADIUS Server version 1.0.1. 
\n \n--- \n \n**Limit Access to freeRADIUS**\n\n \nTo reduce the impact of exploitation, access to freeRADIUS services should be restricted to only trusted hosts on necessary ports (1812 UDP for Authentication and 1813 UDP for Accounting). \n \n--- \n \n### Vendor Information\n\n541574\n\n### Debian __ Affected\n\nNotified: October 05, 2004 Updated: October 18, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nDebian stable is not vulnerable to this issue since it doesn't contain a freeradius package. The current testing and unstable distributions are vulnerable. The fixed freeradius package has version 1.0.1-1 and will migrate into testing soon.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### FreeRADIUS __ Affected\n\nNotified: September 28, 2004 Updated: September 29, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nAccording to freeRadius:\n\n \n_We have released version 1.0.1 to address these vulnerabilities. We strongly suggest that users of all previous versions of the server upgrade to 1.0.1._\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Apple Computer Inc. 
__ Not Affected\n\nNotified: October 05, 2004 Updated: February 01, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nMac OS X and Mac OS X Server do not contain the software described in this vulnerability note.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Chiaro Networks __ Not Affected\n\nNotified: October 05, 2004 Updated: October 07, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nThe Enstara platform does not implement a RADIUS server in the product. It is not susceptible to VU#541574.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Foundry Networks Inc. __ Not Affected\n\nNotified: October 05, 2004 Updated: October 06, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nFoundry switches and routers are not vulnerable.\n\nFoundry does not utilize the freeRADIUS software in any of its product offerings. \n \nFoundry does recommend that any customer using the freeRADIUS server should upgrade their freeRADIUS software. Servers that are not upgraded run the risk of being successfully attacked using this vulnerability, causing the device to crash and lose network connectivity. 
Devices using the IEEE 802.1x authentication mechanism would not be authenticated when the RADIUS server is down and would not be allowed access to the network.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Hitachi __ Not Affected\n\nNotified: October 05, 2004 Updated: October 08, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nHitachi's Products is NOT Vulnerable to this issue.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Intoto __ Not Affected\n\nNotified: October 05, 2004 Updated: October 14, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nIntoto products are not vulnerable to the DoS attack documented in this vulnerability note, as freeRADIUS server software is not part of any of Intoto products.\n\nHowever, customers may be using freeRADIUS server for XAUTH and WAN user authentication purposes with Intoto products. We strongly recommend users to patch their server from authentic sources. 
Otherwise, they carry risk of service outages.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Stonesoft __ Not Affected\n\nNotified: October 05, 2004 Updated: October 07, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nStonesoft does not use freeRADIUS server in any of its product offerings and, therefore, they are not vulnerable.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### 3Com Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### AT&T Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this 
vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Alcatel Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Avaya Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Avici Systems Inc. 
Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### BSDI Unknown\n\nNotified: October 05, 2004 Updated: October 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Borderware Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Check Point Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have 
feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Cisco Systems Inc. Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Clavister Unknown\n\nNotified: October 05, 2004 Updated: October 07, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nClavister: Not vulnerable\n\nClavister does not integrate freeRADIUS in any of its products. Additionally, configuring Clavister Firewall to use a freeRADIUS server for AAA does not open up additional attack venues, since none of the affected vendor-specific attributes are used. 
\n \nClavister generally recommends that RADIUS servers be placed in a separate network segment where third parties cannot interfere with traffic between access gateways and the RADIUS server.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Computer Associates Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Connectiva Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### CovErt Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments 
at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Cray Inc. Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Cwnt Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### D-Link Systems Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Data Connection Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### 
Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### EMC Corporation Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Engarde Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Extreme Networks Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### F5 Networks 
Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Fortinet Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### FreeBSD Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Fujitsu Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, 
comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### GTA Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Hewlett-Packard Company Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Hyperchip Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### IBM Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not 
provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### IBM eServer Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### IBM-zSeries Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### IP Filter Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Immunix Unknown\n\nNotified: October 05, 2004 Updated: 
October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Ingrian Networks Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Intel Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Juniper Networks Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional 
information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Lachman Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Linksys Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Lucent Technologies Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Luminous Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any 
further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### MandrakeSoft Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Microsoft Corporation Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### MontaVista Software Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Multi-Tech Systems Inc. 
Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Multinet Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### NEC Corporation Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### NETBSD Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have 
feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### NETfilter Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### NetScreen Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Network Appliance Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### NextHop Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor 
has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Nokia Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Nortel Networks Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Novell Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### OpenBSD Unknown\n\nNotified: October 05, 2004 Updated: 
October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Openwall GNU/*/Linux Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Red Hat Inc. Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Redback Networks Inc. 
Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Riverstone Networks Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### SCO Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### SCO Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have 
feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### SGI Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Secure Computing Corporation Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### SecureWorks Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Sequent Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe 
vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Sony Corporation Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### SuSE Inc. Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Sun Microsystems Inc. 
Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Symantec Corporation Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### TurboLinux Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Unisys Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you 
have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### WatchGuard Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### Wind River Systems Inc. Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### ZyXEL Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### eSoft Unknown\n\nNotified: October 05, 2004 Updated: October 05, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe 
vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23541574 Feedback>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://secunia.com/advisories/12570/>\n * <http://www.securitytracker.com/alerts/2004/Sep/1011364.html>\n * <http://www.freeradius.org/security.html>\n\n### Acknowledgements\n\nThis vulnerability was publicly reported by Secunia Security Advisories. We thank Alan T. DeKok of freeRADIUS for providing information regarding this vulnerability.\n\nThis document was written by Jeff Gennari.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2004-0938](<http://web.nvd.nist.gov/vuln/detail/CVE-2004-0938>) \n---|--- \n**Severity Metric:** | 2.84 \n**Date Public:** | 2004-09-20 \n**Date First Published:** | 2004-10-06 \n**Date Last Updated:** | 2005-02-01 20:39 UTC \n**Document Revision:** | 129 \n", "modified": "2005-02-01T20:39:00", "published": "2004-10-06T00:00:00", "id": "VU:541574", "href": "https://www.kb.cert.org/vuls/id/541574", "type": "cert", "title": "freeRADIUS Server vulnerable to a denial-of-service attack", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}