search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Multiple implementations of the RADIUS protocol do not adequately validate the vendor-length of the vendor-specific attributes

Vulnerability Note VU#936683

Original Release Date: 2002-03-04 | Last Revised: 2002-04-16

Overview

Various RADIUS servers and clients permit the passing of vendor-specific and user-specific attributes. Several implementations of RADIUS fail to check the Vendor-Length of the Vendor-Specific attribute. It's possible to cause a denial of service against RADIUS servers with a malformed Vendor-Specific attribute.

Description

RADIUS servers and clients fail to validate the Vendor-Length inside Vendor-Specific attributes. The Vendor-Length shouldn't be less than 2. If Vendor-Length is less than 2, the RADIUS server (or client) calculates the attribute length as a negative number. The attribute length is then used in various functions. In most RADIUS servers the function that performs this calculation is rad_recv() or radrecv(). Some applications may use the same logic to validate user-specific attributes and be vulnerable via the same method. For example, YARDRadius contains this vulnerability in the handling of the User-Specific attributes only.

Impact

It is possible to cause a denial of service against the RADIUS server with a malformed Vendor-Specific attribute. Though unlikely, if a RADIUS client processes the Vendor-Specific attribute contained in a server response, then the client may also be vulnerable.

Solution

Apply a patch or upgrade to the version specified by your vendor.

Vendor Information

936683
 

Cistron Affected

Notified:  January 30, 2002 Updated: February 19, 2002

Status

Affected

Vendor Statement

Cistron Radius up to and including 1.6.5 is vulnerable. Today [2/6/02] I have released version 1.6.6, which also fixes (VU#589523). The homepage is http://www.radius.cistron.nl/ on which you can also find the ChangeLog. An announcement to the cistron-radius mailinglist was also made today.

So everybody should upgrade to 1.6.6.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva Affected

Updated:  March 07, 2002

Status

Affected

Vendor Statement

See, http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000466

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD Affected

Notified:  January 04, 2002 Updated: February 19, 2002

Status

Affected

Vendor Statement

FreeBSD versions prior to 4.5-RELEASE (which is shipping today or tomorrow or so) do contain some of the RADIUS packages mentioned below: radiusd-cistron, freeradius, ascend-radius, icradius, and radiusclient.

However, 4.5-RELEASE will not ship with any of these RADIUS packages, except radiusclient. Also, note that the information you [CERT/CC] have forwarded previously indicates that neither Merit RADIUS (radius-basic) nor radiusclient are vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeRADIUS Affected

Notified:  February 26, 2002 Updated: February 27, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This vulnerability is reported as fixed in FreeRADIUS Version 0.4

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GnuRADIUS Affected

Updated:  February 20, 2002

Status

Affected

Vendor Statement

The bug was fixed in version 0.96.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ICRADIUS Affected

Notified:  January 30, 2002 Updated: February 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lucent Affected

Notified:  January 30, 2002 Updated: March 05, 2002

Status

Affected

Vendor Statement

Lucent and Ascend "Free" RADIUS server Product Status

Prior to the Lucent Technologies acquisition of Ascend Communications and Livingston Enterprises, both companies distributed RADIUS servers at no cost to their customers. The initial Livingston server was RADIUS 1.16 followed in June 1999 by RADIUS 2.1. The Ascend server was based on the Livingston 1.16 product with the most recent version being released in June 1998. Lucent Technologies no longer distributes these products, and does not provide any support services for these products.

Both of these products were distributed as-is without warranty, under the BSD "Open Source" license. Under this license, other parties are free to develop and release other products and versions. However, as noted in the license terms, Lucent Technologies can not and does not assume any responsibility for any releases, present or future, based on these products.

Product Patches

Patches designed to specifically address the problems outlined in the CERT bulletins VU#936683 VU#589523 have been made available to the public by Simon Horman . For more information visit ftp://ftp.vergenet.net/pub/radius

Replacement Product

The Lucent Technologies replacement product is NavisRadius 4.x. NavisRadius is a fully supported commercial product. Visit the product web site at http://www.lucentradius.com for more information.

Richard Perlman
NavisRadius Product Management
Network Operations Software
perl@lucent.com

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please note that Lucent purchased both Livingston and Ascend. NavisRadius 4.x is reported as not vulnerable to this vulnerablility.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NETBSD Affected

Notified:  January 04, 2002 Updated: February 20, 2002

Status

Affected

Vendor Statement

Some of the affected radius daemons are available from NetBSD pkgsrc. It is highly advisable that you update to the latest versions available from pkgsrc. Also note that pkgsrc/security/audit-packages can be used to notify you when new pkgsrc related security issues are announced.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nbase Affected

Notified:  March 05, 2002 Updated: April 12, 2002

Status

Affected

Vendor Statement

Novell's RADIUS server (Border Manager) is only vulnerable to administrator-installed shared secrets and VSAs. We are assessing this vulnerability in more detail.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Open System Consultants Affected

Updated:  March 12, 2002

Status

Affected

Vendor Statement

The current version of Radiator (2.19) is not vulnerable to either of the vulnerabilites reported. No version has ever been vulnerable to VU#589523, and it has not been vulnerable to VU#936683 since version 2.6 (released on 5/4/1998)

More information in our press release at

http://www.open.com.au/press.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Affected

Notified:  January 04, 2002 Updated: February 20, 2002

Status

Affected

Vendor Statement

We do not ship Cistron radiusd as part of any of our main operating systems. However it was part of our PowerTools add-on software CD from versions 5.2 through 7.1. Thus while not installed by default, some users of Red Hat Linux may be using cistron radiusd, and we will be coordinating a fix.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Secure Computing Corporation Affected

Updated:  April 16, 2002

Status

Affected

Vendor Statement

Secure Computing has provided updated RADIUS daemons for the following SafeWord systems running on Solaris: SafeWord v5.2, and SafeWord PremierAccess v3.0. The new updated daemon addresses the following vulnerabilities as was reported in the CERT Advisory CA-2002-06:

VU#589523

Previously, the radiusd daemon contained a buffer overflow in the function that calculates message digest, and the daemon would crash when a secret key of more than 108
characters was entered in the clients file. The new version will now display the following radius debug message when such a key exists:

    "ERROR! Calc_digest: Bad secret key in clients file. Length is too long."

The daemon will remain running.

VU#936683

Previously, the radiusd daemon would crash when malformed RADIUS packets that included Vendor Specific Attributes of lengths of less than 2 bytes. This version will now display the following radius debug message in this situation:
    "Invalid attribute. Invalid length for attribute 26."

The daemon will remain running.

To obtain the new updated RADIUS daemon, please contact Secure Computing Technical support at 1-800-700-8328

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

XTRADIUS Affected

Notified:  January 30, 2002 Updated: February 20, 2002

Status

Affected

Vendor Statement

We are trying to relase a new and fixed version of xtradius by the end of the month (version 1.2.1).. Right now the new version is on the CVS and we are testing it...

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

YARD RADIUS Affected

Notified:  January 30, 2002 Updated: February 20, 2002

Status

Affected

Vendor Statement

Current version 1.0.19 of Yardradius (which is derived from Lucent 2.1) seems suffering both the problems. I think I will release a new version (1.0.20) which solves those buffer overflows before your suggested date [3/4/2002].

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alcatel Not Affected

Updated:  April 02, 2002

Status

Not Affected

Vendor Statement

Following the recent CERT advisory on security vulnerabilities in various RADIUS implementations, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis has shown that the following products are not affected: Omni Switch/Routers, 713x VPN Gateways, A5735 SMC, A5020 SoftSwitch and GGSN. The security of our customers' networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio against potential RADIUS security vulnerabilities and will provide updates if necessary.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Not Affected

Notified:  January 03, 2002 Updated: February 19, 2002

Status

Not Affected

Vendor Statement

Mac OS X and Mac OS X Server -- Not vulnerable since RADIUS is not shipped with those products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Athena Online Not Affected

Updated:  March 12, 2002

Status

Not Affected

Vendor Statement

It is our pleasure to report that Athena Online's Radicate RADIUS server is not vulnerable to CERT RADIUS VU#936683 and VU#589523 in our internal testing.

Radicate has been written from the ground up following the RFCs, using no previously existing code. Security issues such as buffer overflows have been identified and taken care of at each and every state of development to prevent any denial of service or execution of foreign code.

Radicate runs on a variety of platforms, including (but not limited to) Mac OS X, Mac OS X Server, Mac OS 9, Solaris, Linux and Win32.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Not Affected

Notified:  January 04, 2002 Updated: March 04, 2002

Status

Not Affected

Vendor Statement

Cisco Systems has reviewed the following products that implement RADIUS with regards to this vulnerability, and has determined that the following are NOT vulnerable to this issue; Cisco IOS, Cisco Catalyst OS, Cisco Secure PIX firewall, Cisco Secure Access Control System for Windows, Cisco Aironet, Cisco Access Registrar, and Cisco Resource Pooling Management Service. At this time, we are not aware of any Cisco products that are vulnerable to the issues discussed in this report.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu Not Affected

Notified:  January 04, 2002 Updated: February 20, 2002

Status

Not Affected

Vendor Statement

Fujitsu's UXP/V operating system is not vulnerable because UXP/V does not support the Radius functionality.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Funk Software Not Affected

Notified:  March 05, 2002 Updated: March 28, 2002

Status

Not Affected

Vendor Statement

See http://www.funk.com/News&Events/CERT_resp.asp

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett Packard Not Affected

Notified:  January 03, 2002 Updated: February 20, 2002

Status

Not Affected

Vendor Statement

We have tested our Version of RADIUS, and we are NOT vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Not Affected

Notified:  January 03, 2002 Updated: February 20, 2002

Status

Not Affected

Vendor Statement

IBM's AIX operating system, all versions, is not vulnerable as we do not ship the RADIUS project with AIX.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Interlink Networks Not Affected

Notified:  January 30, 2002 Updated: March 18, 2002

Status

Not Affected

Vendor Statement

Interlink Networks has inspected and tested all released versions of its RADIUS server for susceptibility to the issues described in VU#936683 and VU#589523. NONE of Interlink Networks products are susceptible to the vulnerabilities outlined in the advisory.

Interlink Networks also inspected and tested Merit RADIUS server version 3.6B2 and found that it is NOT vulnerable to the reported issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Note that Interlink Networks handles the Merit AAA Server.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks Not Affected

Notified:  January 04, 2002 Updated: February 20, 2002

Status

Not Affected

Vendor Statement

Juniper products have been tested and are not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Not Affected

Notified:  January 04, 2002 Updated: February 20, 2002

Status

Not Affected

Vendor Statement

We've completed our investigation into this issue based on the information provided and have determined that no version of Microsoft IAS is susceptible to either vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Process Software Not Affected

Notified:  January 04, 2002 Updated: February 20, 2002

Status

Not Affected

Vendor Statement

MultiNet and TCPware do not provide a RADIUS implementation.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

RADIUS Not Affected

Notified:  February 18, 2002 Updated: March 04, 2002

Status

Not Affected

Vendor Statement

I wish to advise that Lucent Radius 2.1 is vulnerable to VU#589523, but is not vulnerable to VU#936683.

I have made an unofficial patch to this code to resolve this problem. It will be released in ftp://ftp.vergenet.net/pub/radius/ where previous patches to Radius by myself are available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

RADIUSClient Not Affected

Notified:  January 30, 2002 Updated: February 20, 2002

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO Not Affected

Notified:  January 03, 2002 Updated: February 19, 2002

Status

Not Affected

Vendor Statement

The Caldera NON-Linux operating systems: OpenServer, UnixWare, and Open UNIX, do not ship Radius servers or clients.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Not Affected

Notified:  January 03, 2002 Updated: February 20, 2002

Status

Not Affected

Vendor Statement

SGI does not ship with a RADIUS server or client, so we are not vulnerable to these issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Vircom Not Affected

Updated:  April 02, 2002

Status

Not Affected

Vendor Statement

See http://www.vircom.com/solutions/vopradius/certadvisoryca200206.htm

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems Not Affected

Notified:  January 04, 2002 Updated: March 04, 2002

Status

Not Affected

Vendor Statement

The current RADIUS client product from Wind River Systems, WindNet RADIUS 1.1, is not susceptible to VU#936683 and VU#589523 in our internal testing.

VU#936683 - WindNet RADIUS will pass the packet up to the application. The application may need to be aware of the invalid attribute length.

VU#589523 - WindNet RADIUS will drop the packet overflow.

Please contact Wind River support at support@windriver.com or call (800) 458-7767 with any test reports related to VU#936683 and VU#589523.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 32 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Our thanks to 3APA3A <3APA3A@SECURITY.NNOV.RU> for the report and analysis of this vulnerability.

This document was written by Jason Rafail and is based on information provided by 3APA3A.

Other Information

CVE IDs: CVE-2001-1377
CERT Advisory: CA-2002-06
Severity Metric: 1.77
Date Public: 2001-11-29
Date First Published: 2002-03-04
Date Last Updated: 2002-04-16 18:58 UTC
Document Revision: 18

Sponsored by CISA.