TUCoPS :: Unix :: General :: ca200206.txt

CERT Advisory CA-2002-06 Vulnerabilities in Various Implementations of the RADIUS Protocol

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-06 Vulnerabilities in Various Implementations of the 
                         RADIUS Protocol

   Original release date: March 4, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   Systems running any of the following RADIUS implementations:

     * Ascend RADIUS versions 1.16 and prior
     * Cistron RADIUS versions 1.6.5 and prior
     * FreeRADIUS versions 0.3 and prior
     * GnuRADIUS versions 0.95 and prior
     * ICRADIUS versions 0.18.1 and prior
     * Livingston RADIUS versions 2.1 and earlier
     * RADIUS (previously known as Lucent RADIUS) versions 2.1 and prior
     * RADIUSClient versions 0.3.1 and prior
     * XTRADIUS 1.1-pre1 and prior
     * YARD RADIUS 1.0.19 and prior

Overview

   Remote  Authentication  Dial In User Service (RADIUS) servers are used
   for  authentication,  authorization  and accounting for terminals that
   speak   the   RADIUS  protocol.  Multiple  vulnerabilities  have  been
   discovered in several implementations of the RADIUS protocol.

I. Description

   Two  vulnerabilities  in various implementations of RADIUS clients and
   servers  have  been  reported to several vendors and the CERT/CC. They
   are  remotely  exploitable,  and on most systems result in a denial of
   service. VU#589523 may allow the execution of code if the attacker has
   knowledge of the shared secret.

   VU#589523  - Multiple implementations of the RADIUS protocol contain a
   digest calculation buffer overflow 

     Multiple  implementations  of  the RADIUS protocol contain a buffer
     overflow in the function that calculates message digests.

     During  the  message  digest  calculation,  a string containing the
     shared  secret  is  concatenated  with  a  packet  received without
     checking  the  size of the target buffer. This makes it possible to
     overflow  the  buffer  with  shared secret data. This can lead to a
     denial of service against the server. If the shared secret is known
     by the attacker, then it may be possible to use this information to
     execute  arbitrary  code  with  the privileges of the victim RADIUS
     server  or  client,  usually  root. It should be noted that gaining
     knowledge of the shared secret is not a trivial task.

     Systems Affected by VU#589523

     * Ascend RADIUS versions 1.16 and prior
     * Cistron RADIUS versions 1.6.4 and prior
     * FreeRADIUS versions 0.3 and prior
     * GnuRADIUS versions 0.95 and prior
     * ICRADIUS versions 0.18.1 and prior
     * Livingston RADIUS versions 2.1 and earlier
     * RADIUS (commonly known as Lucent RADIUS) versions 2.1 and prior
     * RADIUSClient versions 0.3.1 and prior
     * YARD RADIUS 1.0.19 and prior
     * XTRADIUS 1.1-pre1 and prior

   VU#936683  -  Multiple  implementations  of the RADIUS protocol do not
   adequately validate the vendor-length of vendor-specific attributes. 

     Various   RADIUS   servers   and  clients  permit  the  passing  of
     vendor-specific     and     user-specific    attributes.    Several
     implementations  of  RADIUS  fail  to  check  the  vendor-length of
     vendor-specific  attributes.  It  is  possible to cause a denial of
     service  against  RADIUS  servers  with a malformed vendor-specific
     attribute.

     RADIUS  servers  and  clients  fail  to  validate the vendor-length
     inside  vendor-specific  attributes. The vendor-length shouldn't be
     less than 2. If vendor-length is less than 2, the RADIUS server (or
     client)  calculates  the attribute length as a negative number. The
     attribute  length is then used in various functions. In most RADIUS
     servers  the  function that performs this calculation is rad_recv()
     or  radrecv(). Some applications may use the same logic to validate
     user-specific attributes and be vulnerable via the same method.

     Systems Affected by VU#936683

     * Cistron RADIUS versions 1.6.5 and prior
     * FreeRADIUS versions 0.3 and prior
     * ICRADIUS versions 0.18.1 and prior
     * Livingston RADIUS versions 2.1 and earlier
     * YARD RADIUS 1.0.19 and prior
     * XTRADIUS 1.1-pre1 and prior

II. Impact

   Both  of  the  vulnerabilities allow an attacker can cause a denial of
   service of the RADIUS server. On some systems, VU#589523 may allow the
   execution of code if the attacker has knowledge of the shared secret.

III. Solution

   Apply a patch, or upgrade to the version specified by your vendor.
   Block packets to the RADIUS server at the firewall

   Limit  access  to  the  RADIUS  server  to  those  addresses which are
   approved to authenticate to the RADIUS server. Note that this does not
   protect your server from attacks originating from these addresses.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  When  vendors  report  new  information  to the CERT/CC, we
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their
   comments.

 Apple

     Mac  OS X and Mac OS X Server -- Not vulnerable since RADIUS is not
     shipped with those products.

 Cisco

     Cisco  Systems  has  reviewed the following products that implement
     RADIUS  with regards to this vulnerability, and has determined that
     the  following  are  NOT vulnerable to this issue; Cisco IOS, Cisco
     Catalyst OS, Cisco Secure PIX firewall, Cisco Secure Access Control
     System  for  Windows,  Cisco  Aironet,  Cisco Access Registrar, and
     Cisco Resource Pooling Management Service. At this time, we are not
     aware  of  any  Cisco  products  that  are vulnerable to the issues
     discussed in this report.

 Cistron 

     You state 2 vulnerabilities:
    1. Digest Calculation Buffer Overflow Vulnerability Cistron Radius up
       to and including 1.6.4 is vulnerable
    2. Invalid  attribute length calculation on malformed Vendor-Specific
       attr. Cistron Radius up to and including 1.6.5 is vulnerable

     Today  I  have  released  version  1.6.6, which also fixes (2). The
     homepage  is  http://www.radius.cistron.nl/  on  which you can also
     find   the   ChangeLog.   An  announcement  to  the  cistron-radius
     mailinglist was also made today.

     So everybody should upgrade to 1.6.6.

 FreeBSD 

     FreeBSD  versions  prior to 4.5-RELEASE (which is shipping today or
     tomorrow  or  so)  do contain some of the RADIUS packages mentioned
     below:  radiusd-cistron,  freeradius,  ascend-radius, icradius, and
     radiusclient.  However, 4.5-RELEASE will not ship with any of these
     RADIUS   packages,   except   radiusclient.  Also,  note  that  the
     information  you [CERT/CC] have forwarded previously indicates that
     neither   Merit   RADIUS   (radius-basic)   nor   radiusclient  are
     vulnerable.

 Fujitsu 

     Fujitsu's  UXP/V  operating  system is not vulnerable because UXP/V
     does not support the Radius functionality.

 GnuRADIUS 

     The bug was fixed in version 0.96.

 Hewlett-Packard 

     We have tested our Version of RADIUS, and we are NOT vulnerable.

 IBM 

     IBM's  AIX  operating system, all versions, is not vulnerable as we
     do not ship the RADIUS project with AIX.

 Juniper Networks 

     Juniper  products  have  been  tested  and are not affected by this
     vulnerability.

 Lucent Technologies, Inc.

     Lucent and Ascend "Free" RADIUS server Product Status
     
     Reiteration of product End of Life
     February 14, 2002
     
     The  purpose  of  this  announcement is to make official the end of
     life of products based on the Livingston Enterprises RADIUS server,
     and to reiterate the terms of the original license.
     
     Prior to the Lucent Technologies acquisition of Ascend Communications
     and Livingston Enterprises, both companies distributed RADIUS servers
     at no cost to their customers. The initial Livingston server was   
     RADIUS 1.16 followed in June 1999 by RADIUS 2.1. The Ascend server
     was based on the Livingston 1.16 product with the most recent version
     being released in June 1998.  Lucent Technologies no longer
     distributes these products, does not provide any support services for
     these products, and has not done so for some time.
     
     All of these products were distributed as-is without warranty,
     under the BSD "Open Source" license with the following terms:
     
     This software is provided by the copyright holders and contributors
     ``as is'' and any express or implied warranties, including, but not
     limited to, the implied warranties of merchantability and fitness for
     a particular purpose are disclaimed. In no event shall the copyright
     holder or contributors be liable for any direct, indirect,
     incidental, special, exemplary, or consequential damages (including,
     but not limited to, procurement of substitute goods or services;
     loss of use, data, or profits; or business interruption) however
     caused and on any theory of liability, whether in contract, strict
     liability, or tort (including negligence or otherwise) arising in any
     way out of the use of this software, even if advised of the
     possibility of such damage.
     
     Redistribution and use in source and binary forms, with or without
     modification, are permitted provided that the following conditions
     are met:
     
     *  Redistributions  of  source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.
     
     * Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the  
     documentation   and/or  other  materials  provided  with  the
     distribution.
     
     *  All  advertising  materials  mentioning  features or use of this
     software must display the following acknowledgement:
     This product includes software developed by Lucent Technologies and
     its contributors.
     
     *  Neither  the  name  of the copyright holder nor the names of its 
     contributors  may  be  used  to endorse or promote products derived
     from this software without specific prior written permission.

     Under  this  license, other parties are free to develop and release
     other products and versions. However, as noted in the license terns,
     Lucent Technologies can not and does not assume any responsibility   
     for any releases, present or future, based on these products.
     
     Replacement Product
     
     The  replacement product is NavisRadius 4.x. NavisRadius is a fully
     supported  commercial  product  currently  available  from  Lucent
     Technologies.  Please  visit  the  NavisRadius  product web site at
     http://www.lucentradius.com  for  product  information  and  free  
     evaluation copies.
     
     Richard Perlman
     NavisRadius Product Management
     Network Operations Software
     perl@lucent.com
     +1 510-747-5650
     


 Microsoft 

     We've  completed  our  investigation  into  this issue based on the
     information  provided  and  have  determined  that  no  version  of
     Microsoft IAS is susceptible to either vulnerability.

 NetBSD 

     Some  of  the  affected  radius  daemons  are available from NetBSD
     pkgsrc.  It  is  highly  advisable  that  you  update to the latest
     versions     available     from     pkgsrc.    Also    note    that
     pkgsrc/security/audit-packages  can  be used to notify you when new
     pkgsrc related security issues are announced.

 Process Software 

     MultiNet and TCPware do not provide a RADIUS implementation.

 RADIUS (previously known as Lucent RADIUS) 

     I wish to advise that Lucent Radius 2.1 is vulnerable to VU#589523,
     but is not vulnerable to VU#936683.

     I  have  made  an  unofficial  patch  to  this code to resolve this
     problem.  It will be released in ftp://ftp.vergenet.net/pub/radius/
     where previous patches to Radius by myself are available.

 RADIUSClient 

     I've  just  uploaded  version  0.3.2 of the radiusclient library to
     ftp://ftp.cityline.net/pub/radiusclient/radiusclient-0.3.2.tar.gz
     which contains a fix for the reported buffer overflow.

 Red Hat 

     We  do  not  ship  any  radius  software as part of any of our main
     operating   system.   However,  Cistron  RADIUS  was  part  of  our
     PowerTools  add-on  software CD from versions 5.2 through 7.1. Thus
     while  not installed by default, some users of Red Hat Linux may be
     using  Cistron  RADIUSD.  Errata packages that fix this problem and
     our  advisory  will be available shortly on our web site at the URL
     below.  At  the same time users of the Red Hat Network will be able
     to update their systems to patched versions using the up2date tool.

     http://www.redhat.com/support/errata/RHSA-2002-030.html

 SCO 

     The  Caldera NON-Linux operating systems: OpenServer, UnixWare, and
     Open UNIX, do not ship Radius servers or clients.

 SGI 

     SGI  does  not  ship  with a RADIUS server or client, so we are not
     vulnerable to these issues.

 Wind River Systems 

     The  current RADIUS client product from Wind River Systems, WindNet
     RADIUS  1.1,  is  not susceptible to VU#936683 and VU#589523 in our
     internal testing.

     VU#936683  -  WindNet  RADIUS  will  pass  the  packet  up  to  the
     application.  The  application  may need to be aware of the invalid
     attribute length.

     VU#589523 - WindNet RADIUS will drop the packet overflow.

     Please  contact Wind River support at support@windriver.com or call
     (800)  458-7767  with  any  test  reports  related to VU#936683 and
     VU#589523.

 XTRADIUS 

     We  are trying to relase a new and fixed version of xtradius by the
     end  of the month (version 1.2.1).. Right now the new version is on
     the CVS and we are testing it...

 YARD RADIUS 

     Current  version 1.0.19 of Yardradius (which is derived from Lucent
     2.1)  seems  suffering  both the problems. I think I will release a
     new  version  (1.0.20)  which  solves those buffer overflows before
     your suggested date [3/4/2002].
   _________________________________________________________________

   Our thanks to 3APA3A <3APA3A@security.nnov.ru> and Joshua Hill and for
   their cooperation, reporting and analysis of this vulnerability.
   _________________________________________________________________

   Feedback  about  this  Advisory  can  be  sent to the author, 
   Jason A. Rafail.
   _________________________________________________________________

Appendix B. - References

    1. http://www.kb.cert.org/vuls/id/589523
    2. http://www.kb.cert.org/vuls/id/936683
    3. http://www.security.nnov.ru/advisories/radius.asp
    4. http://www.untruth.org/~josh/security/radius 
    5. http://www.securityfocus.com/bid/3530
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2002-06.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

    Getting security information

   CERT  publications  and  other security information are available from
   our web site

   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History
March 04, 2002:  Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPIPKVaCVPMXQI2HJAQFfUwQAq41ely7YkhdKYYM+YdjyGPpbMMqzi8Cb
7mEOX8HByLfVQL4e5wnrJOrIhRvX2jCvDMC6KCfPBR8VQ9DZz6hmj1XqUX6TH1EN
T+9SnRCSxuRs8NtkBEWAYrHletfQ02C3v6As85Lqxl7nbYmXt3QrF88T+WNpv3r7
AD7ZeRPeYdI=
=wtUX
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH