CERT Warns of Flaws In RADIUS Implementations

Flaws in a number of implementations of the Remote Authentication Dial In User Service (RADIUS) protocol could allow denial of
service attacks and possibly the execution of arbitrary code on vulnerable machines, the Computer Emergency Response Team
Coordination Center (CERT/CC) warned Tuesday.

Both of the vulnerabilities CERT reported are remotely executable, but the first of the two — a digest calculation buffer
overflow — is more serious, as it could conceivably allow an attacker to execute code on vulnerable machines.

CERT said that during message digest calculation, a string containing a shared secret is concatenated with a packet received without
checking the size of the buffer. This makes it possible for an attacker to overflow the buffer with shared secret data, leading to a
denial of service attack. However, if the attacker knows the shared secret — generally an extremely difficult bit of information to
uncover — the hacker could use the information to execute arbitrary code with the privileges of the victim RADIUS server or client,
usually root.

RADIUS implementations vulnerable to this flaw include:

  • Ascend RADIUS versions 1.16 and prior
  • Cistron RADIUS versions 1.6.4 and prior
  • FreeRADIUS versions 0.3 and prior
  • GnuRADIUS versions 0.95 and prior
  • ICRADIUS versions 0.18.1 and prior
  • Livingston RADIUS versions 2.1 and prior
  • RADIUS (commonly known as Lucent RADIUS) versions 2.1 and prior
  • RADIUSClient versions 0.3.1 and prior
  • YARD RADIUS versions 1.0.19 and prior
  • XTRADIUS versions 1.1-pre1 and prior.

There are also a number of RADIUS implementations which do not adequately validate the vendor-length of vendor-specific attributes,
CERT said. Using a malformed vendor-specific attribute, an attacker could use this flaw to cause a denial of service attack against
RADIUS servers.

Implementations vulnerable to this flaw include:

  • Cistron RADIUS versions 1.6.5 and prior
  • FreeRADIUS versions 0.3 and prior
  • ICRADIUS versions 0.18.1 and prior
  • Livingston RADIUS versions 2.1 and prior
  • YARD RADIUS 1.0.19 and prior
  • XTRADIUS 1.1-pre1 and prior.

CERT suggested that all users of vulnerable RADIUS implementations apply a patch or upgrade to the versions specified by their
vendors. CERT also suggested blocking packets to the RADIUS server at the firewall and limiting access to the RADIUS server to those
addresses which are approved to authenticate to the RADIUS server.

News Around the Web