-----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2002-06 Vulnerabilities in Various Implementations of the RADIUS Protocol Original release date: March 4, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected Systems running any of the following RADIUS implementations: * Ascend RADIUS versions 1.16 and prior * Cistron RADIUS versions 1.6.5 and prior * FreeRADIUS versions 0.3 and prior * GnuRADIUS versions 0.95 and prior * ICRADIUS versions 0.18.1 and prior * Livingston RADIUS versions 2.1 and earlier * RADIUS (previously known as Lucent RADIUS) versions 2.1 and prior * RADIUSClient versions 0.3.1 and prior * XTRADIUS 1.1-pre1 and prior * YARD RADIUS 1.0.19 and prior Overview Remote Authentication Dial In User Service (RADIUS) servers are used for authentication, authorization and accounting for terminals that speak the RADIUS protocol. Multiple vulnerabilities have been discovered in several implementations of the RADIUS protocol. I. Description Two vulnerabilities in various implementations of RADIUS clients and servers have been reported to several vendors and the CERT/CC. They are remotely exploitable, and on most systems result in a denial of service. VU#589523 may allow the execution of code if the attacker has knowledge of the shared secret. VU#589523 - Multiple implementations of the RADIUS protocol contain a digest calculation buffer overflow Multiple implementations of the RADIUS protocol contain a buffer overflow in the function that calculates message digests. During the message digest calculation, a string containing the shared secret is concatenated with a packet received without checking the size of the target buffer. This makes it possible to overflow the buffer with shared secret data. This can lead to a denial of service against the server. If the shared secret is known by the attacker, then it may be possible to use this information to execute arbitrary code with the privileges of the victim RADIUS server or client, usually root. It should be noted that gaining knowledge of the shared secret is not a trivial task. Systems Affected by VU#589523 * Ascend RADIUS versions 1.16 and prior * Cistron RADIUS versions 1.6.4 and prior * FreeRADIUS versions 0.3 and prior * GnuRADIUS versions 0.95 and prior * ICRADIUS versions 0.18.1 and prior * Livingston RADIUS versions 2.1 and earlier * RADIUS (commonly known as Lucent RADIUS) versions 2.1 and prior * RADIUSClient versions 0.3.1 and prior * YARD RADIUS 1.0.19 and prior * XTRADIUS 1.1-pre1 and prior VU#936683 - Multiple implementations of the RADIUS protocol do not adequately validate the vendor-length of vendor-specific attributes. Various RADIUS servers and clients permit the passing of vendor-specific and user-specific attributes. Several implementations of RADIUS fail to check the vendor-length of vendor-specific attributes. It is possible to cause a denial of service against RADIUS servers with a malformed vendor-specific attribute. RADIUS servers and clients fail to validate the vendor-length inside vendor-specific attributes. The vendor-length shouldn't be less than 2. If vendor-length is less than 2, the RADIUS server (or client) calculates the attribute length as a negative number. The attribute length is then used in various functions. In most RADIUS servers the function that performs this calculation is rad_recv() or radrecv(). Some applications may use the same logic to validate user-specific attributes and be vulnerable via the same method. Systems Affected by VU#936683 * Cistron RADIUS versions 1.6.5 and prior * FreeRADIUS versions 0.3 and prior * ICRADIUS versions 0.18.1 and prior * Livingston RADIUS versions 2.1 and earlier * YARD RADIUS 1.0.19 and prior * XTRADIUS 1.1-pre1 and prior II. Impact Both of the vulnerabilities allow an attacker can cause a denial of service of the RADIUS server. On some systems, VU#589523 may allow the execution of code if the attacker has knowledge of the shared secret. III. Solution Apply a patch, or upgrade to the version specified by your vendor. Block packets to the RADIUS server at the firewall Limit access to the RADIUS server to those addresses which are approved to authenticate to the RADIUS server. Note that this does not protect your server from attacks originating from these addresses. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Apple Mac OS X and Mac OS X Server -- Not vulnerable since RADIUS is not shipped with those products. Cisco Cisco Systems has reviewed the following products that implement RADIUS with regards to this vulnerability, and has determined that the following are NOT vulnerable to this issue; Cisco IOS, Cisco Catalyst OS, Cisco Secure PIX firewall, Cisco Secure Access Control System for Windows, Cisco Aironet, Cisco Access Registrar, and Cisco Resource Pooling Management Service. At this time, we are not aware of any Cisco products that are vulnerable to the issues discussed in this report. Cistron You state 2 vulnerabilities: 1. Digest Calculation Buffer Overflow Vulnerability Cistron Radius up to and including 1.6.4 is vulnerable 2. Invalid attribute length calculation on malformed Vendor-Specific attr. Cistron Radius up to and including 1.6.5 is vulnerable Today I have released version 1.6.6, which also fixes (2). The homepage is http://www.radius.cistron.nl/ on which you can also find the ChangeLog. An announcement to the cistron-radius mailinglist was also made today. So everybody should upgrade to 1.6.6. FreeBSD FreeBSD versions prior to 4.5-RELEASE (which is shipping today or tomorrow or so) do contain some of the RADIUS packages mentioned below: radiusd-cistron, freeradius, ascend-radius, icradius, and radiusclient. However, 4.5-RELEASE will not ship with any of these RADIUS packages, except radiusclient. Also, note that the information you [CERT/CC] have forwarded previously indicates that neither Merit RADIUS (radius-basic) nor radiusclient are vulnerable. Fujitsu Fujitsu's UXP/V operating system is not vulnerable because UXP/V does not support the Radius functionality. GnuRADIUS The bug was fixed in version 0.96. Hewlett-Packard We have tested our Version of RADIUS, and we are NOT vulnerable. IBM IBM's AIX operating system, all versions, is not vulnerable as we do not ship the RADIUS project with AIX. Juniper Networks Juniper products have been tested and are not affected by this vulnerability. Lucent Technologies, Inc. Lucent and Ascend "Free" RADIUS server Product Status Reiteration of product End of Life February 14, 2002 The purpose of this announcement is to make official the end of life of products based on the Livingston Enterprises RADIUS server, and to reiterate the terms of the original license. Prior to the Lucent Technologies acquisition of Ascend Communications and Livingston Enterprises, both companies distributed RADIUS servers at no cost to their customers. The initial Livingston server was RADIUS 1.16 followed in June 1999 by RADIUS 2.1. The Ascend server was based on the Livingston 1.16 product with the most recent version being released in June 1998. Lucent Technologies no longer distributes these products, does not provide any support services for these products, and has not done so for some time. All of these products were distributed as-is without warranty, under the BSD "Open Source" license with the following terms: This software is provided by the copyright holders and contributors ``as is'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the copyright holder or contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by Lucent Technologies and its contributors. * Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. Under this license, other parties are free to develop and release other products and versions. However, as noted in the license terns, Lucent Technologies can not and does not assume any responsibility for any releases, present or future, based on these products. Replacement Product The replacement product is NavisRadius 4.x. NavisRadius is a fully supported commercial product currently available from Lucent Technologies. Please visit the NavisRadius product web site at http://www.lucentradius.com for product information and free evaluation copies. Richard Perlman NavisRadius Product Management Network Operations Software perl@lucent.com +1 510-747-5650 Microsoft We've completed our investigation into this issue based on the information provided and have determined that no version of Microsoft IAS is susceptible to either vulnerability. NetBSD Some of the affected radius daemons are available from NetBSD pkgsrc. It is highly advisable that you update to the latest versions available from pkgsrc. Also note that pkgsrc/security/audit-packages can be used to notify you when new pkgsrc related security issues are announced. Process Software MultiNet and TCPware do not provide a RADIUS implementation. RADIUS (previously known as Lucent RADIUS) I wish to advise that Lucent Radius 2.1 is vulnerable to VU#589523, but is not vulnerable to VU#936683. I have made an unofficial patch to this code to resolve this problem. It will be released in ftp://ftp.vergenet.net/pub/radius/ where previous patches to Radius by myself are available. RADIUSClient I've just uploaded version 0.3.2 of the radiusclient library to ftp://ftp.cityline.net/pub/radiusclient/radiusclient-0.3.2.tar.gz which contains a fix for the reported buffer overflow. Red Hat We do not ship any radius software as part of any of our main operating system. However, Cistron RADIUS was part of our PowerTools add-on software CD from versions 5.2 through 7.1. Thus while not installed by default, some users of Red Hat Linux may be using Cistron RADIUSD. Errata packages that fix this problem and our advisory will be available shortly on our web site at the URL below. At the same time users of the Red Hat Network will be able to update their systems to patched versions using the up2date tool. http://www.redhat.com/support/errata/RHSA-2002-030.html SCO The Caldera NON-Linux operating systems: OpenServer, UnixWare, and Open UNIX, do not ship Radius servers or clients. SGI SGI does not ship with a RADIUS server or client, so we are not vulnerable to these issues. Wind River Systems The current RADIUS client product from Wind River Systems, WindNet RADIUS 1.1, is not susceptible to VU#936683 and VU#589523 in our internal testing. VU#936683 - WindNet RADIUS will pass the packet up to the application. The application may need to be aware of the invalid attribute length. VU#589523 - WindNet RADIUS will drop the packet overflow. Please contact Wind River support at support@windriver.com or call (800) 458-7767 with any test reports related to VU#936683 and VU#589523. XTRADIUS We are trying to relase a new and fixed version of xtradius by the end of the month (version 1.2.1).. Right now the new version is on the CVS and we are testing it... YARD RADIUS Current version 1.0.19 of Yardradius (which is derived from Lucent 2.1) seems suffering both the problems. I think I will release a new version (1.0.20) which solves those buffer overflows before your suggested date [3/4/2002]. _________________________________________________________________ Our thanks to 3APA3A <3APA3A@security.nnov.ru> and Joshua Hill and for their cooperation, reporting and analysis of this vulnerability. _________________________________________________________________ Feedback about this Advisory can be sent to the author, Jason A. Rafail. _________________________________________________________________ Appendix B. - References 1. http://www.kb.cert.org/vuls/id/589523 2. http://www.kb.cert.org/vuls/id/936683 3. http://www.security.nnov.ru/advisories/radius.asp 4. http://www.untruth.org/~josh/security/radius 5. http://www.securityfocus.com/bid/3530 ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-06.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2002 Carnegie Mellon University. Revision History March 04, 2002: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPIPKVaCVPMXQI2HJAQFfUwQAq41ely7YkhdKYYM+YdjyGPpbMMqzi8Cb 7mEOX8HByLfVQL4e5wnrJOrIhRvX2jCvDMC6KCfPBR8VQ9DZz6hmj1XqUX6TH1EN T+9SnRCSxuRs8NtkBEWAYrHletfQ02C3v6As85Lqxl7nbYmXt3QrF88T+WNpv3r7 AD7ZeRPeYdI= =wtUX -----END PGP SIGNATURE-----