8090872 2002-03-04 14:35 -0500 /448 rader/ CERT Advisory <cert-advisory@cert.org>
Sänt av: owner-root@lysator.liu.se
Importerad: 2002-03-04 22:32 av Brevbäraren
Extern mottagare: cert-advisory@cert.org
Mottagare: Bellman -- The Recursive Hacker <16984>
Mottaget: 2002-03-04 22:33
Mottagare: Bugtraq (import) <21259>
Sänt: 2002-03-05 04:02
Ärende: CERT Advisory CA-2002-06 Vulnerabilities in Various Implementations of the
------------------------------------------------------------
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Message-ID: <CA-2002-06.1@cert.org>
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2002-06 Vulnerabilities in Various Implementations of the
RADIUS Protocol
Original release date: March 4, 2002
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
Systems running any of the following RADIUS implementations:
* Ascend RADIUS versions 1.16 and prior * Cistron RADIUS
versions 1.6.5 and prior * FreeRADIUS versions 0.3 and prior *
GnuRADIUS versions 0.95 and prior * ICRADIUS versions 0.18.1 and
prior * Livingston RADIUS versions 2.1 and earlier * RADIUS
(previously known as Lucent RADIUS) versions 2.1 and prior *
RADIUSClient versions 0.3.1 and prior * XTRADIUS 1.1-pre1 and
prior * YARD RADIUS 1.0.19 and prior
Overview
Remote Authentication Dial In User Service (RADIUS) servers are used
for authentication, authorization and accounting for terminals that
speak the RADIUS protocol. Multiple vulnerabilities have been
discovered in several implementations of the RADIUS protocol.
I. Description
Two vulnerabilities in various implementations of RADIUS clients
and servers have been reported to several vendors and the
CERT/CC. They are remotely exploitable, and on most systems
result in a denial of service. VU#589523 may allow the execution
of code if the attacker has knowledge of the shared secret.
VU#589523 - Multiple implementations of the RADIUS protocol
contain a digest calculation buffer overflow
Multiple implementations of the RADIUS protocol contain a
buffer overflow in the function that calculates message digests.
During the message digest calculation, a string containing
the shared secret is concatenated with a packet received
without checking the size of the target buffer. This makes it
possible to overflow the buffer with shared secret
data. This can lead to a denial of service against the
server. If the shared secret is known by the attacker, then it
may be possible to use this information to execute arbitrary
code with the privileges of the victim RADIUS server or
client, usually root. It should be noted that gaining
knowledge of the shared secret is not a trivial task.
Systems Affected by VU#589523
* Ascend RADIUS versions 1.16 and prior
* Cistron RADIUS versions 1.6.4 and prior
* FreeRADIUS versions 0.3 and prior
* GnuRADIUS versions 0.95 and prior
* ICRADIUS versions 0.18.1 and prior
* Livingston RADIUS versions 2.1 and earlier
* RADIUS (commonly known as Lucent RADIUS) versions 2.1 and prior
* RADIUSClient versions 0.3.1 and prior
* YARD RADIUS 1.0.19 and prior
* XTRADIUS 1.1-pre1 and prior
VU#936683 - Multiple implementations of the RADIUS protocol do
not adequately validate the vendor-length of vendor-specific
attributes.
Various RADIUS servers and clients permit the passing of
vendor-specific and user-specific attributes. Several
implementations of RADIUS fail to check the vendor-length of
vendor-specific attributes. It is possible to cause a denial of
service against RADIUS servers with a malformed vendor-specific
attribute.
RADIUS servers and clients fail to validate the
vendor-length inside vendor-specific attributes. The
vendor-length shouldn't be less than 2. If vendor-length is less
than 2, the RADIUS server (or client) calculates the attribute
length as a negative number. The attribute length is then used
in various functions. In most RADIUS servers the function that
performs this calculation is rad_recv() or radrecv(). Some
applications may use the same logic to validate user-specific
attributes and be vulnerable via the same method.
Systems Affected by VU#936683
* Cistron RADIUS versions 1.6.5 and prior
* FreeRADIUS versions 0.3 and prior
* ICRADIUS versions 0.18.1 and prior
* Livingston RADIUS versions 2.1 and earlier
* YARD RADIUS 1.0.19 and prior
* XTRADIUS 1.1-pre1 and prior
II. Impact
Both of the vulnerabilities allow an attacker can cause a
denial of service of the RADIUS server. On some systems, VU#589523
may allow the execution of code if the attacker has knowledge of
the shared secret.
III. Solution
Apply a patch, or upgrade to the version specified by your vendor.
Block packets to the RADIUS server at the firewall
Limit access to the RADIUS server to those addresses which
are approved to authenticate to the RADIUS server. Note that this
does not protect your server from attacks originating from these
addresses.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for
this advisory. When vendors report new information to the
CERT/CC, we update this section and note the changes in our
revision history. If a particular vendor is not listed below,
we have not received their comments.
Apple
Mac OS X and Mac OS X Server -- Not vulnerable since RADIUS is
not shipped with those products.
Cisco
Cisco Systems has reviewed the following products that
implement RADIUS with regards to this vulnerability, and has
determined that the following are NOT vulnerable to this
issue; Cisco IOS, Cisco Catalyst OS, Cisco Secure PIX firewall,
Cisco Secure Access Control System for Windows, Cisco
Aironet, Cisco Access Registrar, and Cisco Resource Pooling
Management Service. At this time, we are not aware of any
Cisco products that are vulnerable to the issues discussed in
this report.
Cistron
You state 2 vulnerabilities:
1. Digest Calculation Buffer Overflow Vulnerability Cistron Radius up
to and including 1.6.4 is vulnerable
2. Invalid attribute length calculation on malformed Vendor-Specific
attr. Cistron Radius up to and including 1.6.5 is vulnerable
Today I have released version 1.6.6, which also fixes (2). The
homepage is http://www.radius.cistron.nl/ on which you can also
find the ChangeLog. An announcement to the cistron-radius
mailinglist was also made today.
So everybody should upgrade to 1.6.6.
FreeBSD
FreeBSD versions prior to 4.5-RELEASE (which is shipping today or
tomorrow or so) do contain some of the RADIUS packages mentioned
below: radiusd-cistron, freeradius, ascend-radius, icradius, and
radiusclient. However, 4.5-RELEASE will not ship with any of these
RADIUS packages, except radiusclient. Also, note that the
information you [CERT/CC] have forwarded previously indicates that
neither Merit RADIUS (radius-basic) nor radiusclient are
vulnerable.
Fujitsu
Fujitsu's UXP/V operating system is not vulnerable because
UXP/V does not support the Radius functionality.
GnuRADIUS
The bug was fixed in version 0.96.
Hewlett-Packard
We have tested our Version of RADIUS, and we are NOT vulnerable.
IBM
IBM's AIX operating system, all versions, is not vulnerable as
we do not ship the RADIUS project with AIX.
Juniper Networks
Juniper products have been tested and are not affected by
this vulnerability.
Lucent Technologies, Inc.
Lucent and Ascend "Free" RADIUS server Product Status
Reiteration of product End of Life
February 14, 2002
The purpose of this announcement is to make official the end
of life of products based on the Livingston Enterprises RADIUS
server, and to reiterate the terms of the original license.
Prior to the Lucent Technologies acquisition of Ascend
Communications and Livingston Enterprises, both companies
distributed RADIUS servers at no cost to their customers. The
initial Livingston server was RADIUS 1.16 followed in June
1999 by RADIUS 2.1. The Ascend server was based on the
Livingston 1.16 product with the most recent version being
released in June 1998. Lucent Technologies no longer
distributes these products, does not provide any support
services for these products, and has not done so for some time.
All of these products were distributed as-is without warranty,
under the BSD "Open Source" license with the following terms:
This software is provided by the copyright holders and
contributors ``as is'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are
disclaimed. In no event shall the copyright holder or
contributors be liable for any direct, indirect, incidental,
special, exemplary, or consequential damages (including, but not
limited to, procurement of substitute goods or services; loss of
use, data, or profits; or business interruption) however caused
and on any theory of liability, whether in contract, strict
liability, or tort (including negligence or otherwise) arising
in any way out of the use of this software, even if advised of
the possibility of such damage.
Redistribution and use in source and binary forms, with or
without modification, are permitted provided that the following
conditions are met:
* Redistributions of source code must retain the above
copyright notice, this list of conditions and the following
disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the
distribution.
* All advertising materials mentioning features or use of
this software must display the following acknowledgement: This
product includes software developed by Lucent Technologies and
its contributors.
* Neither the name of the copyright holder nor the names of
its contributors may be used to endorse or promote products
derived from this software without specific prior written
permission.
Under this license, other parties are free to develop and
release other products and versions. However, as noted in the
license terns, Lucent Technologies can not and does not assume
any responsibility for any releases, present or future, based
on these products.
Replacement Product
The replacement product is NavisRadius 4.x. NavisRadius is a
fully supported commercial product currently available from
Lucent Technologies. Please visit the NavisRadius product
web site at http://www.lucentradius.com for product
information and free evaluation copies.
Richard Perlman
NavisRadius Product Management
Network Operations Software
perl@lucent.com
+1 510-747-5650
Microsoft
We've completed our investigation into this issue based on
the information provided and have determined that no
version of Microsoft IAS is susceptible to either vulnerability.
NetBSD
Some of the affected radius daemons are available from NetBSD
pkgsrc. It is highly advisable that you update to the latest
versions available from pkgsrc. Also note that
pkgsrc/security/audit-packages can be used to notify you when new
pkgsrc related security issues are announced.
Process Software
MultiNet and TCPware do not provide a RADIUS implementation.
RADIUS (previously known as Lucent RADIUS)
I wish to advise that Lucent Radius 2.1 is vulnerable to
VU#589523, but is not vulnerable to VU#936683.
I have made an unofficial patch to this code to resolve
this problem. It will be released in
ftp://ftp.vergenet.net/pub/radius/ where previous patches to
Radius by myself are available.
RADIUSClient
I've just uploaded version 0.3.2 of the radiusclient library
to
ftp://ftp.cityline.net/pub/radiusclient/radiusclient-0.3.2.tar.gz
which contains a fix for the reported buffer overflow.
Red Hat
We do not ship any radius software as part of any of our main
operating system. However, Cistron RADIUS was part of our
PowerTools add-on software CD from versions 5.2 through 7.1. Thus
while not installed by default, some users of Red Hat Linux may be
using Cistron RADIUSD. Errata packages that fix this problem and
our advisory will be available shortly on our web site at the URL
below. At the same time users of the Red Hat Network will be able
to update their systems to patched versions using the up2date tool.
http://www.redhat.com/support/errata/RHSA-2002-030.html
SCO
The Caldera NON-Linux operating systems: OpenServer, UnixWare,
and Open UNIX, do not ship Radius servers or clients.
SGI
SGI does not ship with a RADIUS server or client, so we are
not vulnerable to these issues.
Wind River Systems
The current RADIUS client product from Wind River Systems,
WindNet RADIUS 1.1, is not susceptible to VU#936683 and
VU#589523 in our internal testing.
VU#936683 - WindNet RADIUS will pass the packet up to
the application. The application may need to be aware of the
invalid attribute length.
VU#589523 - WindNet RADIUS will drop the packet overflow.
Please contact Wind River support at support@windriver.com or
call (800) 458-7767 with any test reports related to
VU#936683 and VU#589523.
XTRADIUS
We are trying to relase a new and fixed version of xtradius by
the end of the month (version 1.2.1).. Right now the new
version is on the CVS and we are testing it...
YARD RADIUS
Current version 1.0.19 of Yardradius (which is derived from Lucent
2.1) seems suffering both the problems. I think I will release a
new version (1.0.20) which solves those buffer overflows before
your suggested date [3/4/2002].
_________________________________________________________________
Our thanks to 3APA3A <3APA3A@security.nnov.ru> and Joshua Hill and
for their cooperation, reporting and analysis of this
vulnerability.
_________________________________________________________________
Feedback about this Advisory can be sent to the author,
Jason A. Rafail.
_________________________________________________________________
Appendix B. - References
1. http://www.kb.cert.org/vuls/id/589523
2. http://www.kb.cert.org/vuls/id/936683
3. http://www.security.nnov.ru/advisories/radius.asp
4. http://www.untruth.org/~josh/security/radius
5. http://www.securityfocus.com/bid/3530
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2002-06.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for
more information.
Getting security information
CERT publications and other security information are available
from our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and
bulletins, send email to majordomo@cert.org. Please include in
the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the
U.S. Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
Revision History
March 04, 2002: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPIPKVaCVPMXQI2HJAQFfUwQAq41ely7YkhdKYYM+YdjyGPpbMMqzi8Cb
7mEOX8HByLfVQL4e5wnrJOrIhRvX2jCvDMC6KCfPBR8VQ9DZz6hmj1XqUX6TH1EN
T+9SnRCSxuRs8NtkBEWAYrHletfQ02C3v6As85Lqxl7nbYmXt3QrF88T+WNpv3r7
AD7ZeRPeYdI=
=wtUX
-----END PGP SIGNATURE-----
(8090872) /CERT Advisory <cert-advisory@cert.org>/(Ombruten)
Kommentar i text 8091853
Kommentar i text 8093092
Kommentar i text 8093094