AUSCERT External Security Bulletin Redistribution

                 ESB-2002.112 -- CERT Advisory CA-2002-06
     Vulnerabilities in Various Implementations of the RADIUS Protocol
                               5 March 2002


        AusCERT Security Bulletin Summary

Product:                Ascend RADIUS versions 1.16 and prior
                        Cistron RADIUS versions 1.6.5 and prior
                        FreeRADIUS versions 0.3 and prior
                        GnuRADIUS versions 0.95 and prior
                        ICRADIUS versions 0.18.1 and prior
                        Livingston RADIUS versions 2.1 and earlier
                        RADIUS (Lucent RADIUS) versions 2.1 and prior
                        RADIUSClient versions 0.3.1 and prior
                        XTRADIUS 1.1-pre1 and prior
                        YARD RADIUS 1.0.19 and prior
Impact:                 Execute Arbitrary Code/Commands
                        Denial of Service
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------


CERT Advisory CA-2002-06 Vulnerabilities in Various Implementations of the 
                         RADIUS Protocol

   Original release date: March 4, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   Systems running any of the following RADIUS implementations:

     * Ascend RADIUS versions 1.16 and prior
     * Cistron RADIUS versions 1.6.5 and prior
     * FreeRADIUS versions 0.3 and prior
     * GnuRADIUS versions 0.95 and prior
     * ICRADIUS versions 0.18.1 and prior
     * Livingston RADIUS versions 2.1 and earlier
     * RADIUS (previously known as Lucent RADIUS) versions 2.1 and prior
     * RADIUSClient versions 0.3.1 and prior
     * XTRADIUS 1.1-pre1 and prior
     * YARD RADIUS 1.0.19 and prior


   Remote  Authentication  Dial In User Service (RADIUS) servers are used
   for  authentication,  authorization  and accounting for terminals that
   speak   the   RADIUS  protocol.  Multiple  vulnerabilities  have  been
   discovered in several implementations of the RADIUS protocol.

I. Description

   Two  vulnerabilities  in various implementations of RADIUS clients and
   servers  have  been  reported to several vendors and the CERT/CC. They
   are  remotely  exploitable,  and on most systems result in a denial of
   service. VU#589523 may allow the execution of code if the attacker has
   knowledge of the shared secret.

   VU#589523  - Multiple implementations of the RADIUS protocol contain a
   digest calculation buffer overflow 

     Multiple  implementations  of  the RADIUS protocol contain a buffer
     overflow in the function that calculates message digests.

     During  the  message  digest  calculation,  a string containing the
     shared  secret  is  concatenated  with  a  packet  received without
     checking  the  size of the target buffer. This makes it possible to
     overflow  the  buffer  with  shared secret data. This can lead to a
     denial of service against the server. If the shared secret is known
     by the attacker, then it may be possible to use this information to
     execute  arbitrary  code  with  the privileges of the victim RADIUS
     server  or  client,  usually  root. It should be noted that gaining
     knowledge of the shared secret is not a trivial task.

     Systems Affected by VU#589523

     * Ascend RADIUS versions 1.16 and prior
     * Cistron RADIUS versions 1.6.4 and prior
     * FreeRADIUS versions 0.3 and prior
     * GnuRADIUS versions 0.95 and prior
     * ICRADIUS versions 0.18.1 and prior
     * Livingston RADIUS versions 2.1 and earlier
     * RADIUS (commonly known as Lucent RADIUS) versions 2.1 and prior
     * RADIUSClient versions 0.3.1 and prior
     * YARD RADIUS 1.0.19 and prior
     * XTRADIUS 1.1-pre1 and prior

   VU#936683  -  Multiple  implementations  of the RADIUS protocol do not
   adequately validate the vendor-length of vendor-specific attributes. 

     Various   RADIUS   servers   and  clients  permit  the  passing  of
     vendor-specific     and     user-specific    attributes.    Several
     implementations  of  RADIUS  fail  to  check  the  vendor-length of
     vendor-specific  attributes.  It  is  possible to cause a denial of
     service  against  RADIUS  servers  with a malformed vendor-specific

     RADIUS  servers  and  clients  fail  to  validate the vendor-length
     inside  vendor-specific  attributes. The vendor-length shouldn't be
     less than 2. If vendor-length is less than 2, the RADIUS server (or
     client)  calculates  the attribute length as a negative number. The
     attribute  length is then used in various functions. In most RADIUS
     servers  the  function that performs this calculation is rad_recv()
     or  radrecv(). Some applications may use the same logic to validate
     user-specific attributes and be vulnerable via the same method.

     Systems Affected by VU#936683

     * Cistron RADIUS versions 1.6.5 and prior
     * FreeRADIUS versions 0.3 and prior
     * ICRADIUS versions 0.18.1 and prior
     * Livingston RADIUS versions 2.1 and earlier
     * YARD RADIUS 1.0.19 and prior
     * XTRADIUS 1.1-pre1 and prior

II. Impact

   Both  of  the  vulnerabilities allow an attacker can cause a denial of
   service of the RADIUS server. On some systems, VU#589523 may allow the
   execution of code if the attacker has knowledge of the shared secret.

III. Solution

   Apply a patch, or upgrade to the version specified by your vendor.
   Block packets to the RADIUS server at the firewall

   Limit  access  to  the  RADIUS  server  to  those  addresses which are
   approved to authenticate to the RADIUS server. Note that this does not
   protect your server from attacks originating from these addresses.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  When  vendors  report  new  information  to the CERT/CC, we
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their


     Mac  OS X and Mac OS X Server -- Not vulnerable since RADIUS is not
     shipped with those products.


     Cisco  Systems  has  reviewed the following products that implement
     RADIUS  with regards to this vulnerability, and has determined that
     the  following  are  NOT vulnerable to this issue; Cisco IOS, Cisco
     Catalyst OS, Cisco Secure PIX firewall, Cisco Secure Access Control
     System  for  Windows,  Cisco  Aironet,  Cisco Access Registrar, and
     Cisco Resource Pooling Management Service. At this time, we are not
     aware  of  any  Cisco  products  that  are vulnerable to the issues
     discussed in this report.


     You state 2 vulnerabilities:
    1. Digest Calculation Buffer Overflow Vulnerability Cistron Radius up
       to and including 1.6.4 is vulnerable
    2. Invalid  attribute length calculation on malformed Vendor-Specific
       attr. Cistron Radius up to and including 1.6.5 is vulnerable

     Today  I  have  released  version  1.6.6, which also fixes (2). The
     homepage  is  http://www.radius.cistron.nl/  on  which you can also
     find   the   ChangeLog.   An  announcement  to  the  cistron-radius
     mailinglist was also made today.

     So everybody should upgrade to 1.6.6.


     FreeBSD  versions  prior to 4.5-RELEASE (which is shipping today or
     tomorrow  or  so)  do contain some of the RADIUS packages mentioned
     below:  radiusd-cistron,  freeradius,  ascend-radius, icradius, and
     radiusclient.  However, 4.5-RELEASE will not ship with any of these
     RADIUS   packages,   except   radiusclient.  Also,  note  that  the
     information  you [CERT/CC] have forwarded previously indicates that
     neither   Merit   RADIUS   (radius-basic)   nor   radiusclient  are


     Fujitsu's  UXP/V  operating  system is not vulnerable because UXP/V
     does not support the Radius functionality.


     The bug was fixed in version 0.96.


     We have tested our Version of RADIUS, and we are NOT vulnerable.


     IBM's  AIX  operating system, all versions, is not vulnerable as we
     do not ship the RADIUS project with AIX.

 Juniper Networks 

     Juniper  products  have  been  tested  and are not affected by this

 Lucent Technologies, Inc.

     Lucent and Ascend "Free" RADIUS server Product Status
     Reiteration of product End of Life
     February 14, 2002
     The  purpose  of  this  announcement is to make official the end of
     life of products based on the Livingston Enterprises RADIUS server,
     and to reiterate the terms of the original license.
     Prior to the Lucent Technologies acquisition of Ascend Communications
     and Livingston Enterprises, both companies distributed RADIUS servers
     at no cost to their customers. The initial Livingston server was   
     RADIUS 1.16 followed in June 1999 by RADIUS 2.1. The Ascend server
     was based on the Livingston 1.16 product with the most recent version
     being released in June 1998.  Lucent Technologies no longer
     distributes these products, does not provide any support services for
     these products, and has not done so for some time.
     All of these products were distributed as-is without warranty,
     under the BSD "Open Source" license with the following terms:
     This software is provided by the copyright holders and contributors
     ``as is'' and any express or implied warranties, including, but not
     limited to, the implied warranties of merchantability and fitness for
     a particular purpose are disclaimed. In no event shall the copyright
     holder or contributors be liable for any direct, indirect,
     incidental, special, exemplary, or consequential damages (including,
     but not limited to, procurement of substitute goods or services;
     loss of use, data, or profits; or business interruption) however
     caused and on any theory of liability, whether in contract, strict
     liability, or tort (including negligence or otherwise) arising in any
     way out of the use of this software, even if advised of the
     possibility of such damage.
     Redistribution and use in source and binary forms, with or without
     modification, are permitted provided that the following conditions
     are met:
     *  Redistributions  of  source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.
     * Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the  
     documentation   and/or  other  materials  provided  with  the
     *  All  advertising  materials  mentioning  features or use of this
     software must display the following acknowledgement:
     This product includes software developed by Lucent Technologies and
     its contributors.
     *  Neither  the  name  of the copyright holder nor the names of its 
     contributors  may  be  used  to endorse or promote products derived
     from this software without specific prior written permission.

     Under  this  license, other parties are free to develop and release
     other products and versions. However, as noted in the license terns,
     Lucent Technologies can not and does not assume any responsibility   
     for any releases, present or future, based on these products.
     Replacement Product
     The  replacement product is NavisRadius 4.x. NavisRadius is a fully
     supported  commercial  product  currently  available  from  Lucent
     Technologies.  Please  visit  the  NavisRadius  product web site at
     http://www.lucentradius.com  for  product  information  and  free  
     evaluation copies.
     Richard Perlman
     NavisRadius Product Management
     Network Operations Software
     +1 510-747-5650


     We've  completed  our  investigation  into  this issue based on the
     information  provided  and  have  determined  that  no  version  of
     Microsoft IAS is susceptible to either vulnerability.


     Some  of  the  affected  radius  daemons  are available from NetBSD
     pkgsrc.  It  is  highly  advisable  that  you  update to the latest
     versions     available     from     pkgsrc.    Also    note    that
     pkgsrc/security/audit-packages  can  be used to notify you when new
     pkgsrc related security issues are announced.

 Process Software 

     MultiNet and TCPware do not provide a RADIUS implementation.

 RADIUS (previously known as Lucent RADIUS) 

     I wish to advise that Lucent Radius 2.1 is vulnerable to VU#589523,
     but is not vulnerable to VU#936683.

     I  have  made  an  unofficial  patch  to  this code to resolve this
     problem.  It will be released in ftp://ftp.vergenet.net/pub/radius/
     where previous patches to Radius by myself are available.


     I've  just  uploaded  version  0.3.2 of the radiusclient library to
     which contains a fix for the reported buffer overflow.

 Red Hat 

     We  do  not  ship  any  radius  software as part of any of our main
     operating   system.   However,  Cistron  RADIUS  was  part  of  our
     PowerTools  add-on  software CD from versions 5.2 through 7.1. Thus
     while  not installed by default, some users of Red Hat Linux may be
     using  Cistron  RADIUSD.  Errata packages that fix this problem and
     our  advisory  will be available shortly on our web site at the URL
     below.  At  the same time users of the Red Hat Network will be able
     to update their systems to patched versions using the up2date tool.



     The  Caldera NON-Linux operating systems: OpenServer, UnixWare, and
     Open UNIX, do not ship Radius servers or clients.


     SGI  does  not  ship  with a RADIUS server or client, so we are not
     vulnerable to these issues.

 Wind River Systems 

     The  current RADIUS client product from Wind River Systems, WindNet
     RADIUS  1.1,  is  not susceptible to VU#936683 and VU#589523 in our
     internal testing.

     VU#936683  -  WindNet  RADIUS  will  pass  the  packet  up  to  the
     application.  The  application  may need to be aware of the invalid
     attribute length.

     VU#589523 - WindNet RADIUS will drop the packet overflow.

     Please  contact Wind River support at support@windriver.com or call
     (800)  458-7767  with  any  test  reports  related to VU#936683 and


     We  are trying to relase a new and fixed version of xtradius by the
     end  of the month (version 1.2.1).. Right now the new version is on
     the CVS and we are testing it...


     Current  version 1.0.19 of Yardradius (which is derived from Lucent
     2.1)  seems  suffering  both the problems. I think I will release a
     new  version  (1.0.20)  which  solves those buffer overflows before
     your suggested date [3/4/2002].

   Our thanks to 3APA3A <3APA3A@security.nnov.ru> and Joshua Hill and for
   their cooperation, reporting and analysis of this vulnerability.

   Feedback  about  this  Advisory  can  be  sent to the author, 
   Jason A. Rafail.

Appendix B. - References

    1. http://www.kb.cert.org/vuls/id/589523
    2. http://www.kb.cert.org/vuls/id/936683
    3. http://www.security.nnov.ru/advisories/radius.asp
    4. http://www.untruth.org/~josh/security/radius 
    5. http://www.securityfocus.com/bid/3530

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from


   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

    Getting security information

   CERT  publications  and  other security information are available from
   our web site


   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History
March 04, 2002:  Initial release

Version: PGP 6.5.8


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key