Fw: CERT Advisory CA-2002-06 Radius Vulnerabilities
Hi All,
Just checking our radius servers, I noticed that Cistron radius in potato is
still version 1.6.1, and I cannot see any notes of security updates for the
package in the changelog.Debian.gz file.
Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: andrewt@cnl.com.au
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874
"It's the smell! If there is such a thing." Agent Smith - The Matrix
----- Original Message -----
From: "CERT Advisory" <cert-advisory@cert.org>
To: <cert-advisory@cert.org>
Sent: Tuesday, March 05, 2002 6:43 AM
Subject: CERT Advisory CA-2002-06 Vulnerabilities in Various Implementations
of the
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2002-06 Vulnerabilities in Various Implementations of the
> RADIUS Protocol
>
> Original release date: March 4, 2002
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> Systems running any of the following RADIUS implementations:
>
> * Ascend RADIUS versions 1.16 and prior
> * Cistron RADIUS versions 1.6.5 and prior
> * FreeRADIUS versions 0.3 and prior
> * GnuRADIUS versions 0.95 and prior
> * ICRADIUS versions 0.18.1 and prior
> * Livingston RADIUS versions 2.1 and earlier
> * RADIUS (previously known as Lucent RADIUS) versions 2.1 and prior
> * RADIUSClient versions 0.3.1 and prior
> * XTRADIUS 1.1-pre1 and prior
> * YARD RADIUS 1.0.19 and prior
>
> Overview
>
> Remote Authentication Dial In User Service (RADIUS) servers are used
> for authentication, authorization and accounting for terminals that
> speak the RADIUS protocol. Multiple vulnerabilities have been
> discovered in several implementations of the RADIUS protocol.
>
> I. Description
>
> Two vulnerabilities in various implementations of RADIUS clients and
> servers have been reported to several vendors and the CERT/CC. They
> are remotely exploitable, and on most systems result in a denial of
> service. VU#589523 may allow the execution of code if the attacker has
> knowledge of the shared secret.
>
> VU#589523 - Multiple implementations of the RADIUS protocol contain a
> digest calculation buffer overflow
>
> Multiple implementations of the RADIUS protocol contain a buffer
> overflow in the function that calculates message digests.
>
> During the message digest calculation, a string containing the
> shared secret is concatenated with a packet received without
> checking the size of the target buffer. This makes it possible to
> overflow the buffer with shared secret data. This can lead to a
> denial of service against the server. If the shared secret is known
> by the attacker, then it may be possible to use this information to
> execute arbitrary code with the privileges of the victim RADIUS
> server or client, usually root. It should be noted that gaining
> knowledge of the shared secret is not a trivial task.
>
> Systems Affected by VU#589523
>
> * Ascend RADIUS versions 1.16 and prior
> * Cistron RADIUS versions 1.6.4 and prior
> * FreeRADIUS versions 0.3 and prior
> * GnuRADIUS versions 0.95 and prior
> * ICRADIUS versions 0.18.1 and prior
> * Livingston RADIUS versions 2.1 and earlier
> * RADIUS (commonly known as Lucent RADIUS) versions 2.1 and prior
> * RADIUSClient versions 0.3.1 and prior
> * YARD RADIUS 1.0.19 and prior
> * XTRADIUS 1.1-pre1 and prior
>
> VU#936683 - Multiple implementations of the RADIUS protocol do not
> adequately validate the vendor-length of vendor-specific attributes.
>
> Various RADIUS servers and clients permit the passing of
> vendor-specific and user-specific attributes. Several
> implementations of RADIUS fail to check the vendor-length of
> vendor-specific attributes. It is possible to cause a denial of
> service against RADIUS servers with a malformed vendor-specific
> attribute.
>
> RADIUS servers and clients fail to validate the vendor-length
> inside vendor-specific attributes. The vendor-length shouldn't be
> less than 2. If vendor-length is less than 2, the RADIUS server (or
> client) calculates the attribute length as a negative number. The
> attribute length is then used in various functions. In most RADIUS
> servers the function that performs this calculation is rad_recv()
> or radrecv(). Some applications may use the same logic to validate
> user-specific attributes and be vulnerable via the same method.
>
> Systems Affected by VU#936683
>
> * Cistron RADIUS versions 1.6.5 and prior
> * FreeRADIUS versions 0.3 and prior
> * ICRADIUS versions 0.18.1 and prior
> * Livingston RADIUS versions 2.1 and earlier
> * YARD RADIUS 1.0.19 and prior
> * XTRADIUS 1.1-pre1 and prior
>
> II. Impact
>
> Both of the vulnerabilities allow an attacker can cause a denial of
> service of the RADIUS server. On some systems, VU#589523 may allow the
> execution of code if the attacker has knowledge of the shared secret.
>
> III. Solution
>
> Apply a patch, or upgrade to the version specified by your vendor.
> Block packets to the RADIUS server at the firewall
>
> Limit access to the RADIUS server to those addresses which are
> approved to authenticate to the RADIUS server. Note that this does not
> protect your server from attacks originating from these addresses.
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. When vendors report new information to the CERT/CC, we
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> comments.
>
> Apple
>
> Mac OS X and Mac OS X Server -- Not vulnerable since RADIUS is not
> shipped with those products.
>
> Cisco
>
> Cisco Systems has reviewed the following products that implement
> RADIUS with regards to this vulnerability, and has determined that
> the following are NOT vulnerable to this issue; Cisco IOS, Cisco
> Catalyst OS, Cisco Secure PIX firewall, Cisco Secure Access Control
> System for Windows, Cisco Aironet, Cisco Access Registrar, and
> Cisco Resource Pooling Management Service. At this time, we are not
> aware of any Cisco products that are vulnerable to the issues
> discussed in this report.
>
> Cistron
>
> You state 2 vulnerabilities:
> 1. Digest Calculation Buffer Overflow Vulnerability Cistron Radius up
> to and including 1.6.4 is vulnerable
> 2. Invalid attribute length calculation on malformed Vendor-Specific
> attr. Cistron Radius up to and including 1.6.5 is vulnerable
>
> Today I have released version 1.6.6, which also fixes (2). The
> homepage is http://www.radius.cistron.nl/ on which you can also
> find the ChangeLog. An announcement to the cistron-radius
> mailinglist was also made today.
>
> So everybody should upgrade to 1.6.6.
>
> FreeBSD
>
> FreeBSD versions prior to 4.5-RELEASE (which is shipping today or
> tomorrow or so) do contain some of the RADIUS packages mentioned
> below: radiusd-cistron, freeradius, ascend-radius, icradius, and
> radiusclient. However, 4.5-RELEASE will not ship with any of these
> RADIUS packages, except radiusclient. Also, note that the
> information you [CERT/CC] have forwarded previously indicates that
> neither Merit RADIUS (radius-basic) nor radiusclient are
> vulnerable.
>
> Fujitsu
>
> Fujitsu's UXP/V operating system is not vulnerable because UXP/V
> does not support the Radius functionality.
>
> GnuRADIUS
>
> The bug was fixed in version 0.96.
>
> Hewlett-Packard
>
> We have tested our Version of RADIUS, and we are NOT vulnerable.
>
> IBM
>
> IBM's AIX operating system, all versions, is not vulnerable as we
> do not ship the RADIUS project with AIX.
>
> Juniper Networks
>
> Juniper products have been tested and are not affected by this
> vulnerability.
>
> Lucent Technologies, Inc.
>
> Lucent and Ascend "Free" RADIUS server Product Status
>
> Reiteration of product End of Life
> February 14, 2002
>
> The purpose of this announcement is to make official the end of
> life of products based on the Livingston Enterprises RADIUS server,
> and to reiterate the terms of the original license.
>
> Prior to the Lucent Technologies acquisition of Ascend Communications
> and Livingston Enterprises, both companies distributed RADIUS servers
> at no cost to their customers. The initial Livingston server was
> RADIUS 1.16 followed in June 1999 by RADIUS 2.1. The Ascend server
> was based on the Livingston 1.16 product with the most recent version
> being released in June 1998. Lucent Technologies no longer
> distributes these products, does not provide any support services for
> these products, and has not done so for some time.
>
> All of these products were distributed as-is without warranty,
> under the BSD "Open Source" license with the following terms:
>
> This software is provided by the copyright holders and contributors
> ``as is'' and any express or implied warranties, including, but not
> limited to, the implied warranties of merchantability and fitness for
> a particular purpose are disclaimed. In no event shall the copyright
> holder or contributors be liable for any direct, indirect,
> incidental, special, exemplary, or consequential damages (including,
> but not limited to, procurement of substitute goods or services;
> loss of use, data, or profits; or business interruption) however
> caused and on any theory of liability, whether in contract, strict
> liability, or tort (including negligence or otherwise) arising in any
> way out of the use of this software, even if advised of the
> possibility of such damage.
>
> Redistribution and use in source and binary forms, with or without
> modification, are permitted provided that the following conditions
> are met:
>
> * Redistributions of source code must retain the above copyright
> notice, this list of conditions and the following disclaimer.
>
> * Redistributions in binary form must reproduce the above copyright
> notice, this list of conditions and the following disclaimer in the
> documentation and/or other materials provided with the
> distribution.
>
> * All advertising materials mentioning features or use of this
> software must display the following acknowledgement:
> This product includes software developed by Lucent Technologies and
> its contributors.
>
> * Neither the name of the copyright holder nor the names of its
> contributors may be used to endorse or promote products derived
> from this software without specific prior written permission.
>
> Under this license, other parties are free to develop and release
> other products and versions. However, as noted in the license terns,
> Lucent Technologies can not and does not assume any responsibility
> for any releases, present or future, based on these products.
>
> Replacement Product
>
> The replacement product is NavisRadius 4.x. NavisRadius is a fully
> supported commercial product currently available from Lucent
> Technologies. Please visit the NavisRadius product web site at
> http://www.lucentradius.com for product information and free
> evaluation copies.
>
> Richard Perlman
> NavisRadius Product Management
> Network Operations Software
> perl@lucent.com
> +1 510-747-5650
>
>
>
> Microsoft
>
> We've completed our investigation into this issue based on the
> information provided and have determined that no version of
> Microsoft IAS is susceptible to either vulnerability.
>
> NetBSD
>
> Some of the affected radius daemons are available from NetBSD
> pkgsrc. It is highly advisable that you update to the latest
> versions available from pkgsrc. Also note that
> pkgsrc/security/audit-packages can be used to notify you when new
> pkgsrc related security issues are announced.
>
> Process Software
>
> MultiNet and TCPware do not provide a RADIUS implementation.
>
> RADIUS (previously known as Lucent RADIUS)
>
> I wish to advise that Lucent Radius 2.1 is vulnerable to VU#589523,
> but is not vulnerable to VU#936683.
>
> I have made an unofficial patch to this code to resolve this
> problem. It will be released in ftp://ftp.vergenet.net/pub/radius/
> where previous patches to Radius by myself are available.
>
> RADIUSClient
>
> I've just uploaded version 0.3.2 of the radiusclient library to
> ftp://ftp.cityline.net/pub/radiusclient/radiusclient-0.3.2.tar.gz
> which contains a fix for the reported buffer overflow.
>
> Red Hat
>
> We do not ship any radius software as part of any of our main
> operating system. However, Cistron RADIUS was part of our
> PowerTools add-on software CD from versions 5.2 through 7.1. Thus
> while not installed by default, some users of Red Hat Linux may be
> using Cistron RADIUSD. Errata packages that fix this problem and
> our advisory will be available shortly on our web site at the URL
> below. At the same time users of the Red Hat Network will be able
> to update their systems to patched versions using the up2date tool.
>
> http://www.redhat.com/support/errata/RHSA-2002-030.html
>
> SCO
>
> The Caldera NON-Linux operating systems: OpenServer, UnixWare, and
> Open UNIX, do not ship Radius servers or clients.
>
> SGI
>
> SGI does not ship with a RADIUS server or client, so we are not
> vulnerable to these issues.
>
> Wind River Systems
>
> The current RADIUS client product from Wind River Systems, WindNet
> RADIUS 1.1, is not susceptible to VU#936683 and VU#589523 in our
> internal testing.
>
> VU#936683 - WindNet RADIUS will pass the packet up to the
> application. The application may need to be aware of the invalid
> attribute length.
>
> VU#589523 - WindNet RADIUS will drop the packet overflow.
>
> Please contact Wind River support at support@windriver.com or call
> (800) 458-7767 with any test reports related to VU#936683 and
> VU#589523.
>
> XTRADIUS
>
> We are trying to relase a new and fixed version of xtradius by the
> end of the month (version 1.2.1).. Right now the new version is on
> the CVS and we are testing it...
>
> YARD RADIUS
>
> Current version 1.0.19 of Yardradius (which is derived from Lucent
> 2.1) seems suffering both the problems. I think I will release a
> new version (1.0.20) which solves those buffer overflows before
> your suggested date [3/4/2002].
> _________________________________________________________________
>
> Our thanks to 3APA3A <3APA3A@security.nnov.ru> and Joshua Hill and for
> their cooperation, reporting and analysis of this vulnerability.
> _________________________________________________________________
>
> Feedback about this Advisory can be sent to the author,
> Jason A. Rafail.
> _________________________________________________________________
>
> Appendix B. - References
>
> 1. http://www.kb.cert.org/vuls/id/589523
> 2. http://www.kb.cert.org/vuls/id/936683
> 3. http://www.security.nnov.ru/advisories/radius.asp
> 4. http://www.untruth.org/~josh/security/radius
> 5. http://www.securityfocus.com/bid/3530
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2002-06.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert@cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
>
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
>
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo@cert.org. Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2002 Carnegie Mellon University.
>
> Revision History
> March 04, 2002: Initial release
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQCVAwUBPIPKVaCVPMXQI2HJAQFfUwQAq41ely7YkhdKYYM+YdjyGPpbMMqzi8Cb
> 7mEOX8HByLfVQL4e5wnrJOrIhRvX2jCvDMC6KCfPBR8VQ9DZz6hmj1XqUX6TH1EN
> T+9SnRCSxuRs8NtkBEWAYrHletfQ02C3v6As85Lqxl7nbYmXt3QrF88T+WNpv3r7
> AD7ZeRPeYdI=
> =wtUX
> -----END PGP SIGNATURE-----
>
Reply to: