Title: FreeRADIUS Tag Field Heap Corruption Vulnerability
Severity: MODERATE
Description:
FreeRADIUS is a freely available, open-source implementation of the RADIUS protocol. It is available for UNIX and Linux platforms.
FreeRADIUS is prone to a heap-corruption vulnerability when handling of tag-field input. An attacker may be able to exploit this issue to deny service to legitimate users of a vulnerable FreeRADIUS server.
By supplying a malicious tag field to the server, an attacker could force the invocation of the 'memcpy()' function with a negative value. This could potentially cause an error, resulting in the overwriting of heap structures with roughly 3840 bytes of attacker-supplied data.
Because of the method in which 'memcpy()' can be invoked, this vulnerability is likely limited to resulting in a remote denial of service against vulnerable servers. This is because of the casting of the length parameter of the 'memcpy()' function, which will interpret the negative value as an overly large unsigned integer. As a result, an attempt to access an excessive amount of heap memory will occur, likely resulting in the dereferencing of invalid memory. However, the possibility exists that the attacker could exploit this issue to execute code with the privileges of the FreeRADIUS server process.
This issue was initially reported as a vulnerability in how the software handles 'Tunnel-Password' attribute in Access-Request packets, but the issue turns out to have wider scope, affecting tag-field input in general.
This vulnerability affects FreeRADIUS 0.4.0 through 0.9.2.
UPDATE (September 9, 2009): This issue was fixed in 2003 but reintroduced later. FreeRADIUS 1.1.3 through 1.1.7 are also vulnerable.
Affected Products:
- FreeRADIUS FreeRADIUS 0.2.0
- FreeRADIUS FreeRADIUS 0.3.0
- FreeRADIUS FreeRADIUS 0.3.0
- FreeRADIUS FreeRADIUS 0.4.0
- FreeRADIUS FreeRADIUS 0.5.0
- FreeRADIUS FreeRADIUS 0.8.0
- FreeRADIUS FreeRADIUS 0.8.1
- FreeRADIUS FreeRADIUS 0.9.0
- FreeRADIUS FreeRADIUS 0.9.1
- FreeRADIUS FreeRADIUS 0.9.2
- FreeRADIUS FreeRADIUS 1.1.3
- FreeRADIUS FreeRADIUS 1.1.4
- FreeRADIUS FreeRADIUS 1.1.5
- FreeRADIUS FreeRADIUS 1.1.6
- FreeRADIUS FreeRADIUS 1.1.7
- RedHat Enterprise Linux 5 server
- RedHat Enterprise Linux AS 3
- RedHat Enterprise Linux Desktop 5 client
- RedHat Enterprise Linux ES 3
- RedHat Enterprise Linux WS 5
References:
- Alan DeKok: Version 1.1.8 has been released
- FreeRADIUS: FreeRADIUS Homepage
- Jan Lieskovsky: Bug 521912 – FreeRADIUS: Missing check for Tunnel-Password attributes with zero
- Jan Lieskovsky: CVE Request -- FreeRADIUS 1.1.8
- Red Hat: RHSA-2003:386-07 Updated FreeRADIUS packages fix security issue
- alandekok: Fix crash on Tunnel-Password attributes with zero length
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
