COMMAND

    RADIUS server

SYSTEMS AFFECTED

    All RADIUS servers based off of Livingston's 1.16 RADIUS server

PROBLEM

    The following information is based on the SNI Security Advisory about
    a remote vulnerability in RADIUS servers derived from Livingston 1.16.
    That advisory details vulnerabilities in RADIUS server software
    derived from Livingston RADIUS 1.x that allow remote attackers to gain
    extended access to the authentication server. In many installations
    of RADIUS, exploitation of this vulnerability will allow an intruder
    to remotely obtain superuser access to the machine running the RADIUS
    server. In all cases, the extended access gained allows an attacker
    to subvert RADIUS authentication. This vulnerability was discovered
    in Livingston RADIUS 1.16, a popular publicly-available RADIUS server
    implementation. Another popular RADIUS implementation is provided by
    Ascend Communications; Ascend RADIUS, based on the Livingston 1.16
    implementation, is very similar to the Livingston code and shares the
    same bugs.

    An exploitable stack overrun is present in the RADIUS accounting code
    in Livingston RADIUS 1.16. The problem occurs as a result of inverse
    resolution of IP addresses to hostnames: the accounting routine
    rad_accounting() copies the resolved hostname to a buffer on its stack
    without first checking the length of the hostname. As a result of this
    bug, an attacker who controls the DNS server for any IP address can
    configure the records for that address to resolve to a name too large
    for the RADIUS server's buffer; the characters in the hostname, which
    overwrite the server's stack, can contain machine code that the server
    will be forced to execute.
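    The defect described above and the length check that fixes it, as an
    added illustration (not code from the Livingston, Ascend or SNI
    sources): the buffer size, the NAS address 192.0.2.1 and the 300-byte
    PTR answer are all constructed stand-ins for the DNS lookup, since the
    advisory gives none of those values.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the fixed stack buffer; the advisory does not give
 * the real size used by rad_accounting(). */
#define HOSTNAME_MAX 64

/* Vulnerable pattern, shown for contrast only (never called here):
 * whatever the PTR record returned is copied into a fixed stack
 * buffer unchecked, so the DNS reply decides how much is written. */
void copy_hostname_unchecked(char *dst, const char *resolved)
{
    strcpy(dst, resolved);
}

/* Hardened version: accept the resolved name only if it fits the
 * destination, otherwise fall back to the dotted-quad address
 * (addr in host byte order). Returns 1 if the name was accepted,
 * 0 if it was rejected and the address was used instead. */
int accounting_hostname(char *dst, size_t dstlen, const char *resolved,
                        unsigned long addr)
{
    if (resolved != NULL && strlen(resolved) < dstlen) {
        memcpy(dst, resolved, strlen(resolved) + 1);
        return 1;
    }
    snprintf(dst, dstlen, "%lu.%lu.%lu.%lu", (addr >> 24) & 0xff,
             (addr >> 16) & 0xff, (addr >> 8) & 0xff, addr & 0xff);
    return 0;
}

/* Constructed hostile PTR answer: 300 bytes, well past HOSTNAME_MAX. */
const char *oversized_ptr_record(void)
{
    static char name[301];
    memset(name, 'A', 300);
    name[300] = '\0';
    return name;
}

/* Runs one lookup result for the constructed NAS address 192.0.2.1 and
 * reports whether the resulting accounting hostname field equals
 * `expected`. */
int hostname_field_equals(const char *resolved, const char *expected)
{
    char field[HOSTNAME_MAX];
    accounting_hostname(field, sizeof field, resolved, 0xC0000201UL);
    return strcmp(field, expected) == 0;
}
```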

    It is important to note that the RADIUS server's request
    authentication (which, in some cases, involves packet signatures with
    keyed MD5 hashes) does not prevent this attack. The source IP address
    on RADIUS accounting requests is not checked by the server code before
    the error occurs.

    It is also important to note that this is not the only point in the
    RADIUS code where hostname resolution can be exploited to subvert the
    server; unchecked string copies are common throughout the RADIUS code.
    Livingston has integrated a series of patches (written by SNI) to
    address this problem. See the 'SOLUTION' section below.

SOLUTION

    Livingston RADIUS servers 2.0 and 2.0.1 are not vulnerable. MERIT
    Radius has not been tested, but it seems OK. Also, Cistron radiusd is
    not vulnerable; it checks the length of the returned hostname. Any
    Livingston customer may upgrade to 2.0.1 at:

        http://www.livingston.com/Forms/radiusform.cgi

    RADIUS 1.16.1 with SNI patches is also available at:

        ftp://ftp.livingston.com/pub/le/radius/radius-1.16.1.tar.Z

    Ascend could not be contacted for an approved fix. As the source code
    for Ascend RADIUS is freely available, an attempt has been made to
    correct all obvious stack overruns in the code; Ascend has in no way
    examined or approved these fixes. You may obtain this patchfile at:

        ftp://ftp.secnet.com/pub/patches/radius.patch

    Suggested changes are incorporated in the ESVAnet version, available
    at:

        ftp://ftp.esva.net/pub/radius-esva.tar.gz