COMMAND

    RADIUS

SYSTEMS AFFECTED

    Multiple RADIUS Implementations

PROBLEM

    The following is based on an ISS Security Advisory.  ISS X-Force has
    discovered buffer overflow  vulnerabilities in two  popular Remote
    Authentication  Dial-In  User  Server  (RADIUS)   implementations.
    RADIUS was originally designed to manage user authentication  into
    dial-up terminal servers and similar  devices.  It has since  been
    used as a standard for access control and user authentication  for
    numerous  Internet  infrastructure  devices,  including   routers,
    switches, and 802.11 Wireless Access Points.

    RADIUS  is  typically  implemented  as  a  "secure" access-control
    solution  for  critical  network   components.   RADIUS  is   also
    implemented as a supplement to weak security measures provided  in
    802.11b  specifications.   The  vulnerabilities  described in this
    advisory may  allow attackers  to launch  Denial of  Service (DoS)
    attacks against  critical network  components, bypass  802.11 WLAN
    access  control,  or  compromise  and  control  protected  network
    resources.

    Affected Versions:
    - Merit 3.6b RADIUS
    - Lucent 2.1-2 RADIUS

    Earlier  versions  of  both  RADIUS  distributions  may  also   be
    affected.

    RADIUS is  a client-server  internetworking security  system.   It
    controls  authentication,  accounting,  and  access-control  in  a
    networked,  multi-user  environment.   It  is  used  primarily for
    authentication  and  access  control  management by wired Internet
    Service   Providers   (ISPs),   wireless   802.11   MAC    address
    authentication, large  corporations, and  educational institutions
    that manage large dial-in modem pools.

    Multiple   buffer   overflow   vulnerabilities   exist   in    the
    authentication routines of various RADIUS implementations.   These
    routines  require  user-supplied  information.   Adequate   bounds
    checking  measures  are  not  taken  when  parsing   user-supplied
    strings.   Generally, the  "radiusd" daemon  (the RADIUS listener)
    runs with super  user privilege.   Attackers may use  knowledge of
    these vulnerabilities to launch  a Denial of Service  (DoS) attack
    against the RADIUS server or execute arbitrary code on the  RADIUS
    server.  If an attacker can gain control of the RADIUS server,  he
    may have the  ability to control  access to all  networked devices
    served by RADIUS, as well as gather login and password information
    for these devices.
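
    As an added illustration of the bug class described above (not the
    Merit or Lucent code, which this advisory does not show), the C
    below walks RADIUS attributes and applies the two length checks
    whose absence lets an attacker-supplied length byte drive a copy
    into a fixed buffer.  The header size, attribute type number and
    buffer size are assumptions, and the packet is constructed.

```c
/* Added illustration, not code from Merit or Lucent RADIUS: walk
 * RFC 2865 attributes (1-byte type, 1-byte length counting its own
 * header, then value) and copy User-Name with the checks an unbounded
 * copy omits.  Sizes and the constructed packet are assumptions. */
#include <stdint.h>
#include <string.h>
#define RADIUS_HDR_LEN 20   /* code, identifier, length, authenticator */
#define ATTR_USER_NAME 1
#define NAME_BUF 16         /* constructed: deliberately small */

/* Copy User-Name into out, NUL-terminated.  Returns 0 on success, -1 if
 * the packet is malformed or the value would not fit.  The pattern this
 * advisory describes is this loop with both checks removed: a copy into
 * a fixed stack buffer sized only by the attacker-supplied length byte. */
int parse_user_name(const uint8_t *pkt, size_t pkt_len,
                    char *out, size_t out_len)
{
    size_t off = RADIUS_HDR_LEN;
    if (pkt_len < RADIUS_HDR_LEN || out_len == 0) return -1;
    while (off + 2 <= pkt_len) {
        uint8_t type = pkt[off], len = pkt[off + 1];
        /* check 1: length covers its header and stays inside the packet */
        if (len < 2 || off + len > pkt_len) return -1;
        if (type == ATTR_USER_NAME) {
            size_t vlen = len - 2;
            /* check 2: value plus its NUL fits the destination */
            if (vlen >= out_len) return -1;
            memcpy(out, pkt + off + 2, vlen);
            out[vlen] = '\0';
            return 0;
        }
        off += len;
    }
    return -1;  /* no User-Name attribute present */
}

/* Constructed Access-Request: zero-filled header plus one User-Name
 * attribute whose length byte is claimed_len, which need not match the
 * value.  Returns parse_user_name's result, or 1 if the copy is damaged. */
int try_name(uint8_t claimed_len, const char *value)
{
    uint8_t pkt[80]; char name[NAME_BUF];
    size_t vlen = strlen(value);
    memset(pkt, 0, RADIUS_HDR_LEN);
    pkt[RADIUS_HDR_LEN] = ATTR_USER_NAME;
    pkt[RADIUS_HDR_LEN + 1] = claimed_len;
    memcpy(pkt + RADIUS_HDR_LEN + 2, value, vlen);
    int rc = parse_user_name(pkt, RADIUS_HDR_LEN + 2 + vlen, name, sizeof name);
    return (rc == 0 && strcmp(name, value) != 0) ? 1 : rc;
}
```

    A well-formed "alice" (length byte 7) is accepted; a length byte
    that overruns the packet, a value longer than the buffer, or a
    length below the 2-byte header are all rejected before any copy.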

    The  vulnerabilities  described  in  this  advisory were primarily
    researched by Chris Spencer and Mark Dowd of the ISS X-Force.

SOLUTION

    ISS  X-Force  recommends  that  all  network  administrators using
    Lucent or Merit RADIUS upgrade to the new versions immediately.

    Merit has identified and addressed the vulnerability.  ISS X-Force
    recommends that  all Merit  3.6B users  upgrade to  version 3.6B1.
    This patched distribution is available at the following address:

        ftp://ftp.merit.edu/radius/releases/

    Lucent  RADIUS  is  no  longer  maintained  by Lucent.  The Lucent
    RADIUS package is maintained by  Simon Horms of VA Linux  Systems.
    ISS  X-Force  worked  with  VA  Linux  Systems to develop and test
    patches  for  the  vulnerabilities  described  in  this  advisory.
    Patches  will  be  available  soon  after  the publication of this
    advisory at the following address:

        ftp://ftp.vergenet.net/pub/lucent_radius/