GNU Radius SNMP String Length Integer Overflow Denial of Service
Vulnerability

iDEFENSE Security Advisory 09.15.04
www.idefense.com/application/poi/display?id=141&type=vulnerabilities
September 15, 2004

I. BACKGROUND

Radius is used for remote user authentication and accounting.

For more information see:

   http://www.gnu.org/software/radius/radius.html

II. DESCRIPTION

Remote exploitation of an input validation error in version 1.2 of  GNU
radiusd could allow a denial of service.

The vulnerability specifically exists within the asn_decode_string()
function defined in snmplib/asn1.c. When a very large unsigned number is
supplied, it is possible that an integer overflow will occur in the
bounds-checking code. The daemon will then attempt to reference
unallocated memory, resulting in an access violation that causes the
process to terminate.

III. ANALYSIS

Successful exploitation allows unauthenticated remote attackers to cause
the radius daemon (radiusd) to crash. This thereby prevents legitimate
users from accessing systems reliant upon the affected radius server for
authentication. This vulnerability does not seem to allow for execution
of code; it is a denial of service condition only. Exploitation requires
that radiusd be compiled with the --enable-snmp option. SNMP support is
not enabled in the default compile.

IV. DETECTION

iDEFENSE has confirmed that GNU Radius 1.1 and 1.2 are vulnerable, if
configured with --enable-snmp at compile time.

V. WORKAROUND

Disable SNMP support when building radiusd at compile time. Ingress
filtering of UDP port 161 on all interfaces that should not be receiving
SNMP packets may lessen exposure to this vulnerability in affected
environments.

VI. VENDOR FIX

The issue has been addressed in maintenance release version number
1.2.94.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-0849 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/10/2004   Initial vendor notification
09/10/2004   Initial vendor response
09/15/2004   Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.