Application: FreeRADIUS, all versions (http://www.freeradius.org)

Summary: A remote DoS, and possibly exploit, exists in all versions of the FreeRADIUS server. All users should upgrade to the latest version as soon as it is officially released. For later announcements, see: http://www.freeradius.org

Background: FreeRADIUS is a RADIUS authentication server, hosted at http://www.freeradius.org.

The users help list had a post this morning from someone claiming to be Evgeny Legerov <e.legerov@s-quadra.com>, about a bug in all versions of the server. He made no attempt to give the developers time to respond and issue a fix. He simply posted to the users list because that was the first email address associated with the server that he stumbled across. He made no attempt to contact the developers privately, whose contact information litters the mailing lists, code, and documentation. He made no attempt to submit the bug to 'patches@freeradius.org', as requested in the server documentation. He made no attempt to contact security@freeradius.org.

When we responded, and declined to coordinate future notifications about the vulnerability (due to his lack of prior notification), he threatened to widely publish the vulnerability, and to include exploit code (which was not in the original post). We do not respond well to blackmail. We are posting our response here before releasing an updated version of the server, as the original notification is publicly available.

Vulnerability: A RADIUS attribute which has a 'tag' (RFC 2868), is of type 'string', and is 2-3 octets long may cause the server to call 'memcpy' with a length argument of '-1'. The ~256 bytes of packet contents following the RADIUS attribute are copied to the current structure on the heap, and any additional packet contents which are copied will overwrite the heap. Since RADIUS packets may only be 4k in length, after header overhead the attacker has about 3.5K of data to use in an attack.
The malformed packet MUST originate from an IP address listed as a RADIUS client in the server's configuration. However, as RADIUS does not require packet signatures, any machine on the net may send a fraudulent UDP packet to the RADIUS server, and cause the DoS. The reader is reminded that, where possible, a RADIUS server SHOULD be placed on a private network, with firewall rules to prevent unknown machines from monitoring the RADIUS packet exchange, or from sending packets to the server.

The original post claimed that the vulnerability applied only to the Tunnel-Password attribute. That claim was false. Any 'string' attribute containing a 'tag' could be used in the attack.

On additional investigation, the FreeRADIUS developers discovered that any Access-Request packet containing a Tunnel-Password attribute could cause the server to immediately crash, due to dereferencing a NULL pointer.

Fix: The code is fixed in the current CVS archive of the server. A new version will be released in a day or so. See the web site for announcements.

Alan DeKok.
FreeRADIUS Project Leader
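Added here to illustrate the Vulnerability section above; this is example code, not FreeRADIUS's own. It walks the attribute list of a RADIUS packet before any value is copied and discards any RFC 2868 tagged 'string' attribute whose Length octet is too short to hold its Tag (or, for Tunnel-Password, its Tag plus 2-octet Salt), so the value length handed to memcpy can never go negative. The attribute numbers are those assigned in RFC 2868; the minimum lengths, the function names and the sample packets are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

#define RADIUS_HDR_LEN 20          /* Code, Identifier, Length, Authenticator */
#define ATTR_TUNNEL_PASSWORD 69    /* RFC 2868 */

/* RFC 2868 attributes of type 'string' that carry a leading Tag octet
 * (Tunnel-Client/Server-Endpoint, Tunnel-Password, Tunnel-Private-Group-ID,
 * Tunnel-Assignment-ID, Tunnel-Client/Server-Auth-ID). */
static int is_tagged_string(uint8_t type)
{
    switch (type) {
    case 66: case 67: case 69: case 81: case 82: case 90: case 91:
        return 1;
    default:
        return 0;
    }
}

/* Smallest legal on-wire Length: Type + Length octets, plus the Tag for
 * tagged strings, plus the 2-octet Salt for Tunnel-Password (assumed here). */
static size_t min_attr_len(uint8_t type)
{
    if (type == ATTR_TUNNEL_PASSWORD) return 5;
    if (is_tagged_string(type)) return 3;
    return 2;
}

/* Returns the attribute count, or -1 if the packet must be discarded: bad
 * header Length, an attribute overrunning the packet, or an attribute too
 * short for its fixed fields (the case that yields a value length of -1). */
int validate_radius_attrs(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < RADIUS_HDR_LEN) return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];   /* RFC 2865 Length field */
    if (declared < RADIUS_HDR_LEN || declared > pkt_len || declared > 4096) return -1;
    const uint8_t *p = pkt + RADIUS_HDR_LEN, *end = pkt + declared;
    int count = 0;
    while (p < end) {
        if ((size_t)(end - p) < 2) return -1;               /* no room for Type+Length */
        uint8_t type = p[0], len = p[1];
        if (len < min_attr_len(type)) return -1;            /* value length would go negative */
        if ((size_t)len > (size_t)(end - p)) return -1;     /* attribute overruns the packet */
        p += len;   /* safe: value length is len - min_attr_len(type), never below 0 */
        count++;
    }
    return count;
}
```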