CVE-2001-1377
CVSS5.0
Published: 2002-03-04 00:00:00
Revised: 2016-10-17 22:14:45
NMCOS    

[Original] Multiple RADIUS implementations do not properly validate the Vendor-Length of the Vendor-Specific attribute, which allows remote attackers to cause a denial of service (crash) via a Vendor-Length that is less than 2.


[CNNVD] Multiple RADIUS Implementations Vendor-Length Field Denial of Service Vulnerability (CNNVD-200203-001)

        
        The Remote Authentication Dial In User Service (RADIUS) server, based on RFC 2865, authenticates, authorizes and accounts for terminals that use the RADIUS protocol. It runs on a variety of operating systems.
        Some implementations of the RADIUS protocol contain a security vulnerability: because the vendor-length field of the vendor-specific attribute is not properly validated, a remote attacker can crash a RADIUS server or client by sending a packet containing a malformed vendor-specific attribute.
        RADIUS servers and clients do not correctly validate the vendor-length inside the vendor-specific attribute. The vendor-length must not be less than 2. When it is less than 2, the RADIUS server (or client) computes the attribute length as a negative number, which can lead to illegal memory access and abnormal termination. This attribute length is used by various functions. In most RADIUS servers the function performing this computation is rad_recv() or radrecv(). Other applications that use the same logic to validate vendor-specific attributes are affected in the same way.
        

- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:miquel_van_smoorenburg_cistron:radius:1.6.3
cpe:/a:miquel_van_smoorenburg_cistron:radius:1.6.4
cpe:/a:icradius:icradius:0.18
cpe:/a:livingston:radius:2.0
cpe:/a:icradius:icradius:0.17
cpe:/a:radiusclient:radiusclient:0.3.1
cpe:/a:openradius:openradius:0.9.3
cpe:/a:icradius:icradius:0.18.1
cpe:/a:livingston:radius:2.0.1
cpe:/a:lucent:radius:2.1 (Lucent RADIUS 2.1)
cpe:/a:lucent:radius:2.0 (Lucent RADIUS 2.0)
cpe:/a:icradius:icradius:0.17b
cpe:/a:yard_radius:yard_radius:1.0_pre13
cpe:/a:miquel_van_smoorenburg_cistron:radius:1.6.1
cpe:/a:yard_radius:yard_radius:1.0_pre15
cpe:/a:miquel_van_smoorenburg_cistron:radius:1.6.2
cpe:/a:yard_radius:yard_radius:1.0_pre14
cpe:/a:miquel_van_smoorenburg_cistron:radius:1.6_.0
cpe:/a:freeradius:freeradius:0.3 (FreeRADIUS 0.3)
cpe:/a:lucent:radius:2.0.1 (Lucent RADIUS 2.0.1)
cpe:/a:freeradius:freeradius:0.2 (FreeRADIUS 0.2)
cpe:/a:openradius:openradius:0.9.1
cpe:/a:gnu:radius:0.95 (GNU Radius 0.95)
cpe:/a:openradius:openradius:0.9.2
cpe:/a:gnu:radius:0.94 (GNU Radius 0.94)
cpe:/a:gnu:radius:0.93 (GNU Radius 0.93)
cpe:/a:xtradius:xtradius:1.1_pre2
cpe:/a:xtradius:xtradius:1.1_pre1
cpe:/a:gnu:radius:0.92.1 (GNU Radius 0.92.1)
cpe:/a:icradius:icradius:0.14
cpe:/a:icradius:icradius:0.16
cpe:/a:miquel_van_smoorenburg_cistron:radius:1.6.5
cpe:/a:icradius:icradius:0.15
cpe:/a:livingston:radius:2.1
cpe:/a:openradius:openradius:0.9
cpe:/a:yard_radius:yard_radius:1.0.16
cpe:/a:openradius:openradius:0.8
cpe:/a:yard_radius:yard_radius:1.0.17
cpe:/a:yard_radius:yard_radius:1.0.18
cpe:/a:yard_radius:yard_radius:1.0.19

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1377
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1377
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200203-001
(Official data source) CNNVD

- Other Links and Resources

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:02.asc
(UNKNOWN)  FREEBSD  FreeBSD-SN-02:02
http://archives.neohapsis.com/archives/linux/suse/2002-q2/0362.html
(UNKNOWN)  SUSE  SuSE-SA:2002:013
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000466
(UNKNOWN)  CONECTIVA  CLA-2002:466
http://marc.info/?l=bugtraq&m=101537153021792&w=2
(UNKNOWN)  BUGTRAQ  20020305 SECURITY.NNOV: few vulnerabilities in multiple RADIUS implementations
http://www.cert.org/advisories/CA-2002-06.html
(VENDOR_ADVISORY)  CERT  CA-2002-06
http://www.iss.net/security_center/static/8354.php
(VENDOR_ADVISORY)  XF  radius-vendor-attribute-dos(8354)
http://www.kb.cert.org/vuls/id/936683
(VENDOR_ADVISORY)  CERT-VN  VU#936683
http://www.redhat.com/support/errata/RHSA-2002-030.html
(UNKNOWN)  REDHAT  RHSA-2002:030
http://www.securityfocus.com/bid/4230
(VENDOR_ADVISORY)  BID  4230

- Vulnerability Information

Multiple RADIUS Implementations Vendor-Length Field Denial of Service Vulnerability
Medium  Design Error
2002-03-04 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and Patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * No suitable temporary workaround exists; upgrade the software as soon as possible.
        Vendor patches:
        Conectiva
        ---------
        Conectiva has released a security advisory (CLA-2002:466) and a corresponding patch:
        CLA-2002:466: radiusd-cistron
        Link:
        Patch download:
        ftp://atualizacoes.conectiva.com.br/5.0/5.0/SRPMS/radiusd-cistron-1.6.6-1U50_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/5.0/i386/radiusd-cistron-1.6.6-1U50_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/5.1/SRPMS/radiusd-cistron-1.6.6-1U51_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/5.1/i386/radiusd-cistron-1.6.6-1U51_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/6.0/SRPMS/radiusd-cistron-1.6.6-1U60_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/6.0/RPMS/radiusd-cistron-1.6.6-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/7.0/SRPMS/radiusd-cistron-1.6.6-1U70_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/7.0/RPMS/radiusd-cistron-1.6.6-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/5.0/SRPMS/radiusd-cistron-1.6.6-1U50_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/5.0/i386/radiusd-cistron-1.6.6-1U50_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/5.0/SRPMS/radiusd-cistron-1.6.6-1U50_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/5.0/i386/radiusd-cistron-1.6.6-1U50_1cl.i386.rpm
        GNU
        ---
        The vendor has released version 0.96 to fix this security issue; download it from the vendor's homepage:
        
        http://www.gnu.org/software/radius/radius.html

        Lucent
        ------
        Before Lucent Technologies acquired Ascend Communications and the Livingston group, both companies provided RADIUS servers to their customers free of charge. The original Livingston server was RADIUS 1.16, later replaced by RADIUS 2.1, released in June 1999. The Ascend server was based on the latest Livingston 1.16 product, released in June 1998. Lucent Technologies no longer distributes these products and no longer provides technical support for them.
        Users still running RADIUS 2.1 can install the relevant patch from the following location:
        ftp://ftp.vergenet.net/pub/radius/
        RedHat
        ------
        Red Hat has released a security advisory (RHSA-2002:030-08) and a corresponding patch:
        RHSA-2002:030-08: Updated radiusd-cistron packages are available
        Link: https://www.redhat.com/support/errata/RHSA-2002-030.html
        Patch download:
        Red Hat Powertools 7.0:
        SRPMS:
        ftp://updates.redhat.com/7.0/en/powertools/SRPMS/radiusd-cistron-1.6.6-2.src.rpm
        alpha:
        ftp://updates.redhat.com/7.0/en/powertools/alpha/radiusd-cistron-1.6.6-2.alpha.rpm
        i386:
        ftp://updates.redhat.com/7.0/en/powertools/i386/radiusd-cistron-1.6.6-2.i386.rpm
        Red Hat Powertools 7.1:
        SRPMS:
        ftp://updates.redhat.com/7.1/en/powertools/SRPMS/radiusd-cistron-1.6.6-2.src.rpm
        alpha:
        ftp://updates.redhat.com/7.1/en/powertools/alpha/radiusd-cistron-1.6.6-2.alpha.rpm
        i386:
        ftp://updates.redhat.com/7.1/en/powertools/i386/radiusd-cistron-1.6.6-2.i386.rpm
        Install the patch with the following commands:
        # /sbin/service radiusd stop
        # /sbin/chkconfig --del radiusd
        # rpm -e --noscripts radiusd-cistron
        # rpm -ivh radiusd-cistron-1.6.6-2.[arch].rpm
        CistronRADIUS
        -------------
        The vendor has released version 1.6.6 to fix this security issue; download it from the vendor's homepage:
        
        http://www.radius.cistron.nl/

        YARDRADIUS
        ----------
        The vendor has released version 1.0.20 to fix this security issue; download it from the vendor's homepage:
        
        http://prdownloads.sourceforge.net/yardradius/yardradius-1.0.20.tar.gz

- Vulnerability Information

7324
Multiple RADIUS Implementation Vendor-Specific Attribute DoS
Denial of Service
Loss of Availability

- Vulnerability Description

- Timeline

2001-12-18 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Multiple Vendor Radius Short Vendor-Length Field Denial Of Service Vulnerability
Design Error 4230
Yes No
2002-03-04 12:00:00 2009-07-11 10:56:00
This vulnerability discovery credited to 3APA3A <3APA3A@SECURITY.NNOV.RU>.

- Affected Program Versions

Yard RADIUS Yard RADIUS 1.0.19
Yard RADIUS Yard RADIUS 1.0.18
Yard RADIUS Yard RADIUS 1.0.17
Yard RADIUS Yard RADIUS 1.0.16
XTRadius XTRadius 1.2.1 beta
XTRadius XTRadius 1.1 -pre2
XTRadius XTRadius 1.1 -pre1
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Server 6.5
Turbolinux Turbolinux Server 6.1
Turbolinux Turbolinux Advanced Server 6.0
OpenRADIUS OpenRADIUS 0.9.3
OpenRADIUS OpenRADIUS 0.9.2
OpenRADIUS OpenRADIUS 0.9.1
OpenRADIUS OpenRADIUS 0.9
OpenRADIUS OpenRADIUS 0.8
Miquel van Smoorenburg Cistron Radius 1.6.5
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 4.1.1
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 alpha
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
Miquel van Smoorenburg Cistron Radius 1.6.4
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
Miquel van Smoorenburg Cistron Radius 1.6.3
+ Conectiva Linux 7.0
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
Miquel van Smoorenburg Cistron Radius 1.6.2
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
Miquel van Smoorenburg Cistron Radius 1.6.1
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
Miquel van Smoorenburg Cistron Radius 1.6 .0
Lucent RADIUS 2.1
Lucent RADIUS 2.0 1
Lucent RADIUS 2.0
ICRadius ICRADIUS 0.18.1
ICRadius ICRADIUS 0.18
ICRadius ICRADIUS 0.17 b
ICRadius ICRADIUS 0.17
ICRadius ICRADIUS 0.16
ICRadius ICRADIUS 0.15
ICRadius ICRADIUS 0.14
- Larry Wall Perl 5.0 05
- Larry Wall Perl 5.0 05
- Larry Wall Perl 5.0 05
- MySQL AB MySQL 3.23.10
GNU Radius 0.95
GNU Radius 0.94
GNU Radius 0.93
GNU Radius 0.92.1
FreeRADIUS FreeRADIUS 0.3
FreeRADIUS FreeRADIUS 0.3
FreeRADIUS FreeRADIUS 0.2

- Unaffected Program Versions

Yard RADIUS Yard RADIUS 1.0.20
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
OpenRADIUS OpenRADIUS 0.9.4
Miquel van Smoorenburg Cistron Radius 1.6.6
+ Conectiva Linux 9.0
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 alpha
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
+ S.u.S.E. Linux 8.0
GNU Radius 0.96
FreeRADIUS FreeRADIUS 0.4

- Vulnerability Discussion

RADIUS is the Remote Authentication Dial In User Service specified in RFC 2865. The protocol has been developed and implemented by numerous vendors and is used on Microsoft Windows, Unix, and Linux operating systems.

A problem has been discovered in the handling of vendor-specific options. When a RADIUS packet is passed to a client or server, neither the client nor the server validates the contents of the vendor-length field. When a RADIUS packet with a vendor-length of less than 2 is received, the value of the vendor-length field is interpreted as a negative number. This number may be passed to other functions of the RADIUS server or client, resulting in unpredictable behaviour and a likely crash of the server or client.
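The validation the discussion above (and the CNNVD description) says was missing, as an added example in C; this is not code from any of the listed RADIUS implementations. It walks the sub-attributes of a Vendor-Specific attribute per RFC 2865 and rejects a Vendor-Length below 2 or one that overruns the attribute, next to the unchecked signed computation that goes negative. The sample attribute bytes and the Vendor-Id are constructed placeholders.

```c
#include <stdint.h>
#include <stddef.h>

/* Unchecked data-length computation of the kind the advisory describes:
 * Vendor-Length counts the Vendor-Type and Vendor-Length octets themselves,
 * so a value below 2 yields a negative "payload size" in signed arithmetic. */
int unchecked_vsa_data_len(uint8_t vendor_length)
{
    return (int)vendor_length - 2;   /* vendor_length == 1 gives -1 */
}

/* Hardened check. attr points at the Type octet of a Vendor-Specific attribute
 * (Type 26, RFC 2865 section 5.26); attr_len is the number of octets available.
 * Returns the number of vendor sub-attributes, or -1 if the attribute is malformed. */
int vsa_validate(const uint8_t *attr, size_t attr_len)
{
    /* Type(1) Length(1) Vendor-Id(4) must all be present. */
    if (attr_len < 6 || attr[0] != 26)
        return -1;
    size_t len = attr[1];                       /* Length covers Type through data */
    if (len < 6 || len > attr_len)
        return -1;

    const uint8_t *p = attr + 6, *end = attr + len;
    int count = 0;
    while (p < end) {
        if ((size_t)(end - p) < 2)              /* need Vendor-Type and Vendor-Length */
            return -1;
        size_t vlen = p[1];
        /* The missing check: Vendor-Length below 2 is invalid, and the
         * sub-attribute must not run past the enclosing attribute. */
        if (vlen < 2 || vlen > (size_t)(end - p))
            return -1;
        p += vlen;
        count++;
    }
    return count;
}

/* Constructed sample attributes (Vendor-Id 1 is a placeholder, not a real vendor). */
const uint8_t good_vsa[] = {
    26, 15, 0, 0, 0, 1,             /* Type 26, Length 15, Vendor-Id */
    1, 5, 'a', 'b', 'c',            /* sub-attribute 1: Vendor-Length 5, 3 data octets */
    2, 4, 'x', 'y'                  /* sub-attribute 2: Vendor-Length 4, 2 data octets */
};
const uint8_t bad_vsa[] = {
    26, 8, 0, 0, 0, 1,
    1, 1                            /* Vendor-Length 1: the condition this CVE describes */
};
```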

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

TurboLinux has released a security advisory (TLSA-2003-32) containing fixes to address this issue. Users are advised to upgrade using the turbopkg tool.

Vendor fixes available:

FreeRADIUS FreeRADIUS 0.2
FreeRADIUS FreeRADIUS 0.3
FreeRADIUS FreeRADIUS 0.3
OpenRADIUS OpenRADIUS 0.8
OpenRADIUS OpenRADIUS 0.9
OpenRADIUS OpenRADIUS 0.9.1
OpenRADIUS OpenRADIUS 0.9.2
OpenRADIUS OpenRADIUS 0.9.3
GNU Radius 0.92.1
GNU Radius 0.93
GNU Radius 0.94
GNU Radius 0.95
Yard RADIUS Yard RADIUS 1.0.16
Yard RADIUS Yard RADIUS 1.0.17
Yard RADIUS Yard RADIUS 1.0.18
Yard RADIUS Yard RADIUS 1.0.19
XTRadius XTRadius 1.1 -pre2
XTRadius XTRadius 1.1 -pre1
Miquel van Smoorenburg Cistron Radius 1.6 .0
Miquel van Smoorenburg Cistron Radius 1.6.1
Miquel van Smoorenburg Cistron Radius 1.6.2
Miquel van Smoorenburg Cistron Radius 1.6.3
Miquel van Smoorenburg Cistron Radius 1.6.4
Miquel van Smoorenburg Cistron Radius 1.6.5

- References


About the SCAP Chinese Community

The SCAP Chinese Community (SCAP中文社区) is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site]

Copyright Notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's websites