CVE-2004-0849
CVSS 5.0
Published: 2004-12-23 00:00:00
Revised: 2008-09-05 16:39:36
NMCOPS    

[Original] Integer overflow in the asn_decode_string() function defined in asn1.c in radiusd for GNU Radius 1.1 and 1.2 before 1.2.94, when compiled with the --enable-snmp option, allows remote attackers to cause a denial of service (daemon crash) via certain SNMP requests.


[CNNVD] GNU Radius SNMP String Length Integer Overflow Denial of Service Vulnerability (CNNVD-200412-110)

GNU Radius is an open-source remote user authentication and accounting server.
The asn_decode_string() function in GNU Radius contains an integer overflow; a remote attacker can exploit it to mount a denial-of-service attack.
The problem lies in the asn_decode_string() function in snmplib/asn1.c: when a very large unsigned value is submitted, an integer overflow occurs in the bounds-checking code, the daemon then references unallocated memory, and the resulting access violation causes a denial of service.
The vulnerability exists only when radiusd is compiled with the --enable-snmp option; the default build does not support SNMP.
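The overflow pattern the description refers to, as an added illustration: this is not GNU Radius's asn_decode_string() and is not taken from the advisory. It is a constructed, simplified decoder for a BER OCTET STRING header that places the additive bounds check (which wraps when the attacker-controlled length is huge) beside the subtractive check that cannot wrap. The three sample messages, the function names (ber_read_length, body_fits_unsafe, body_fits_safe, decode_octet_string, verdict) and the use of 32-bit offset arithmetic are all assumptions made for the demonstration. The code never reads the string body, so the unsafe verdict is reported as a return value rather than dereferenced.

```c
/* Added illustration (not GNU Radius code): an additive bounds check on an
 * attacker-supplied ASN.1/BER length wraps modulo 2^32, while a subtractive
 * check against the remaining space does not. Offsets are kept in uint32_t
 * so the wraparound reproduces identically on any host. */
#include <stdint.h>
#include <stdio.h>

#define BER_OCTET_STRING 0x04

/* Constructed sample messages (not real captures). */
static const uint8_t SAMPLE_OK[]   = {0x04, 0x05, 'h', 'e', 'l', 'l', 'o'}; /* OCTET STRING "hello"   */
static const uint8_t SAMPLE_LONG[] = {0x04, 0x10, 'a', 'b', 'c'};           /* claims 16 bytes, has 3 */
static const uint8_t SAMPLE_WRAP[] = {0x04, 0x84, 0xff, 0xff, 0xff, 0xff};  /* length 0xffffffff      */

/* Read a BER definite-form length (short form, or long form with up to four
 * length octets). Returns 0 and advances *off on success, -1 if malformed. */
static int ber_read_length(const uint8_t *buf, uint32_t buflen, uint32_t *off, uint32_t *len)
{
    if (*off >= buflen) return -1;
    uint8_t b = buf[(*off)++];
    if (b < 0x80) { *len = b; return 0; }          /* short form */
    unsigned n = b & 0x7f;
    if (n == 0 || n > 4 || buflen - *off < n) return -1; /* indefinite, oversize or truncated */
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) v = (v << 8) | buf[(*off)++];
    *len = v;
    return 0;
}

/* Flawed pattern: off + len wraps modulo 2^32 when len is huge, so the
 * comparison passes and a caller would read past the buffer. */
int body_fits_unsafe(uint32_t off, uint32_t len, uint32_t buflen)
{
    return off + len <= buflen;
}

/* Safe pattern: compare against the space that remains. off has already been
 * validated to be <= buflen, so buflen - off cannot underflow, and no
 * attacker-controlled addition is performed at all. */
int body_fits_safe(uint32_t off, uint32_t len, uint32_t buflen)
{
    return len <= buflen - off;
}

/* Decode the OCTET STRING header at the start of buf and apply the selected
 * bounds check. Returns 1 if the body is accepted as in-bounds, 0 if rejected,
 * -1 if the header itself is malformed. The body is never touched. */
int decode_octet_string(const uint8_t *buf, uint32_t buflen, int use_safe_check,
                        uint32_t *body_off, uint32_t *body_len)
{
    uint32_t off = 0, len = 0;
    if (buflen < 2 || buf[off++] != BER_OCTET_STRING) return -1;
    if (ber_read_length(buf, buflen, &off, &len) != 0) return -1;
    int fits = use_safe_check ? body_fits_safe(off, len, buflen)
                              : body_fits_unsafe(off, len, buflen);
    if (!fits) return 0;
    *body_off = off;
    *body_len = len;
    return 1;
}

/* Convenience wrapper that returns only the verdict. */
int verdict(const uint8_t *buf, uint32_t buflen, int use_safe_check)
{
    uint32_t o = 0, l = 0;
    return decode_octet_string(buf, buflen, use_safe_check, &o, &l);
}

int main(void)
{
    printf("benign   unsafe=%d safe=%d\n", verdict(SAMPLE_OK,   sizeof SAMPLE_OK,   0), verdict(SAMPLE_OK,   sizeof SAMPLE_OK,   1));
    printf("too long unsafe=%d safe=%d\n", verdict(SAMPLE_LONG, sizeof SAMPLE_LONG, 0), verdict(SAMPLE_LONG, sizeof SAMPLE_LONG, 1));
    printf("wrap     unsafe=%d safe=%d\n", verdict(SAMPLE_WRAP, sizeof SAMPLE_WRAP, 0), verdict(SAMPLE_WRAP, sizeof SAMPLE_WRAP, 1));
    return 0;
}
```

The plain oversize message is rejected by both checks, which is why this bug class survives casual testing; only the wrapped length (6 + 0xffffffff wraps to 5, which is less than the 6-byte buffer) slips past the additive form. The subtractive form is the general fix for any length-versus-remaining-space check, and it also removes the dependence on pointer width that makes such bugs differ between 32-bit and 64-bit builds.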

- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)

cpe:/a:gnu:radius:0.93      GNU Radius 0.93
cpe:/a:gnu:radius:0.94      GNU Radius 0.94
cpe:/a:gnu:radius:0.96      GNU Radius 0.96
cpe:/a:gnu:radius:1.1       GNU Radius 1.1
cpe:/a:gnu:radius:0.95      GNU Radius 0.95
cpe:/a:gnu:radius:1.2       GNU Radius 1.2
cpe:/a:gnu:radius:0.92.1    GNU Radius 0.92.1

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0849
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0849
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-110
(official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/xforce/xfdb/17391
(VENDOR_ADVISORY)  XF  radius-asndecodestring-bo(17391)
http://www.idefense.com/application/poi/display?id=141&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20040915 GNU Radius SNMP String Length Integer Overflow Denial of Service Vulnerability
http://lists.gnu.org/archive/html/info-gnu-radius/2004-09/msg00000.html
(VENDOR_ADVISORY)  MLIST  [Info-gnu-radius] 20040915 GNU Radius 1.2.94.

- Vulnerability Information

GNU Radius SNMP String Length Integer Overflow Denial of Service Vulnerability
Severity: Medium    Type: Boundary condition error
Published: 2004-12-23 00:00:00    Updated: 2005-10-20 00:00:00
Remote

- Advisories and Patches

Vendor patch:
GNU
---
The vendor has released an upgrade that fixes this security issue; download it from the vendor's home page and upgrade to GNU Radius 1.2.94:

http://www.gnu.org/software/radius/radius.html

- Vulnerability Information (F34383)

iDEFENSE Security Advisory 2004-09-15.t (PacketStormID:F34383)
2004-09-17 00:00:00
iDefense Labs  idefense.com
advisory,remote,denial of service,overflow
CVE-2004-0849

iDEFENSE Security Advisory 09.15.04 - Remote exploitation of an input validation error in version 1.2 of GNU radiusd could allow a denial of service. The vulnerability specifically exists within the asn_decode_string() function defined in snmplib/asn1.c. When a very large unsigned number is supplied, it is possible that an integer overflow will occur in the bounds-checking code. The daemon will then attempt to reference unallocated memory, resulting in an access violation that causes the process to terminate.

GNU Radius SNMP String Length Integer Overflow Denial of Service
Vulnerability

iDEFENSE Security Advisory 09.15.04
www.idefense.com/application/poi/display?id=141&type=vulnerabilities
September 15, 2004

I. BACKGROUND

Radius is used for remote user authentication and accounting.

For more information see:

   http://www.gnu.org/software/radius/radius.html

II. DESCRIPTION

Remote exploitation of an input validation error in version 1.2 of GNU
radiusd could allow a denial of service.

The vulnerability specifically exists within the asn_decode_string()
function defined in snmplib/asn1.c. When a very large unsigned number is
supplied, it is possible that an integer overflow will occur in the
bounds-checking code. The daemon will then attempt to reference
unallocated memory, resulting in an access violation that causes the
process to terminate.

III. ANALYSIS

Successful exploitation allows unauthenticated remote attackers to cause
the radius daemon (radiusd) to crash. This thereby prevents legitimate
users from accessing systems reliant upon the affected radius server for
authentication. This vulnerability does not seem to allow for execution
of code; it is a denial of service condition only. Exploitation requires
that radiusd be compiled with the --enable-snmp option. SNMP support is
not enabled in the default compile.

IV. DETECTION

iDEFENSE has confirmed that GNU Radius 1.1 and 1.2 are vulnerable, if
configured with --enable-snmp at compile time.

V. WORKAROUND

Disable SNMP support when building radiusd at compile time. Ingress
filtering of UDP port 161 on all interfaces that should not be receiving
SNMP packets may lessen exposure to this vulnerability in affected
environments.

VI. VENDOR FIX

The issue has been addressed in maintenance release version number
1.2.94.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0849 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/10/2004   Initial vendor notification
09/10/2004   Initial vendor response
09/15/2004   Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
    

- Vulnerability Information

ID: 9992
GNU Radius asn_decode_string Overflow DoS
Classification: Denial of Service, Input Manipulation
Impact: Loss of Integrity, Loss of Availability    Solution: Upgrade
Vendor Verified

- Vulnerability Description

- Timeline

2004-09-15 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.2.94 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

GNU Radius SNMP String Length Remote Denial Of Service Vulnerability
Class: Boundary Condition Error    ID: 11198
Remote: Yes    Local: No
Published: 2004-09-15 12:00:00    Updated: 2009-07-12 07:06:00
The discoverer of this vulnerability wishes to remain anonymous.

- Affected Program Versions

GNU Radius 1.1
GNU Radius 0.96
GNU Radius 0.95
GNU Radius 0.94
GNU Radius 0.93
GNU Radius 0.92.1
GNU Radius 1.2

- Vulnerability Discussion

GNU Radius is reported prone to a remote integer overrun vulnerability. When GNU Radius handles SNMP string lengths that contain a large unsigned number, a memory access violation will occur; this will cause the affected service to crash.

A remote attacker may exploit this condition to cause the affected server to crash.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

It is reported that this vulnerability is addressed in the GNU Radius version 1.2.94 maintenance release. This download was not available at the time of writing, customers are advised to contact the vendor for further details regarding obtaining and applying an appropriate update.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Related References
