Remote DoS in FreeRADIUS, all versions.
From: Alan DeKok (aland_at_freeradius.org)
To: email@example.com Date: Thu, 20 Nov 2003 15:03:30 -0500
Application: FreeRADIUS, all versions (http://www.freeradius.org)
A remote DoS, and possibly exploit, exists in all versions of the
FreeRADIUS server. All users should upgrade to the latest version, as
soon as it is officially release. For later announcements, see:
FreeRADIUS is a RADIUS authentication server, hosted at
The users help list had a post this morning from someone claiming to
be Evgeny Legerov <firstname.lastname@example.org>, about a bug in all
versions of the server.
He made no attempt to give the developers time to respond, and issue
a fix. He simply posted to the users list because that was the first
email address associated with the server that he stumbled across. He
made no attempt to contact the developers privately, whose contact
information litters the mailing lists, code, and documentation. He
made no attempt to submit the bug to 'email@example.com', as
requested in the server documentation. He made no attempt to contact
When we responded, and declined to coordinate future notifications
about the vulnerability (due to his lack of prior notification), he
threatened to widely publish the vulnerability, and to include exploit
code (which was not in the original post.)
We do not respond well to blackmail.
We are posting our response here before releasing an updated version
of the server, as the original notification is publicly available.
A RADIUS attribute which has a 'tag' (RFC 2868), and is of type
'string', and which is 2-3 octets long, may cause the server to call
'memcpy' with a length argument of '-1'.
The ~256 bytes of packet contents following the RADIUS attribute are
copied to the current structure on the heap, and any additional packet
contents which are copied will result in over-writing the heap. Since
RADIUS packets may only be 4k in length, after header overhead, the
attacker has about 3.5K of data to use in an attack.
The malformed packet MUST originate from an IP address listed as a
RADIUS client in the servers configuration. However, as RADIUS does
not require packet signatures, any machine on the net may send a
fraudulent UDP packet to the RADIUS server, and cause the DoS.
The reader is reminded that where possible, a RADIUS server SHOULD
be placed on a private network, with firewall rules to prevent unknown
machines from monitoring the RADIUS packet exchange, or from sending
packets to the server.
The original post claimed that the vulnerability applied only to the
Tunnel-Password attribute. That claim was false. Any 'string'
attribute containing a 'tag' could be used in the attack.
On additional investigation, the FreeRADIUS developers discovered
that any Access-Request packet containing a Tunnel-Password attribute
could cause the server to immediately crash, due to dereferencing a
The code is fixed in the current CVS archive of the server. A new
version will be released in a day or so. See the web site for
FreeRADIUS Project Leader