Vulnerabilities > CVE-2004-0961 - Attribute Decoding Denial Of Service vulnerability in FreeRADIUS

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
freeradius
redhat
nessus

Summary

Memory leak in FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (memory exhaustion) via a series of Access-Request packets with (1) Ascend-Send-Secret, (2) Ascend-Recv-Secret, or (3) Tunnel-Password attributes.

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200409-29.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200409-29 (FreeRADIUS: Multiple Denial of Service vulnerabilities) There are undisclosed defects in the way FreeRADIUS handles incorrect received packets. Impact : A remote attacker could send specially crafted packets to the FreeRADIUS server to deny service to other users by crashing the server. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id14797
    published2004-09-23
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/14797
    titleGLSA-200409-29 : FreeRADIUS: Multiple Denial of Service vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200409-29.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14797);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:41");
    
      script_cve_id("CVE-2004-0938", "CVE-2004-0960", "CVE-2004-0961");
      script_xref(name:"GLSA", value:"200409-29");
    
      script_name(english:"GLSA-200409-29 : FreeRADIUS: Multiple Denial of Service vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200409-29
    (FreeRADIUS: Multiple Denial of Service vulnerabilities)
    
        There are undisclosed defects in the way FreeRADIUS handles incorrect
        received packets.
      
    Impact :
    
        A remote attacker could send specially crafted packets to the
        FreeRADIUS server to deny service to other users by crashing the
        server.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      # http://www.freeradius.org/security.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://freeradius.org/security/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200409-29"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All FreeRADIUS users should upgrade to the latest version:
        # emerge sync
        # emerge -pv '>=net-dialup/freeradius-1.0.1'
        # emerge '>=net-dialup/freeradius-1.0.1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:freeradius");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/09/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-dialup/freeradius", unaffected:make_list("ge 1.0.1"), vulnerable:make_list("lt 1.0.1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "FreeRADIUS");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2004-609.NASL
    descriptionUpdated freeradius packages that fix a number of denial of service vulnerabilities as well as minor bugs are now available for Red Hat Enterprise Linux 3. FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A number of flaws were found in FreeRADIUS versions prior to 1.0.1. An attacker who is able to send packets to the server could construct carefully constructed packets in such a way as to cause the server to consume memory or crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0938, CVE-2004-0960, and CVE-2004-0961 to these issues. Users of FreeRADIUS should update to these erratum packages that contain FreeRADIUS 1.0.1, which is not vulnerable to these issues and also corrects a number of bugs.
    last seen2020-06-01
    modified2020-06-02
    plugin id15701
    published2004-11-13
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/15701
    titleRHEL 3 : freeradius (RHSA-2004:609)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2004:609. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15701);
      script_version ("1.23");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2004-0938", "CVE-2004-0960", "CVE-2004-0961");
      script_xref(name:"RHSA", value:"2004:609");
    
      script_name(english:"RHEL 3 : freeradius (RHSA-2004:609)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated freeradius packages that fix a number of denial of service
    vulnerabilities as well as minor bugs are now available for Red Hat
    Enterprise Linux 3.
    
    FreeRADIUS is a high-performance and highly configurable free RADIUS
    server designed to allow centralized authentication and authorization
    for a network.
    
    A number of flaws were found in FreeRADIUS versions prior to 1.0.1. An
    attacker who is able to send packets to the server could construct
    carefully constructed packets in such a way as to cause the server to
    consume memory or crash. The Common Vulnerabilities and Exposures
    project (cve.mitre.org) has assigned the names CVE-2004-0938,
    CVE-2004-0960, and CVE-2004-0961 to these issues.
    
    Users of FreeRADIUS should update to these erratum packages that
    contain FreeRADIUS 1.0.1, which is not vulnerable to these issues and
    also corrects a number of bugs."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0938"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0960"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0961"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2004:609"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected freeradius package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:freeradius");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/11/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/11/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2004:609";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL3", reference:"freeradius-1.0.1-1.RHEL3")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freeradius");
      }
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_20DFD1341D3911D99BE9000C6E8F12EF.NASL
    descriptionA remote attacker may be able to crash the freeRADIUS Server due to three independent bugs in the function which does improper checking values while processing RADIUS attributes.
    last seen2020-06-01
    modified2020-06-02
    plugin id18867
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18867
    titleFreeBSD : freeradius -- denial-of-service vulnerability (20dfd134-1d39-11d9-9be9-000c6e8f12ef)

Oval

accepted2013-04-29T04:00:33.974-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
descriptionMemory leak in FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (memory exhaustion) via a series of Access-Request packets with (1) Ascend-Send-Secret, (2) Ascend-Recv-Secret, or (3) Tunnel-Password attributes.
familyunix
idoval:org.mitre.oval:def:10024
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleMemory leak in FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (memory exhaustion) via a series of Access-Request packets with (1) Ascend-Send-Secret, (2) Ascend-Recv-Secret, or (3) Tunnel-Password attributes.
version26

Redhat

rpms
  • freeradius-0:1.0.1-1.RHEL3
  • freeradius-debuginfo-0:1.0.1-1.RHEL3