Hi,
CERT has just released an advisory about vulnerabilities in RADIUS servers and
clients when handling certain malformed packets ("digest calculation buffer
overflow" and "no validation for the vendor-length of vendor-specific
attributes"). An attacker can cause a denial of service on the RADIUS server
and can even execute code if he knows the shared secret key.
Affected are:
* Ascend RADIUS versions 1.16 and prior
* Cistron RADIUS versions 1.6.5 and prior
* FreeRADIUS versions 0.3 and prior
* GnuRADIUS versions 0.95 and prior
* ICRADIUS versions 0.18.1 and prior
* Livingston RADIUS versions 2.1 and earlier
* RADIUS (previously known as Lucent RADIUS) versions 2.1 and prior
* RADIUSClient versions 0.3.1 and prior
* XTRADIUS 1.1-pre1 and prior
* YARD RADIUS 1.0.19 and prior
The RADIUS packages distributed with FreeBSD 4.5-RELEASE are vulnerable.
References:
1. http://www.kb.cert.org/vuls/id/589523
2. http://www.kb.cert.org/vuls/id/936683
3. http://www.security.nnov.ru/advisories/radius.asp
4. http://www.untruth.org/~josh/security/radius
5. http://www.securityfocus.com/bid/3530
CERT advisory:
http://www.cert.org/advisories/CA-2002-06.html
Adrian Penisoara
Ady (@rofug.ro)
Founder of ROFUG
___________________________________________________________________
Send 'unsubscribe rofug-announce' to [EMAIL PROTECTED] to unsubscribe
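As an added example (not part of the original message or of any of the RADIUS implementations listed above), this is the kind of bounds check the advisory refers to: a C routine that walks a RADIUS attribute list and rejects any attribute, or any vendor sub-attribute inside a Vendor-Specific attribute, whose length field runs past the buffer. It assumes the RFC 2865 recommended Vendor-Type/Vendor-Length sub-attribute layout; the sample attribute bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#define RADIUS_ATTR_VSA 26   /* Vendor-Specific attribute, RFC 2865 5.26 */

/* Return 1 if every attribute (and every vendor sub-attribute inside a VSA
 * in the RFC 2865 recommended Vendor-Type/Vendor-Length layout) has a length
 * that stays inside the buffer, else 0. attrs points just past the 20-byte
 * RADIUS header; len is the attribute area size taken from the packet. */
int radius_attrs_valid(const uint8_t *attrs, size_t len)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 2)                 /* room for Type and Length? */
            return 0;
        uint8_t type = attrs[off], alen = attrs[off + 1];
        if (alen < 2 || alen > len - off)  /* RFC 2865: Length >= 2 */
            return 0;
        if (type == RADIUS_ATTR_VSA) {
            if (alen < 8)                  /* Vendor-Id + one sub-header */
                return 0;
            size_t voff = off + 6, vend = off + alen;
            while (voff < vend) {
                if (vend - voff < 2)
                    return 0;
                uint8_t vlen = attrs[voff + 1];
                /* The check the advisory says was missing: Vendor-Length
                 * must be >= 2 and must not run past the enclosing VSA. */
                if (vlen < 2 || vlen > vend - voff)
                    return 0;
                voff += vlen;
            }
        }
        off += alen;
    }
    return 1;
}
/* Constructed sample: User-Name "user" followed by a VSA (vendor id 1,
 * Vendor-Type 1, Vendor-Length 6, data "abcd"). */
static const uint8_t good_attrs[] = {
    0x01, 0x06, 'u', 's', 'e', 'r',
    0x1a, 0x0c, 0x00, 0x00, 0x00, 0x01, 0x01, 0x06, 'a', 'b', 'c', 'd' };
/* Same VSA, but Vendor-Length claims 255 bytes, far past the attribute. */
static const uint8_t bad_attrs[] = {
    0x01, 0x06, 'u', 's', 'e', 'r',
    0x1a, 0x0c, 0x00, 0x00, 0x00, 0x01, 0x01, 0xff, 'a', 'b', 'c', 'd' };
int main(void)
{
    printf("good: %d\n", radius_attrs_valid(good_attrs, sizeof good_attrs));
    printf("bad:  %d\n", radius_attrs_valid(bad_attrs, sizeof bad_attrs));
    return 0;
}
```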