FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Missing message validation in libradius(3)

Affected packages
13.0 <= FreeBSD < 13.0_1
12.2 <= FreeBSD < 12.2_7
11.4 <= FreeBSD < 11.4_10

Details

VuXML ID 107c7a76-beaa-11eb-b87a-901b0ef719ab
Discovery 2021-05-27
Entry 2021-05-27

Problem Description:

libradius did not perform sufficient validation of received messages.

rad_get_attr(3) did not verify that the attribute length is valid before subtracting the length of the Type and Length fields. As a result, it could return success while also providing a bogus length of SIZE_T_MAX - 2 for the Value field.

When processing attributes to find an optional authenticator, is_valid_response() failed to verify that each attribute length is non-zero and could thus enter an infinite loop.

Impact:

A server may use libradius(3) to process messages from RADIUS clients. In this case, a malicious client could trigger a denial-of-service in the server. A client using libradius(3) to process messages from a server is susceptible to the same problem.

The impact of the rad_get_attr(3) bug depends on how the returned length is validated and used by the consumer. It is possible that libradius(3) applications will crash or enter an infinite loop when calling rad_get_attr(3) on untrusted RADIUS messages.

References

CVE Name CVE-2021-29629
FreeBSD Advisory SA-21:12.libradius