ISS warns of security flaw in RADIUS servers

Internet Security Systems Inc. has spotted what's believed to be the first known buffer-overflow vulnerability associated with remote-access servers, which could allow a hacker to gain control of an ISP's network.

The flaw is linked to the remote-access servers used by ISPs to authenticate users logging on to gain access to Internet services.

Hackers craft all kinds of buffer-overflow exploits as strings of commands that can be used to try to gain control of a server that does not subject the attack strings to bounds checking before they reach its buffer. Web and application servers, in particular, are well-known buffer-overflow targets, but security software firm ISS has discovered that some RADIUS-based remote-access servers are vulnerable to this type of attack as well.

RADIUS, which stands for Remote Authentication Dial-In User Server, is an Internet Engineering Task Force (IETF) remote-access server standard for managing multi-user names and passwords in addition to maintaining account logs for a network.

The Lucent Technologies Inc. RADIUS server and the Merit RADIUS server can both be compromised by buffer-overflow attacks, according to Chris Rouland, director at X-Force, an ISS division that issues advisories on newly discovered security problems.

"The danger here is that a hacker could compromise the ISP's RADIUS server and steal the account passwords and compromise the internal network of the ISP," Rouland said. He emphasized that ISS did not publish the actual command-string exploit that could be used to compromise Lucent and Merit RADIUS Servers.

Lucent RADIUS Server is no longer maintained by Lucent. However, ISS worked with VA Linux Systems Inc., which maintains the package, to develop a patch for the buffer-overflow vulnerability spotted by ISS.

Merit has also made a patch to remedy the buffer-overflow vulnerability in Merit 3.6b RADIUS. ISS urged ISPs to upgrade their RADIUS Servers and warned that earlier versions of both RADIUS products may be affected, too.

Rouland added that the Lucent and Merit RADIUS Servers are typically used by smaller ISPs, which probably have about 30 percent of all the Internet's dial-in ports, while the larger ISPs, which account for approximately 70 percent of dial-in ports, tend to use different remote-access products.

ISS discovered the problems with the Lucent and Merit RADIUS Servers while researching security vulnerabilities in 802.11b wireless LANs, where RADIUS can be used to supplement what ISS views as the weak security measures in the wireless LAN standard.

The buffer-overflow exploit, which is "pretty simple," according to Rouland, may affect other vendor brands of RADIUS Servers that aren't being tested by ISS at the moment.
