ID CVE-2009-3111
Summary The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes, as demonstrated by a certain module in VulnDisco Pack Professional 7.6 through 8.11. NOTE: this is a regression error related to CVE-2003-0967.
References
Vulnerable Configurations
  • FreeRADIUS 0.9.1
    cpe:2.3:a:freeradius:freeradius:0.9.1
  • FreeRADIUS 0.9.2
    cpe:2.3:a:freeradius:freeradius:0.9.2
  • FreeRADIUS 0.2
    cpe:2.3:a:freeradius:freeradius:0.2
  • FreeRADIUS 0.4
    cpe:2.3:a:freeradius:freeradius:0.4
  • FreeRADIUS 0.3
    cpe:2.3:a:freeradius:freeradius:0.3
  • FreeRADIUS 0.8
    cpe:2.3:a:freeradius:freeradius:0.8
  • FreeRADIUS 0.5
    cpe:2.3:a:freeradius:freeradius:0.5
  • FreeRADIUS 0.9
    cpe:2.3:a:freeradius:freeradius:0.9
  • FreeRADIUS 0.8.1
    cpe:2.3:a:freeradius:freeradius:0.8.1
  • FreeRADIUS 0.9.3
    cpe:2.3:a:freeradius:freeradius:0.9.3
  • FreeRADIUS 1.0.0
    cpe:2.3:a:freeradius:freeradius:1.0.0
  • FreeRADIUS 1.0.3
    cpe:2.3:a:freeradius:freeradius:1.0.3
  • FreeRADIUS 1.0.4
    cpe:2.3:a:freeradius:freeradius:1.0.4
  • FreeRADIUS 1.0.1
    cpe:2.3:a:freeradius:freeradius:1.0.1
  • FreeRADIUS 1.1.3
    cpe:2.3:a:freeradius:freeradius:1.1.3
  • FreeRADIUS 1.1.5
    cpe:2.3:a:freeradius:freeradius:1.1.5
  • FreeRADIUS 1.0.5
    cpe:2.3:a:freeradius:freeradius:1.0.5
  • FreeRADIUS 1.1.0
    cpe:2.3:a:freeradius:freeradius:1.1.0
  • FreeRADIUS 1.1.6
    cpe:2.3:a:freeradius:freeradius:1.1.6
  • FreeRADIUS 1.1.7
    cpe:2.3:a:freeradius:freeradius:1.1.7
  • FreeRADIUS 1.0.2
    cpe:2.3:a:freeradius:freeradius:1.0.2
CVSS
Base: 5.0 (as of 10-09-2009 - 09:00)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality NONE
  • Integrity NONE
  • Availability PARTIAL
exploit-db via4
description FreeRadius < 1.1.8 Zero-length Tunnel-Password DoS Exploit (CVE-2009-3111). CVE-2009-3111. DoS exploits for multiple platforms
id EDB-ID:9642
last seen 2016-02-01
modified 2009-09-11
published 2009-09-11
reporter Matthew Gillespie
source https://www.exploit-db.com/download/9642/
title FreeRadius < 1.1.8 - Zero-length Tunnel-Password DoS Exploit
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2009-006.NASL
    description The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2009-006 applied. This security update contains fixes for the following products: AFP Client, Adaptive Firewall, Apache, Apache Portable Runtime, ATS, Certificate Assistant, CoreGraphics, CUPS, Dictionary, DirectoryService, Disk Images, Event Monitor, fetchmail, FTP Server, Help Viewer, International Components for Unicode, IOKit, IPSec, libsecurity, libxml, OpenLDAP, OpenSSH, PHP, QuickDraw Manager, QuickLook, FreeRADIUS, Screen Sharing, Spotlight, Subversion.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 42433
    published 2009-11-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42433
    title Mac OS X Multiple Vulnerabilities (Security Update 2009-006)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FREERADIUS-6528.NASL
    description This update of freeradius fixes a remote denial-of-service bug in function rad_decode() which can be triggered by zero-length Tunnel-Password attributes to make radiusd crash. (CVE-2009-3111)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 49853
    published 2010-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49853
    title SuSE 10 Security Update : freeradius (ZYPP Patch Number 6528)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-832-1.NASL
    description It was discovered that FreeRADIUS did not correctly handle certain malformed attributes. A remote attacker could exploit this flaw and cause the FreeRADIUS server to crash, resulting in a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 41006
    published 2009-09-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41006
    title Ubuntu 8.04 LTS : freeradius vulnerability (USN-832-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FREERADIUS-6499.NASL
    description This update of freeradius fixes a remote denial-of-service bug in function rad_decode() which can be triggered by zero-length Tunnel-Password attributes to make radiusd crash. (CVE-2009-3111)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 41966
    published 2009-10-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41966
    title SuSE 10 Security Update : freeradius (ZYPP Patch Number 6499)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FREERADIUS-6496.NASL
    description This update of freeradius fixes a remote denial-of-service bug in function rad_decode() which can be triggered by zero-length Tunnel-Password attributes to make radiusd crash. (CVE-2009-3111)
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 42049
    published 2009-10-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42049
    title openSUSE 10 Security Update : freeradius (freeradius-6496)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-227.NASL
    description A vulnerability has been found and corrected in freeradius : The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes. NOTE: this is a regression error related to CVE-2003-0967 (CVE-2009-3111). This update provides a solution to this vulnerability. Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 43851
    published 2010-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43851
    title Mandriva Linux Security Advisory : freeradius (MDVSA-2009:227-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1451.NASL
    description From Red Hat Security Advisory 2009:1451 : Updated freeradius packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network. An input validation flaw was discovered in the way FreeRADIUS decoded specific RADIUS attributes from RADIUS packets. A remote attacker could use this flaw to crash the RADIUS daemon (radiusd) via a specially crafted RADIUS packet. (CVE-2009-3111) Users of FreeRADIUS are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, radiusd will be restarted automatically.
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 67926
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67926
    title Oracle Linux 5 : freeradius (ELSA-2009-1451)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090917_FREERADIUS_ON_SL5_X.NASL
    description CVE-2009-3111 FreeRADIUS: Missing check for Tunnel-Password attributes with zero length (DoS) -- re-appearance of CVE-2003-0967. An input validation flaw was discovered in the way FreeRADIUS decoded specific RADIUS attributes from RADIUS packets. A remote attacker could use this flaw to crash the RADIUS daemon (radiusd) via a specially crafted RADIUS packet. (CVE-2009-3111) After installing the update, radiusd will be restarted automatically.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60666
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60666
    title Scientific Linux Security Update : freeradius on SL5.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1451.NASL
    description Updated freeradius packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network. An input validation flaw was discovered in the way FreeRADIUS decoded specific RADIUS attributes from RADIUS packets. A remote attacker could use this flaw to crash the RADIUS daemon (radiusd) via a specially crafted RADIUS packet. (CVE-2009-3111) Users of FreeRADIUS are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, radiusd will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 41008
    published 2009-09-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41008
    title RHEL 5 : freeradius (RHSA-2009:1451)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1451.NASL
    description Updated freeradius packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network. An input validation flaw was discovered in the way FreeRADIUS decoded specific RADIUS attributes from RADIUS packets. A remote attacker could use this flaw to crash the RADIUS daemon (radiusd) via a specially crafted RADIUS packet. (CVE-2009-3111) Users of FreeRADIUS are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, radiusd will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43791
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43791
    title CentOS 5 : freeradius (CESA-2009:1451)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12507.NASL
    description This update of freeradius fixes a remote denial-of-service bug in function rad_decode() which can be triggered by zero-length Tunnel-Password attributes to make radiusd crash. (CVE-2009-3111)
    last seen 2019-02-21
    modified 2012-04-23
    plugin id 41964
    published 2009-10-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41964
    title SuSE9 Security Update : freeradius (YOU Patch Number 12507)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_1B3F854BE4BD11DEB276000D8787E1BE.NASL
    description freeRADIUS Vulnerability Notifications reports : 2009.09.09 v1.1.7 - Anyone who can send packets to the server can crash it by sending a Tunnel-Password attribute in an Access-Request packet. This vulnerability is not otherwise exploitable. We have released 1.1.8 to correct this vulnerability. This issue is similar to the previous Tunnel-Password issue noted below. The vulnerable versions are 1.1.3 through 1.1.7. Version 2.x is not affected.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 43161
    published 2009-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43161
    title FreeBSD : freeradius -- remote packet of death vulnerability (1b3f854b-e4bd-11de-b276-000d8787e1be)
oval via4
accepted 2013-04-29T04:23:19.277-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes, as demonstrated by a certain module in VulnDisco Pack Professional 7.6 through 8.11. NOTE: this is a regression error related to CVE-2003-0967.
family unix
id oval:org.mitre.oval:def:9919
status accepted
submitted 2010-07-09T03:56:16-04:00
title The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes, as demonstrated by a certain module in VulnDisco Pack Professional 7.6 through 8.11. NOTE: this is a regression error related to CVE-2003-0967.
version 18
packetstorm via4
data source https://packetstormsecurity.com/files/download/81198/freeradius-dos.txt
id PACKETSTORM:81198
last seen 2016-12-05
published 2009-09-11
reporter Matthew Gillespie
source https://packetstormsecurity.com/files/81198/FreeRadius-Packet-Of-Death.html
title FreeRadius Packet Of Death
redhat via4
advisories
bugzilla
id 521912
title CVE-2009-3111 FreeRADIUS: Missing check for Tunnel-Password attributes with zero length (DoS) -- re-appearance of CVE-2003-0967
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhsa:tst:20070055001
  • OR
    • AND
      • comment freeradius is earlier than 0:1.1.3-1.5.el5_4
        oval oval:com.redhat.rhsa:tst:20091451002
      • comment freeradius is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070338014
    • AND
      • comment freeradius-mysql is earlier than 0:1.1.3-1.5.el5_4
        oval oval:com.redhat.rhsa:tst:20091451004
      • comment freeradius-mysql is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070338016
    • AND
      • comment freeradius-postgresql is earlier than 0:1.1.3-1.5.el5_4
        oval oval:com.redhat.rhsa:tst:20091451006
      • comment freeradius-postgresql is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070338020
    • AND
      • comment freeradius-unixODBC is earlier than 0:1.1.3-1.5.el5_4
        oval oval:com.redhat.rhsa:tst:20091451008
      • comment freeradius-unixODBC is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070338018
rhsa
id RHSA-2009:1451
released 2009-09-17
severity Moderate
title RHSA-2009:1451: freeradius security update (Moderate)
rpms
  • freeradius-0:1.1.3-1.5.el5_4
  • freeradius-mysql-0:1.1.3-1.5.el5_4
  • freeradius-postgresql-0:1.1.3-1.5.el5_4
  • freeradius-unixODBC-0:1.1.3-1.5.el5_4
refmap via4
apple APPLE-SA-2009-11-09-1
bid 36263
confirm
misc http://intevydis.com/vd-list.shtml
mlist
  • [freeradius-users] 20090909 Version 1.1.8 has been released
  • [oss-security] 20090909 CVE Request -- FreeRADIUS 1.1.8
secunia 36509
suse
  • SUSE-SR:2009:016
  • SUSE-SR:2009:018
vupen ADV-2009-3184
Last major update 21-08-2010 - 01:35
Published 09-09-2009 - 14:30
Last modified 18-09-2017 - 21:29