CVE-2003-0967
Published 2003-12-15
Priority P4 · 20 · medium · 5 · CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 4.64% (90.6th percentile)
rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute with a tag, which causes memcpy to be called with a -1 length argument, as demonstrated using the Tunnel-Password attribute.
Affected
32 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | freeradius | < freeradius 0.9.2-4 (bookworm) | freeradius 0.9.2-4 (bookworm) |
| debian | freeradius | < freeradius 2.0.0-1 (bookworm) | freeradius 2.0.0-1 (bookworm) |
| freeradius | freeradius | <= 1.1.7 | — |
| freeradius | freeradius | <= 0.9.2 | — |
| freeradius | freeradius | — | — |
| freeradius | freeradius | >= 0 < 0.9.2-4 | 0.9.2-4 |
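CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |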
Red Hat
FreeRADIUS: Missing check for Tunnel-Password attributes with zero length (DoS) -- re-appearance of CVE-2003-0967
vendor_redhat·2009-09-07·CVSS 5.0
CVE-2009-3111 [MEDIUM] FreeRADIUS: Missing check for Tunnel-Password attributes with zero length (DoS) -- re-appearance of CVE-2003-0967
The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes, as demonstrated by a certain module in VulnDisco Pack Professional 7.6 through 8.11. NOTE: this is a regression error related to CVE-2003-0967.
Debian
CVE-2009-3111: freeradius - The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to ca...
vendor_debian·2009·CVSS 5.0
CVE-2009-3111 [MEDIUM] CVE-2009-3111: freeradius - The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to ca...
The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes, as demonstrated by a certain module in VulnDisco Pack Professional 7.6 through 8.11. NOTE: this is a regression error related to CVE-2003-0967.
Scope: local
bookworm: resolved (fixed in 2.0.0-1)
bullseye: resolved (fixed in 2.0.0-1)
forky: resolved (fixed in 2.0.0-1)
sid: resolved (fixed in 2.0.0-1)
trixie: resolved (fixed in 2.0.0-1)
Red Hat
security flaw
vendor_redhat·2003-11-20·CVSS 5.0
CVE-2003-0967 [MEDIUM] security flaw
rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute with a tag, which causes memcpy to be called with a -1 length argument, as demonstrated using the Tunnel-Password attribute.
Debian
CVE-2003-0967: freeradius - rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a de...
vendor_debian·2003·CVSS 5.0
CVE-2003-0967 [MEDIUM] CVE-2003-0967: freeradius - rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a de...
rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute with a tag, which causes memcpy to be called with a -1 length argument, as demonstrated using the Tunnel-Password attribute.
Scope: local
bookworm: resolved (fixed in 0.9.2-4)
bullseye: resolved (fixed in 0.9.2-4)
forky: resolved (fixed in 0.9.2-4)
sid: resolved (fixed in 0.9.2-4)
trixie: resolved (fixed in 0.9.2-4)
GHSA
GHSA-q2fp-fcx5-hff3: The rad_decode function in FreeRADIUS before 1
ghsa_unreviewed·2022-05-02·CVSS 5.0
CVE-2009-3111 [MEDIUM] GHSA-q2fp-fcx5-hff3: The rad_decode function in FreeRADIUS before 1
The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes, as demonstrated by a certain module in VulnDisco Pack Professional 7.6 through 8.11. NOTE: this is a regression error related to CVE-2003-0967.
GHSA
GHSA-4j6g-2g2g-f47h: rad_decode in FreeRADIUS 0
ghsa_unreviewed·2022-04-29
CVE-2003-0967 [MEDIUM] GHSA-4j6g-2g2g-f47h: rad_decode in FreeRADIUS 0
rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute with a tag, which causes memcpy to be called with a -1 length argument, as demonstrated using the Tunnel-Password attribute.
OSV
CVE-2009-3111: The rad_decode function in FreeRADIUS before 1
osv·2009-09-09·CVSS 5.0
CVE-2009-3111 [MEDIUM] CVE-2009-3111: The rad_decode function in FreeRADIUS before 1
The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes, as demonstrated by a certain module in VulnDisco Pack Professional 7.6 through 8.11. NOTE: this is a regression error related to CVE-2003-0967.
OSV
CVE-2003-0967: rad_decode in FreeRADIUS 0
osv·2003-12-15·CVSS 5.0
CVE-2003-0967 [MEDIUM] CVE-2003-0967: rad_decode in FreeRADIUS 0
rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute with a tag, which causes memcpy to be called with a -1 length argument, as demonstrated using the Tunnel-Password attribute.
No detection rules found.
Bugzilla
CVE-2003-0967 security flaw
bugzilla·2018-08-16·CVSS 5.0
CVE-2003-0967 [MEDIUM] CVE-2003-0967 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute with a tag, which causes memcpy to be called with a -1 length argument, as demonstrated using the Tunnel-Password attribute.
Bugzilla
CVE-2009-3111 FreeRADIUS: Missing check for Tunnel-Password attributes with zero length (DoS) -- re-appearance of CVE-2003-0967
bugzilla·2009-09-08·CVSS 5.0
CVE-2009-3111 [MEDIUM] CVE-2009-3111 FreeRADIUS: Missing check for Tunnel-Password attributes with zero length (DoS) -- re-appearance of CVE-2003-0967
A missing check for proper form of certain attributes was originally
found in the way FreeRADIUS used to decode specific RADIUS attributes
into data structures. A remote attacker could send a specially-crafted
RADIUS packet to the RADIUS server, leading to a denial of service
(radiusd daemon crash), CVE-2003-0967. This flaw was fixed in upstream
0.9.3 version of FreeRADIUS and re-introduced later.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0967
https://www.kb.cert.org/vuls/id/541574
http://rhn.redhat.com/errata/RHSA-2003-386.html
Upstream patch:
http://github.com/alandekok/freeradius-server/commit/860cad9e02ba344edb0038419e415fe05a9a01f4
http://marc.info/?l=bugtraq&m=106935911101493&w=2
http://marc.info/?l=bugtraq&m=106944220426970
http://marc.info/?l=freeradius-users&m=106947389449613&w=2
http://www.redhat.com/support/errata/RHSA-2003-386.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10917