Public Vulnerability Reports

GNU Radius SNMP String Length Integer Overflow Denial of Service Vulnerability



Radius is used for remote user authentication and accounting.

For more information see:


Remote exploitation of an input validation error in version 1.2 of  GNU
radiusd could allow a denial of service.

The vulnerability specifically exists within the asn_decode_string()
function defined in snmplib/asn1.c. When a very large unsigned number is
supplied, it is possible that an integer overflow will occur in the
bounds-checking code. The daemon will then attempt to reference
unallocated memory, resulting in an access violation that causes the
process to terminate.


Successful exploitation allows unauthenticated remote attackers to cause
the radius daemon (radiusd) to crash. This thereby prevents legitimate
users from accessing systems reliant upon the affected radius server for
authentication. This vulnerability does not seem to allow for execution
of code; it is a denial of service condition only. Exploitation requires
that radiusd be compiled with the --enable-snmp option. SNMP support is
not enabled in the default compile.


iDEFENSE has confirmed that GNU Radius 1.1 and 1.2 are vulnerable, if
configured with --enable-snmp at compile time.


Disable SNMP support when building radiusd at compile time. Ingress
filtering of UDP port 161 on all interfaces that should not be receiving
SNMP packets may lessen exposure to this vulnerability in affected


The issue has been addressed in maintenance release version number


The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-0849 to these issues. This is a candidate for inclusion
in the CVE list (, which standardizes names for
security problems.


09/10/2004    Initial vendor notification
09/10/2004    Initial vendor response
09/15/2004    Public disclosure


The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research


Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.