CVE-2004-2163
Description
The login_radius program on OpenBSD fails to verify the RADIUS server's shared secret, allowing remote attackers to spoof server replies and bypass authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The login_radius program in OpenBSD (versions 3.2, 3.5, and possibly others) does not validate the shared secret in RADIUS authentication response packets. This flaw allows the program to accept spoofed replies from an attacker without proper verification, bypassing intended RADIUS security controls.
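The check that the flaw omits is the Response Authenticator defined in RFC 2865 section 3: the server computes MD5 over Code, Identifier, Length, the client's Request Authenticator, the attributes and the shared secret, and a client that skips recomputing it cannot tell a genuine reply from one sent by anyone on the network. The following Python is an added illustration written for this page, not code from OpenBSD's login_radius or its fix; the packet builder, the secret, the attribute and the request authenticator are constructed sample values. It places the flawed acceptance logic (trust any packet whose Code says Access-Accept) beside the hardened form (tie the reply to the outstanding Identifier and to the secret) and runs both against a genuine reply and one built without knowledge of the secret.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 2865.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def response_authenticator(code, identifier, request_authenticator, attributes, secret):
    """RFC 2865 s3: MD5(Code | Identifier | Length | RequestAuth | Attributes | Secret)."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code, identifier, request_authenticator, attributes, secret):
    """Build a RADIUS reply; with the wrong secret this yields a reply a real server never sent."""
    auth = response_authenticator(code, identifier, request_authenticator, attributes, secret)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return header + auth + attributes


def accept_unverified(packet):
    """Flawed client logic: trust any reply whose Code field says Access-Accept."""
    return len(packet) >= HEADER_LEN and packet[0] == ACCESS_ACCEPT


def accept_verified(packet, expected_identifier, request_authenticator, secret):
    """Hardened client logic: the reply must match our request and prove knowledge of the secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    # Length must be sane and the buffer must hold at least that many bytes;
    # anything beyond Length is padding per RFC 2865 and is ignored.
    if length < HEADER_LEN or length > 4096 or length > len(packet):
        return False
    if identifier != expected_identifier:
        return False
    attributes = packet[HEADER_LEN:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attributes + secret).digest()
    # Constant-time comparison; a mismatch means the sender did not know the secret.
    if not hmac.compare_digest(packet[4:HEADER_LEN], expected):
        return False
    return code == ACCESS_ACCEPT


def demo(secret=b"constructed-shared-secret", forged_secret=b"guess"):
    """Run both acceptance checks over a genuine reply and a reply built without the secret."""
    request_id = 0x2A
    request_auth = bytes(range(16))  # constructed; a real client uses 16 random bytes
    msg = b"Welcome"
    attributes = bytes([18, 2 + len(msg)]) + msg  # constructed Reply-Message (type 18) attribute
    genuine = build_response(ACCESS_ACCEPT, request_id, request_auth, attributes, secret)
    forged = build_response(ACCESS_ACCEPT, request_id, request_auth, attributes, forged_secret)
    return {
        "unverified_accepts_genuine": accept_unverified(genuine),
        "unverified_accepts_forged": accept_unverified(forged),
        "verified_accepts_genuine": accept_verified(genuine, request_id, request_auth, secret),
        "verified_accepts_forged": accept_verified(forged, request_id, request_auth, secret),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unverified path accepts both replies, which is the behaviour the advisory describes; the verified path rejects the forged one because its authenticator was computed without the secret. The Identifier check additionally binds the reply to the specific outstanding request, so a reply captured from an earlier exchange cannot be replayed against a later one.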
Exploitation
An attacker with network access to the victim's RADIUS infrastructure can send crafted RADIUS Access-Accept packets that are accepted without a valid shared secret. No prior authentication is needed. The attacker simply spoofs a legitimate RADIUS server's response during the authentication process.
Impact
Successful exploitation allows the attacker to bypass authentication checks, gaining unauthorized access to network resources or services that rely on RADIUS for authentication. This effectively undermines access control, potentially leading to full compromise of affected systems.
Mitigation
OpenBSD released a security patch for this issue, available in the OpenBSD 3.5 errata [1]. Systems running affected versions should apply the patch or update to a fixed release. No workaround is documented; patching is recommended.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 3.2, 3.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] secunia.com/advisories/12617 (nvd: Patch, Vendor Advisory)
- www.openbsd.org/errata35.html (nvd: Patch)
- www.reseau.nl/advisories/0400-openbsd-radius.txt (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/11227 (nvd: Patch)
- archives.neohapsis.com/archives/vulnwatch/2004-q3/0058.html (nvd: Vendor Advisory)
- www.osvdb.org/10203 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/17456 (nvd)
News mentions
No linked articles in our index yet.