Buffer Overflow via Crafted IPv6 Addr Attribute Type Client Request in Accel-PPP v1.12

Vulnerability

The rad_packet_recv function in opt/src/accel-pppd/radius/packet.c suffers from a buffer overflow vulnerability. The user-supplied length field in a RADIUS packet is copied into a fixed buffer &attr->val.integer without any bounds checking. This affects all versions prior to the fix. If an attacker connects to the server and sends a large RADIUS packet, a buffer overflow will be triggered. The vulnerability is specifically reachable when the attribute type is one of ipv4addr, ipv6addr, ipv6prefix, or ifid [1].

Exploitation

An attacker does not need authentication; they only need network access to send a crafted RADIUS packet to the server. By providing an overly long attribute length in the packet that uses one of the mentioned attribute types, the attacker can cause a buffer overflow. The overflow occurs during the copying of data into the fixed buffer within rad_packet_recv [1].

Impact

Successful exploitation could lead to denial of service due to memory corruption, or potentially arbitrary code execution depending on system memory protections. The attacker can corrupt adjacent memory, which may allow further compromise of the RADIUS server or the system it runs on [1].

Mitigation

The vulnerability is fixed in pull request #35 on the Accel-PPP GitHub repository [1]. The fix was submitted on 2022-02-14. Users should update to a version containing the patch. No known workarounds are documented. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the update.