CVE-2013-4147 in YARD RADIUS
Summary
by MITRE
Multiple format string vulnerabilities in Yet Another Radius Daemon (YARD RADIUS) 1.1.2 allow context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via format string specifiers in a request in the (1) log_msg function in log.c or (2) version or (3) build_version function in version.c.
Analysis
by VulDB Data Team • 06/14/2025
The vulnerability identified as CVE-2013-4147 affects Yet Another Radius Daemon (YARD RADIUS) version 1.1.2, a widely used RADIUS server implementation that authenticates network access requests. The daemon is a critical component of network security infrastructure, handling authentication, authorization, and accounting for a range of network services. The vulnerability stems from improper input validation in the daemon's logging and version reporting code: request data reaches printf-style functions unsanitized, so a maliciously crafted request can cause memory to be read or written in ways the application never intended.
Multiple format string vulnerabilities exist within the YARD RADIUS daemon's codebase, specifically within three distinct functions that handle different operational contexts. The first vulnerability occurs in the log_msg function located in log.c, where user-supplied input is directly processed without proper sanitization before being passed to printf-style functions. The second vulnerability is found in the version function within version.c, while the third exists in the build_version function in the same file. These functions are invoked during normal daemon operations when processing authentication requests, making them prime targets for exploitation by context-dependent attackers who understand the daemon's operational flow.
The technical nature of these vulnerabilities aligns with CWE-134, which describes format string vulnerabilities where format specifiers in user-controlled input can be exploited to manipulate program execution flow. When attackers craft malicious requests containing format string specifiers, they can cause the daemon to read or write memory locations arbitrarily, potentially leading to stack corruption that results in crashes or more severe exploitation. The context-dependent nature of the vulnerability means that exploitation requires specific conditions where the daemon receives crafted input through legitimate network authentication channels, making it particularly dangerous in environments where RADIUS servers handle sensitive network access requests.
The operational impact of this vulnerability extends beyond simple denial of service conditions, as the potential for arbitrary code execution presents a significant security risk to network infrastructures. When exploited successfully, attackers could gain unauthorized access to network resources, escalate privileges, or disrupt critical authentication services that rely on the RADIUS daemon for access control. The vulnerability affects the daemon's ability to maintain stable operation during authentication processing, which could lead to complete service disruption for network users attempting to access protected resources. Network administrators must consider the cascading effects of such exploitation, as compromised RADIUS servers could provide attackers with persistent access to network resources.
Mitigation strategies for CVE-2013-4147 should focus on immediate patching of the affected YARD RADIUS daemon version 1.1.2, with updates that properly sanitize input before format string processing. Organizations should implement network segmentation and access controls to limit exposure of RADIUS servers to untrusted networks, while also monitoring for anomalous authentication request patterns that could indicate exploitation attempts. The ATT&CK framework categorizes this vulnerability under T1190 for exploitation of remote services, emphasizing the need for network-level defenses including firewalls and intrusion detection systems. Additionally, implementing proper input validation and using secure coding practices such as snprintf instead of sprintf in the affected functions would prevent similar vulnerabilities from occurring in future implementations. Organizations should also consider conducting vulnerability assessments to identify other instances of format string vulnerabilities within their network infrastructure components, as these types of flaws often appear in legacy network services that remain in production environments.
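The call-site pattern behind bugs of this class, as an added C example that is not YARD RADIUS's own code (the logger, its callers and the attribute name are hypothetical): the same log_msg is safe or unsafe depending only on whether a caller passes untrusted data as the format string or as a %s argument, and a bounded snprintf/vsnprintf by itself does not remove the risk. A small directive counter shows one cheap check for the request monitoring recommended above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger modelled on the log_msg pattern: safe
 * only if every caller passes a trusted format and untrusted data as args. */
static int log_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE call site: the attacker-controlled attribute becomes the format
 * string, so %x/%n in a request are interpreted (undefined behaviour: stack
 * reads, memory writes via %n). The bounded vsnprintf does not help. */
static int log_user_vulnerable(char *out, size_t outlen, const char *user)
{
    return log_msg(out, outlen, user);
}

/* FIXED call site: literal format, untrusted value as a %s argument, so any
 * directives inside `user` are copied as plain text. */
static int log_user_fixed(char *out, size_t outlen, const char *user)
{
    return log_msg(out, outlen, "auth request from user '%s'", user);
}

/* Defensive check: count active conversion directives in a request field
 * ("%%" is an escaped percent). Non-zero in a User-Name is worth an alert. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    const char *user = "bob%x%x%n";   /* constructed hostile User-Name */
    log_user_fixed(buf, sizeof buf, user);
    printf("%s (directives: %d)\n", buf, count_format_directives(user));
    return 0;
}
```

log_user_vulnerable is defined only for side-by-side comparison and is never called; the fixed path logs the hostile value verbatim.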