CVE-2021-32642

Name of the Vulnerable Software and Affected Versions radsecproxy (affected versions not specified)

Description The issue is related to missing input validation in radsecproxy's naptr-eduroam.sh and radsec-dynsrv.sh scripts, which can lead to configuration injection via crafted radsec peer discovery DNS records. This can result in information disclosure, denial of service, and redirection of the Radius connection to a non-authenticated server, leading to non-authenticated network access.

Recommendations To resolve the issue, update the example scripts to the versions available in the master branch or 1.9 release. Note that these scripts are not part of the installation package and must be updated manually. The updated scripts can be used with any version of radsecproxy. As a temporary workaround, consider restricting the use of the vulnerable scripts until the updated versions are applied.