dhcpd vulnerabilities

Updated 1/15/03
CAN 1999-0808
CAN 2002-0702
CAN 2003-0026

Impact

A remote attacker could execute arbitrary commands on the server.

Background

The Dynamic Host Configuration Protocol (DHCP) is used to dynamically assign IP addresses to computers on a network. When a computer is turned on, a DHCP client on the computer sends out a broadcast message requesting an IP address. The DHCP server listens for such broadcasts and creates a lease upon receiving a request. The lease allows the client computer to use a specified IP address for a specified length of time. The DHCP server sends the lease information back to the client, and the client begins using the assigned IP address.

ISC's implementation of DHCP Version 3 and higher supports an option called NSUPDATE, which can be used to send information about the DHCP client (such as its hostname) to the domain name server. This option is enabled by default.
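The hostname that NSUPDATE forwards to DNS arrives in the client's request as a DHCP option, so the first place a server touches attacker-supplied data is the option walk. The following is an added illustration, not ISC code: a bounds-checked parser for the DHCP options field (RFC 2131 fixed header, magic cookie, then type/length/value options) that extracts the message type and the client host-name option into a fixed-size field, truncating rather than overrunning. The 63-byte cap, the `dhcp_summary` type and the sample packet builder are assumptions made for the example.

```c
/* Added example (not ISC code): bounds-checked walk over the DHCP options
 * field, pulling out the message type (option 53) and the client-supplied
 * host-name (option 12) that a server running NSUPDATE would forward to DNS. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP_FIXED_HDR 236      /* op .. file[] per RFC 2131 */
#define OPT_PAD        0
#define OPT_HOST_NAME  12
#define OPT_MSG_TYPE   53
#define OPT_END        255
#define HOSTNAME_MAX   63       /* assumed cap on what we keep from the wire */

struct dhcp_summary {
    int    msg_type;                  /* -1 if option 53 absent */
    char   hostname[HOSTNAME_MAX + 1];
    size_t hostname_len_on_wire;      /* declared length, before truncation */
};

/* Returns 0 on success, -1 if the packet is malformed: short header, bad
 * cookie, an option length that runs past the buffer, or no END option. */
int dhcp_parse(const uint8_t *pkt, size_t len, struct dhcp_summary *out)
{
    static const uint8_t cookie[4] = {99, 130, 83, 99};
    size_t i;

    memset(out, 0, sizeof *out);
    out->msg_type = -1;
    if (len < DHCP_FIXED_HDR + 4 || memcmp(pkt + DHCP_FIXED_HDR, cookie, 4) != 0)
        return -1;

    i = DHCP_FIXED_HDR + 4;
    while (i < len) {
        uint8_t code = pkt[i++];
        uint8_t olen;
        if (code == OPT_PAD) continue;
        if (code == OPT_END) return 0;
        if (i >= len) return -1;          /* option code without a length byte */
        olen = pkt[i++];
        if (olen > len - i) return -1;    /* length claims more bytes than remain */
        switch (code) {
        case OPT_MSG_TYPE:
            if (olen != 1) return -1;
            out->msg_type = pkt[i];
            break;
        case OPT_HOST_NAME: {
            size_t n = olen > HOSTNAME_MAX ? HOSTNAME_MAX : olen;
            out->hostname_len_on_wire = olen;
            memcpy(out->hostname, pkt + i, n);   /* bounded copy, then terminate */
            out->hostname[n] = '\0';
            break;
        }
        default:
            break;                        /* other options are skipped by length */
        }
        i += olen;
    }
    return -1;                            /* ran off the end without OPT_END */
}

/* Constructed sample (not a capture): a DHCPDISCOVER carrying one host-name
 * option. Returns the packet length, or 0 if it would not fit. */
size_t build_sample_discover(uint8_t *buf, size_t cap, const char *hostname)
{
    size_t hl = strlen(hostname), i;
    if (hl > 255 || cap < DHCP_FIXED_HDR + 4 + 3 + 2 + hl + 1) return 0;
    memset(buf, 0, DHCP_FIXED_HDR);
    buf[0] = 1; buf[1] = 1; buf[2] = 6;   /* BOOTREQUEST, Ethernet, hlen 6 */
    i = DHCP_FIXED_HDR;
    buf[i++] = 99; buf[i++] = 130; buf[i++] = 83; buf[i++] = 99;
    buf[i++] = OPT_MSG_TYPE; buf[i++] = 1; buf[i++] = 1;   /* 1 = DHCPDISCOVER */
    buf[i++] = OPT_HOST_NAME; buf[i++] = (uint8_t)hl;
    memcpy(buf + i, hostname, hl); i += hl;
    buf[i++] = OPT_END;
    return i;
}

int main(void)
{
    uint8_t pkt[600];
    struct dhcp_summary s;
    size_t n = build_sample_discover(pkt, sizeof pkt, "host-1");
    if (dhcp_parse(pkt, n, &s) == 0)
        printf("type=%d hostname=%s (wire length %zu)\n",
               s.msg_type, s.hostname, s.hostname_len_on_wire);
    return 0;
}
```

The two checks that matter are `olen > len - i` (an option may not claim bytes beyond the datagram) and the `HOSTNAME_MAX` cap before `memcpy`; a hostname option can legally be up to 255 bytes, which is longer than many fixed buffers downstream.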

The Problem

1/15/03
CAN 2003-0026
There is a buffer overflow condition affecting the error handling routines in the minires library, which is used by NSUPDATE. This overflow could allow a remote attacker to execute arbitrary commands with root privileges by specifying a long, specially crafted hostname. ISC DHCP 3.0 through 3.0.1rc10 are affected by this vulnerability.

5/9/02
CAN 2002-0702
A second vulnerability is a missing format string in the portion of code which logs the response from the DNS server after an NSUPDATE: the response text is passed to the logging routine in the position of the format string rather than as an argument. A remote attacker could exploit this condition by sending specially crafted data to the DHCP server, resulting in the execution of arbitrary commands with the privileges of the DHCP daemon process (dhcpd), which is typically root. ISC DHCP versions 3.0 through 3.0.1rc8 are affected by this vulnerability.
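Both flaws above (the unbounded copy of a long hostname in the minires error path, and the DNS response used as a format string) are patterns in how attacker-controlled text is handled, and both have a one-line hardened form. The following is an added example written for this page, not ISC's code: each vulnerable pattern is shown beside its bounded or fixed-format replacement, plus a check a logger can apply to network text before it reaches any printf-family call. The `log_line` logger is a vsnprintf-based stand-in assumed for the example; the buffer size and the `%.200s` precision are also assumptions.

```c
/* Added example (not ISC code). Two handling patterns from the advisory:
 * a fixed-size buffer written without a length bound, and a logging call
 * whose format string is the network data itself. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSGBUF 256

/* Stand-in for a syslog-style logger that formats into a caller buffer
 * (assumption: it behaves like vsnprintf, as printf-family loggers do). */
static int log_line(char *dst, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(dst, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE (illustrative, never called here): the error path copies the
 * hostname into a fixed buffer with no bound, so a name longer than the
 * remaining space overruns 'msg'. */
int error_message_unsafe(char *msg, const char *hostname)
{
    return sprintf(msg, "lookup of %s failed", hostname);   /* no bound on %s */
}

/* HARDENED: bounded write that truncates the name instead of overflowing.
 * Returns the number of characters actually stored. */
int error_message_safe(char *msg, size_t cap, const char *hostname)
{
    int n = snprintf(msg, cap, "lookup of %.200s failed", hostname);
    if (n < 0) return -1;
    return n >= (int)cap ? (int)cap - 1 : n;
}

/* VULNERABLE (illustrative, never called here): the DNS reply text is the
 * format string, so any conversion directives in it are interpreted. */
int log_reply_unsafe(char *dst, size_t cap, const char *reply)
{
    return log_line(dst, cap, reply);     /* format string from the network */
}

/* HARDENED: fixed format, reply passed as an argument and copied verbatim. */
int log_reply_safe(char *dst, size_t cap, const char *reply)
{
    return log_line(dst, cap, "dns reply: %s", reply);
}

/* Defensive check for text that should never carry printf directives:
 * returns 1 if a '%' not escaped as "%%" is present. */
int contains_format_directive(const char *s)
{
    const char *p = strchr(s, '%');
    while (p) {
        if (p[1] != '%') return 1;
        p = strchr(p + 2, '%');
    }
    return 0;
}

int main(void)
{
    char buf[MSGBUF];
    error_message_safe(buf, sizeof buf, "host-1");
    printf("%s\n", buf);
    log_reply_safe(buf, sizeof buf, "ok %x%n");   /* constructed reply text */
    printf("%s\n", buf);
    printf("directive present: %d\n", contains_format_directive("ok %x%n"));
    return 0;
}
```

The unsafe variants are kept only to show the shape of the defect; compilers flag the second with -Wformat-security, which is a cheap check to turn on for any daemon that logs network-derived strings.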

CAN 1999-0808
Older versions of ISC DHCP are also affected by vulnerabilities. Multiple buffer overflow conditions in version 1.0 prior to 1.0pl1 and 2.0 prior to 2.0b1pl1 could allow a remote attacker to crash the service or execute arbitrary commands.

Resolutions

Disable dhcpd if the service is not needed. If it is needed, upgrade to ISC DHCP Version 3.0p2 or Version 3.0.1rc11 or higher, or obtain a fix from your vendor. See CERT Advisories 2002-12 and 2003-01 for information from your vendor. Until a fix can be applied, it would be advisable to deny access to TCP and UDP ports 67 and 68 at the network perimeter.

Where can I read more about this?

These vulnerabilities were announced in CERT Advisories 2002-12 and 2003-01, Next Generation Security Technologies advisory 2002-2, and CIAC Bulletin I-053.