dhcpd vulnerabilities
Updated 1/15/03
CAN 1999-0808
CAN 2002-0702
CAN 2003-0026
Impact
A remote attacker could execute arbitrary commands on the
server.
Background
The Dynamic Host Configuration Protocol (DHCP) is used to dynamically
assign IP addresses to computers on a network. When a computer is
turned on, a DHCP client on the computer sends out a broadcast message
requesting an IP address. The DHCP server listens for
such broadcasts and creates a lease upon receiving a
request. The lease allows the client computer to use a specified
IP address for a specified length of time. The DHCP server sends
the lease information back to the client, and the client begins
using the assigned IP address.
ISC's implementation of DHCP Version 3 and higher supports an option
called NSUPDATE, which can be used to send information about the DHCP
client to the domain name server. This option is enabled by default.
The Problem
1/15/03
CAN 2003-0026
There is a buffer overflow condition affecting the error
handling routines in the minires library, which is used by
NSUPDATE. This overflow could allow a remote attacker to
execute arbitrary commands with root privileges by specifying
a long, specially crafted hostname. ISC DHCP 3.0 through
3.0.1rc10 are affected by this vulnerability.
5/9/02
CAN 2002-0702
A second vulnerability is a missing format string in
the portion of code which logs the response from the DNS
server after an NSUPDATE.
A remote attacker could exploit this condition by sending
specially crafted data to the DHCP server, resulting in
the execution of arbitrary commands with the
privileges of the DHCP daemon process (dhcpd),
which is typically root. ISC DHCP versions 3.0 through
3.0.1rc8 are affected by this vulnerability.
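The missing-format-string pattern described above, next to the corrected call, as an added example that is not ISC's code and not part of the original advisory. The log_info() routine, both wrapper functions and the sample text are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style log routine; it keeps the last rendered line
   so the result can be inspected. Not taken from ISC DHCP. */
static char last_log[256];

static int log_info(const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
    return n;
}

/* Before: text received from the network is used as the format itself,
   so any '%' directive in it is interpreted by the logger. */
const char *log_response_unsafe(const char *response)
{
    log_info(response);
    return last_log;
}

/* After: a constant format string; the response is only ever data. */
const char *log_response_safe(const char *response)
{
    log_info("DNS update response: %s", response);
    return last_log;
}

int main(void)
{
    /* Constructed sample. "%%" takes no argument, so even the unsafe
       call is well defined here, yet its output shows the rewrite. */
    const char *sample = "zone 100%% updated";

    printf("unsafe: %s\n", log_response_unsafe(sample));
    printf("safe:   %s\n", log_response_safe(sample));
    return 0;
}
```

GCC's -Wformat-security option reports this pattern for printf-family calls and for functions declared with the format attribute.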
CAN 1999-0808
Older versions of ISC DHCP are also affected by
vulnerabilities. Multiple buffer overflow conditions in
version 1.0 prior to 1.0pl1 and 2.0 prior to 2.0b1pl1
could allow a remote attacker to crash the service or
execute arbitrary commands.
Resolutions
Disable dhcpd if the service is not needed.
If it is needed, upgrade to ISC DHCP Version 3.0p2 or
Version 3.0.1rc11 or higher, or obtain a fix from your vendor.
See CERT Advisories 2002-12 and 2003-01 for information from
your vendor. Until a fix can be applied, it would be advisable
to deny access to TCP and UDP ports 67 and 68 at the network
perimeter.
Where can I read more about this?
These vulnerabilities were announced in CERT Advisories
2002-12 and 2003-01, Next Generation Security Technologies
advisory 2002-2, and CIAC Bulletin I-053.