Vulnerability Note VU#107886

ISC dhclient vulnerability

Original Release date: 05 Apr 2011 | Last revised: 06 May 2011

Overview

The ISC dhclient contains a vulnerability that could allow a remote attacker to execute arbitrary code on the client machine.

Description

According to ISC:

ISC dhclient did not strip or escape certain shell meta-characters in responses from the dhcp server (like hostname) before passing the responses on to dhclient-script. Depending on the script and OS, this can result in execution of exploit code on the client.

Impact

An unauthenticated remote attacker could cause the ISC dhclient to execute arbitrary code on the client machine.

Solution

Apply an update

Users who obtain ISC DHCP from a third-party vendor, such as their operating system vendor, should see the vendor information portion of this document for a partial list of affected vendors.

This vulnerability is addressed in ISC DHCP versions 3.1-ESV-R1, 4.1-ESV-R2 and 4.2.1-P1. Users of ISC DHCP from the original source distribution should upgrade to one of these versions or later, as appropriate.

See also https://www.isc.org/software/dhcp/advisories/cve-2011-0997

According to ISC:
On SUSE systems, it is possible to disable hostname update by setting DHCLIENT_SET_HOSTNAME="no" in /etc/sysconfig/network/dhcp.
Other systems may add the following line to dhclient-script at the beginning of the set_hostname() function:

new_host_name=${new_host_name//[^-.a-zA-Z0-9]/}

In environments where filters/acls can be put into place to limit clients to accessing only legitimate dhcp servers, this will protect clients from rogue dhcp servers deliberately trying to exploit this bug. However, this will not protect from compromised servers.
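As an added illustration that is not part of this note or of ISC's advisory: a POSIX sh equivalent of the filter line above, together with a check an administrator can use to tell whether a DHCP-supplied hostname would have been altered by it. ISC's line relies on the bash-only ${var//pattern/} expansion; the function names and the sample values below are assumptions.

```shell
# Added example, not ISC's or CERT/CC's code. Mirrors the character set of
# ISC's suggested filter (-, ., letters, digits) using tr -cd, which works in
# any POSIX sh, unlike the bash-only ${new_host_name//[^-.a-zA-Z0-9]/}.

# Keep only characters that are safe to hand to dhclient-script unquoted.
sanitize_hostname() {
    printf '%s' "$1" | tr -cd 'a-zA-Z0-9.-'
}

# Return 0 if the filter leaves the value unchanged, 1 if anything was
# stripped (the server sent characters a hostname should never contain).
hostname_is_clean() {
    [ "$(sanitize_hostname "$1")" = "$1" ]
}

# Constructed sample values standing in for new_host_name as received
# from a DHCP server; the second one contains shell metacharacters.
GOOD='srv01.example.com'
BAD='srv01;x$y'

main() {
    for h in "$GOOD" "$BAD"; do
        if hostname_is_clean "$h"; then
            printf 'accepted: %s\n' "$h"
        else
            printf 'filtered: %s -> %s\n' "$h" "$(sanitize_hostname "$h")"
        fi
    done
}
```

Logging the "filtered" case in dhclient-script gives a simple indicator that a server on the segment is sending hostnames a legitimate server never would.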

Vendor Information

Vendor                        | Status       | Date Notified | Date Updated
Debian GNU/Linux              | Affected     | -             | 25 Apr 2011
Fedora Project                | Affected     | -             | 25 Apr 2011
Internet Systems Consortium   | Affected     | -             | 05 Apr 2011
Mandriva S. A.                | Affected     | -             | 25 Apr 2011
Red Hat, Inc.                 | Affected     | -             | 25 Apr 2011
Slackware Linux Inc.          | Affected     | -             | 25 Apr 2011
Ubuntu                        | Affected     | -             | 25 Apr 2011
Wind River Systems, Inc.      | Not Affected | 08 Apr 2011   | 06 May 2011

CVSS Metrics

Group         | Score | Vector
Base          | N/A   | N/A
Temporal      | N/A   | N/A
Environmental | N/A   | N/A

Credit

Thanks to Sebastian Krahmer and Marius Tomaschewski at SUSE Security Team for reporting this vulnerability to Internet Systems Consortium.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2011-0997
  • Date Public: 05 Apr 2011
  • Date First Published: 05 Apr 2011
  • Date Last Updated: 06 May 2011
  • Severity Metric: 11.34
  • Document Revision: 10
