Vulnerability Note VU#284857

ISC DHCPD minires library contains multiple buffer overflows

Original Release date: 15 Jan 2003 | Last revised: 26 Mar 2003

Overview

The Internet Software Consortium (ISC) has discovered several buffer overflow vulnerabilities in their implementation of DHCP (ISC DHCPD). These vulnerabilities may allow remote attackers to execute arbitrary code on affected systems. At this time, we are not aware of any exploits.

Description

There are multiple remote buffer overflow vulnerabilities in the ISC implementation of DHCP. As described in RFC 2131, "the Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network." In addition to supplying hosts with network configuration data, ISC DHCPD allows the DHCP server to dynamically update a DNS server, obviating the need for manual updates to the name server configuration. Support for dynamic DNS updates is provided by the NSUPDATE feature.

During an internal source code audit, developers from the ISC discovered several vulnerabilities in the error handling routines of the minires library, which is used by NSUPDATE to resolve hostnames. These vulnerabilities are stack-based buffer overflows that may be exploitable by sending a DHCP message containing a large hostname value. Note: Although the minires library is derived from the BIND 8 resolver library, these vulnerabilities do not affect any current versions of BIND.

Impact

Remote attackers may be able to execute arbitrary code with the privileges of the user running ISC DHCPD.

Solution

Upgrade or apply a patch

The ISC has addressed these vulnerabilities in versions 3.0pl2 and 3.0.1RC11 of ISC DHCPD. If your software vendor supplies ISC DHCPD as part of an operating system distribution, please see the vendor section of this document.

Disable dynamic DNS updates (NSUPDATE)

As an interim measure, the ISC recommends disabling the NSUPDATE feature on affected DHCP servers.

Block external access to DHCP server ports

As an interim measure, it is possible to limit exposure to these vulnerabilities by restricting external access to affected DHCP servers on the following ports:

    bootps      67/tcp      # Bootstrap Protocol Server
    bootps      67/udp      # Bootstrap Protocol Server
    bootpc      68/tcp      # Bootstrap Protocol Client
    bootpc      68/udp      # Bootstrap Protocol Client

Disable the DHCP service

As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Depending on your network configuration, you may not need to use DHCP.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
BSDIAffected26 Nov 200215 Jan 2003
ConectivaAffected26 Nov 200228 Jan 2003
DebianAffected26 Nov 200220 Jan 2003
Gentoo LinuxAffected17 Jan 200320 Jan 2003
ISCAffected15 Nov 200215 Jan 2003
MandrakeSoftAffected26 Nov 200220 Jan 2003
OpenPKGAffected16 Jan 200320 Jan 2003
Red Hat Inc.Affected26 Nov 200215 Jan 2003
SlackwareAffected19 Jan 200321 Jan 2003
SuSE Inc.Affected26 Nov 200220 Jan 2003
AlcatelNot Affected26 Nov 200226 Mar 2003
Apple Computer Inc.Not Affected26 Nov 200215 Jan 2003
Cisco Systems Inc.Not Affected26 Nov 200215 Jan 2003
Cray Inc.Not Affected26 Nov 200215 Jan 2003
FujitsuNot Affected26 Nov 200220 Jan 2003
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT Coordination Center thanks David Hankins of the Internet Software Consortium for notifying us about this problem and for helping us to construct this document. We also thank Jacques A. Vidrine for drawing attention to this issue.

This document was written by Jeffrey P. Lanza.

Other Information

  • CVE IDs: CAN-2003-0026
  • CERT Advisory: CA-2003-01
  • Date Public: 15 Jan 2003
  • Date First Published: 15 Jan 2003
  • Date Last Updated: 26 Mar 2003
  • Severity Metric: 5.27
  • Document Revision: 20

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.