Vulnerability Note VU#284857

ISC DHCPD minires library contains multiple buffer overflows

Overview

The Internet Software Consortium (ISC) has discovered several buffer overflow vulnerabilities in their implementation of DHCP (ISC DHCPD). These vulnerabilities may allow remote attackers to execute arbitrary code on affected systems. At this time, we are not aware of any exploits.

I. Description

There are multiple remote buffer overflow vulnerabilities in the ISC implementation of DHCP. As described in RFC 2131, "the Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network." In addition to supplying hosts with network configuration data, ISC DHCPD allows the DHCP server to dynamically update a DNS server, obviating the need for manual updates to the name server configuration. Support for dynamic DNS updates is provided by the NSUPDATE feature.

During an internal source code audit, developers from the ISC discovered several vulnerabilities in the error handling routines of the minires library, which is used by NSUPDATE to resolve hostnames. These vulnerabilities are stack-based buffer overflows that may be exploitable by sending a DHCP message containing a large hostname value. Note: Although the minires library is derived from the BIND 8 resolver library, these vulnerabilities do not affect any current versions of BIND.
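The class of bug described above, as an added illustration that is not code from ISC DHCPD or the minires library: an error routine that formats a network-supplied hostname into a fixed stack buffer, shown next to a length-checked form. The function names, buffer size and message text are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#define ERRBUF_LEN 64   /* constructed size, not taken from the ISC source */
#define MAX_LABEL  63   /* RFC 1035: longest DNS label, in octets */
#define MAX_NAME   255  /* RFC 1035: longest DNS name, in octets */
/* Bug class only: hostname arrives from the network, and sprintf() writes
 * past errbuf on the stack as soon as the name outgrows it. */
void report_update_error_unsafe(const char *hostname)
{
    char errbuf[ERRBUF_LEN];
    sprintf(errbuf, "update failed for %s", hostname);
    fputs(errbuf, stderr);
}

/* Reject names that break the DNS length limits before they are used.
 * Returns 1 if acceptable, 0 otherwise. */
int dns_name_len_ok(const char *name)
{
    size_t total = 0, label = 0;
    if (name == NULL || *name == '\0') return 0;
    for (; *name != '\0'; name++) {
        if (++total > MAX_NAME) return 0;
        if (*name == '.') {
            if (label == 0) return 0;          /* empty label */
            label = 0;
        } else if (++label > MAX_LABEL) return 0;
    }
    return 1;
}

/* Hardened form: bounded write into a caller-sized buffer.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on bad input. */
int format_update_error(char *out, size_t outlen, const char *hostname)
{
    int n;
    if (out == NULL || outlen == 0 || hostname == NULL) return -1;
    n = snprintf(out, outlen, "update failed for %s", hostname);
    if (n < 0) { out[0] = '\0'; return -1; }
    if ((size_t)n < outlen) return 0;
    if (outlen > 4) memcpy(out + outlen - 4, "...", 4);  /* mark the cut */
    return 1;
}

int main(void)
{
    char msg[ERRBUF_LEN];
    printf("%d %s\n", format_update_error(msg, sizeof msg, "host1.example.com"), msg);
    return 0;
}
```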

II. Impact

Remote attackers may be able to execute arbitrary code with the privileges of the user running ISC DHCPD.

III. Solution

Upgrade or apply a patch

The ISC has addressed these vulnerabilities in versions 3.0pl2 and 3.0.1RC11 of ISC DHCPD. If your software vendor supplies ISC DHCPD as part of an operating system distribution, please see the vendor section of this document.

Disable dynamic DNS updates (NSUPDATE)

As an interim measure, the ISC recommends disabling the NSUPDATE feature on affected DHCP servers.

Block external access to DHCP server ports

As an interim measure, it is possible to limit exposure to these vulnerabilities by restricting external access to affected DHCP servers on the following ports:

    bootps      67/tcp      # Bootstrap Protocol Server
    bootps      67/udp      # Bootstrap Protocol Server
    bootpc      68/tcp      # Bootstrap Protocol Client
    bootpc      68/udp      # Bootstrap Protocol Client

Disable the DHCP service

As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Depending on your network configuration, you may not need to use DHCP.

Systems Affected

Vendor                          Status            Date Notified / Date Updated
Alcatel                         Not Vulnerable    26-Mar-2003
Apple Computer Inc.             Not Vulnerable    15-Jan-2003
AT&T                            Unknown           15-Jan-2003
Avaya                           Unknown           15-Jan-2003
BSDI                            Vulnerable        15-Jan-2003
Cisco Systems Inc.              Not Vulnerable    15-Jan-2003
Computer Associates             Unknown           15-Jan-2003
Conectiva                       Vulnerable        28-Jan-2003
Cray Inc.                       Not Vulnerable    15-Jan-2003
D-Link Systems                  Unknown           15-Jan-2003
Data General                    Unknown           15-Jan-2003
Debian                          Vulnerable        20-Jan-2003
F5 Networks                     Unknown           15-Jan-2003
FreeBSD                         Unknown           15-Jan-2003
Fujitsu                         Not Vulnerable    20-Jan-2003
Gentoo Linux                    Vulnerable        20-Jan-2003
Guardian Digital Inc.           Unknown           15-Jan-2003
Hewlett-Packard Company         Not Vulnerable    15-Jan-2003
Hitachi                         Not Vulnerable    15-Jan-2003
IBM                             Not Vulnerable    15-Jan-2003
Ingrian Networks                Not Vulnerable    25-Mar-2003
Intel                           Unknown           15-Jan-2003
ISC                             Vulnerable        15-Jan-2003
Juniper Networks                Unknown           15-Jan-2003
Lachman                         Unknown           15-Jan-2003
Lotus Software                  Unknown           15-Jan-2003
Lucent Technologies             Unknown           15-Jan-2003
MandrakeSoft                    Vulnerable        20-Jan-2003
Microsoft Corporation           Not Vulnerable    28-Jan-2003
MontaVista Software             Not Vulnerable    15-Jan-2003
Multi-Tech Systems Inc.         Unknown           15-Jan-2003
NEC Corporation                 Not Vulnerable    15-Jan-2003
NetBSD                          Not Vulnerable    15-Jan-2003
NetScreen                       Not Vulnerable    15-Jan-2003
Network Appliance               Unknown           15-Jan-2003
Nokia                           Unknown           15-Jan-2003
Nortel Networks                 Unknown           15-Jan-2003
OpenBSD                         Not Vulnerable    15-Jan-2003
OpenPKG                         Vulnerable        20-Jan-2003
Openwall GNU/*/Linux            Not Vulnerable    15-Jan-2003
Red Hat Inc.                    Vulnerable        15-Jan-2003
Redback Networks Inc.           Unknown           15-Jan-2003
Riverstone Networks             Not Vulnerable    15-Jan-2003
Sequent                         Unknown           15-Jan-2003
SGI                             Unknown           15-Jan-2003
Slackware                       Vulnerable        21-Jan-2003
Sony Corporation                Unknown           15-Jan-2003
Sun Microsystems Inc.           Not Vulnerable    15-Jan-2003
SuSE Inc.                       Vulnerable        20-Jan-2003
The SCO Group (SCO Linux)       Unknown           15-Jan-2003
The SCO Group (SCO UnixWare)    Unknown           15-Jan-2003
Unisys                          Unknown           15-Jan-2003
Wind River Systems Inc.         Unknown           15-Jan-2003
Wirex                           Unknown           15-Jan-2003
Xerox Corporation               Not Vulnerable    26-Mar-2003

References


http://www.isc.org/products/DHCP/
http://www.ietf.org/rfc/rfc2131.txt

Credit

The CERT Coordination Center thanks David Hankins of the Internet Software Consortium for notifying us about this problem and for helping us to construct this document. We also thank Jacques A. Vidrine for drawing attention to this issue.

This document was written by Jeffrey P. Lanza.

Other Information

Date Public: 2003-01-15
Date First Published: 2003-01-15
Date Last Updated: 2003-03-26
CERT Advisory: CA-2003-01
CVE-ID(s): CAN-2003-0026
NVD-ID(s): CAN-2003-0026
US-CERT Technical Alerts:
Metric: 5.27
Document Revision: 20

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2003 Carnegie Mellon University