Vulnerability Note VU#410676

ISC DHCP dhclient stack buffer overflow

Original Release date: 14 Jul 2009 | Last revised: 29 Jul 2009

Overview

The ISC DHCP dhclient application contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code with root privileges.

Description

As described in RFC 2131, "The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network." ISC DHCP is a reference implementation of the DHCP protocol, including a DHCP server, client, and relay agent.

The ISC DHCP client code (dhclient) contains a stack buffer overflow in the script_write_params() function. dhclient fails to check the length of the server-supplied subnet-mask option before copying it into a buffer. According to ISC, the following versions are affected:

    DHCP 4.1 (all versions)
    DHCP 4.0 (all versions)
    DHCP 3.1 (all versions)
    DHCP 3.0 (all versions)
    DHCP 2.0 (all versions)
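
The length check described above, written as an added example for illustration; it is not ISC's code or the vendor patch. The option codes and the 4-octet subnet-mask length come from RFC 2132; the function name, result codes and sample buffers are hypothetical and constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Option codes from RFC 2132; all other names here are hypothetical. */
#define OPT_PAD 0
#define OPT_SUBNET_MASK 1 /* value is always 4 octets */
#define OPT_END 255

enum { MASK_OK = 0, MASK_ABSENT = 1, MASK_BAD_LENGTH = -1, MASK_TRUNCATED = -2 };

/* Walk the options field (bytes after the magic cookie) and copy the subnet
 * mask into out[4] only when its length octet is exactly 4. */
static int extract_subnet_mask(const uint8_t *opts, size_t len, uint8_t out[4])
{
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD) continue;             /* pad has no length octet */
        if (code == OPT_END) break;
        if (i >= len) return MASK_TRUNCATED;       /* length octet missing */
        uint8_t olen = opts[i++];
        if (olen > len - i) return MASK_TRUNCATED; /* value overruns the field */
        if (code == OPT_SUBNET_MASK) {
            if (olen != 4) return MASK_BAD_LENGTH; /* reject before any copy */
            memcpy(out, opts + i, 4);
            return MASK_OK;
        }
        i += olen;                                 /* skip unrelated options */
    }
    return MASK_ABSENT;
}

/* Constructed sample option fields, not captured traffic. */
static const uint8_t sample_ok[] = {53, 1, 5, 1, 4, 255, 255, 255, 0, 255};
static const uint8_t sample_oversized[] = {1, 8, 255, 255, 255, 0, 1, 2, 3, 4, 255};
static const uint8_t sample_truncated[] = {1, 4, 255, 255};
static const uint8_t sample_absent[] = {0, 0, 53, 1, 5, 255};
static uint8_t demo_mask[4];

int main(void)
{
    printf("ok=%d oversized=%d truncated=%d absent=%d\n",
           extract_subnet_mask(sample_ok, sizeof sample_ok, demo_mask),
           extract_subnet_mask(sample_oversized, sizeof sample_oversized, demo_mask),
           extract_subnet_mask(sample_truncated, sizeof sample_truncated, demo_mask),
           extract_subnet_mask(sample_absent, sizeof sample_absent, demo_mask));
    return 0;
}
```

The same test (option code 1 with a length octet other than 4) can be applied to DHCP replies seen on the wire to flag a server sending malformed subnet-mask options.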

Impact

A rogue DHCP server may be able to execute arbitrary code with root privileges on a vulnerable client system.

Solution

Apply a patch or update from your vendor

For vendor-specific information regarding vulnerable status and patch availability, please see the Systems Affected section of this document.

Upgrade your version of DHCP

Upgrade your system as specified by your vendor. If you need to upgrade DHCP manually, according to ISC:

    Upgrade to 4.1.0p1, 4.0.1p1, or 3.1.2p1

    There are no fixes planned for DHCP 3.0 or DHCP 2.0, as those release trains have reached End-Of-Life.

Systems Affected

Vendor                                          Status        Date Notified  Date Updated
Gentoo Linux                                    Affected      23 Jun 2009    14 Jul 2009
Internet Security Systems, Inc.                 Affected      23 Jun 2009    15 Jul 2009
NetBSD                                          Affected      23 Jun 2009    15 Jul 2009
Red Hat, Inc.                                   Affected      23 Jun 2009    16 Jul 2009
Ubuntu                                          Affected      23 Jun 2009    14 Jul 2009
Apple Inc.                                      Not Affected  23 Jun 2009    24 Jun 2009
Computer Associates eTrust Security Management  Not Affected  23 Jun 2009    25 Jun 2009
Force10 Networks, Inc.                          Not Affected  23 Jun 2009    14 Jul 2009
Infoblox                                        Not Affected  23 Jun 2009    29 Jul 2009
Microsoft Corporation                           Not Affected  23 Jun 2009    24 Jun 2009
PePLink                                         Not Affected  23 Jun 2009    20 Jul 2009
QNX, Software Systems, Inc.                     Not Affected  23 Jun 2009    07 Jul 2009
SafeNet                                         Not Affected  23 Jun 2009    03 Jul 2009
SmoothWall                                      Not Affected  23 Jun 2009    25 Jun 2009
Sun Microsystems, Inc.                          Not Affected  23 Jun 2009    26 Jun 2009

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

This vulnerability was reported by ISC, who in turn credit the Mandriva Linux Engineering Team with discovering and reporting the vulnerability.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2009-0692
  • Date Public: 14 Jul 2009
  • Date First Published: 14 Jul 2009
  • Date Last Updated: 29 Jul 2009
  • Severity Metric: 19.95
  • Document Revision: 27
