Vulnerability Note VU#410676
ISC DHCP dhclient stack buffer overflow
The ISC DHCP dhclient application contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code with root privileges.
As described in RFC 2131, "The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network." ISC DHCP is a reference implementation of the DHCP protocol, including a DHCP server, client, and relay agent.
The ISC DHCP client code (dhclient) contains a stack buffer overflow in the script_write_params() method. dhclient fails to check the length of the server-supplied subnet-mask option before copying it into a buffer. According to ISC, the following versions are affected:
DHCP 4.0 (all versions)
DHCP 3.1 (all versions)
DHCP 3.0 (all versions)
DHCP 2.0 (all versions)
A rogue DHCP server may be able to execute arbitrary code with root privileges on a vulnerable client system.
Apply a patch or update from your vendor
There are no fixes planned for DHCP 3.0 or DHCP 2.0, as those release trains have reached End-Of-Life.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Gentoo Linux||Affected||23 Jun 2009||14 Jul 2009|
|Internet Security Systems, Inc.||Affected||23 Jun 2009||15 Jul 2009|
|NetBSD||Affected||23 Jun 2009||15 Jul 2009|
|Red Hat, Inc.||Affected||23 Jun 2009||16 Jul 2009|
|Ubuntu||Affected||23 Jun 2009||14 Jul 2009|
|Apple Inc.||Not Affected||23 Jun 2009||24 Jun 2009|
|Computer Associates eTrust Security Management||Not Affected||23 Jun 2009||25 Jun 2009|
|Force10 Networks, Inc.||Not Affected||23 Jun 2009||14 Jul 2009|
|Infoblox||Not Affected||23 Jun 2009||29 Jul 2009|
|Microsoft Corporation||Not Affected||23 Jun 2009||24 Jun 2009|
|PePLink||Not Affected||23 Jun 2009||20 Jul 2009|
|QNX, Software Systems, Inc.||Not Affected||23 Jun 2009||07 Jul 2009|
|SafeNet||Not Affected||23 Jun 2009||03 Jul 2009|
|SmoothWall||Not Affected||23 Jun 2009||25 Jun 2009|
|Sun Microsystems, Inc.||Not Affected||23 Jun 2009||26 Jun 2009|
CVSS Metrics (Learn More)
This vulnerability was reported by ISC, who in turn credit the Mandriva Linux Engineering Team with discovering and reporting the vulnerability.
This document was written by Will Dormann.
- CVE IDs: CVE-2009-0692
- Date Public: 14 Jul 2009
- Date First Published: 14 Jul 2009
- Date Last Updated: 29 Jul 2009
- Severity Metric: 19.95
- Document Revision: 27
If you have feedback, comments, or additional information about this vulnerability, please send us email.