SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#448384

ISC DHCP contains a format string vulnerabilty in errwarn.c

Overview

The Internet Systems Consortium (ISC) Dynamic Host Configuration Protocol (DHCP) application contains a format string vulnerability in errwarn.c that could allow an attacker to execute arbitrary code.

I. Description

As described in RFC 2131, "The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network." ISC DHCP is a reference implementation of the DHCP protocol, including a DHCP server, client, and relay agent.

The code that handles error and warning messages (errwarn.c) contains several instances of a format string vulnerability. An insufficient number of parameters is passed to the syslog function, which creates the format string vulnerability. The vulnerable code is used by the DHCP client, server, and relay.

II. Impact

A remote, unauthenticated attacker may be able to execute code on the DHCP server with the privileges of the DHCPD process (typically root). An attacker may also be able to execute code on a system running the DHCP client or agent, since these also use the vulnerable code in errwarn.c.

III. Solution

Apply a patch or update from your vendor

For vendor-specific information regarding vulnerable status and patch availability, please see the Systems Affected section of this document.

Upgrade your version of DHCP

Upgrade your system as specified by your vendor. If you need to upgrade DHCP manually, get DHCP 3.0.1. This vulnerability affects DHCP 2.0pl5 and prior, and 3.0b1-pl17 and prior.

Ingress filtering

It may be possible to limit the scope of this vulnerability by blocking access to DHCP services at the network perimeter.

Ingress filtering manages the flow of traffic as it enters a network under your administrative control. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. For DHCP, ingress filtering of the following ports can prevent attackers outside of your network from reaching vulnerable devices in the local network that are not explicitly authorized to provide public DHCP services.

bootps 67/tcp # Bootstrap Protocol Server
bootps 67/udp # Bootstrap Protocol Server
bootpc 68/tcp # Bootstrap Protocol Client
bootpc 68/udp # Bootstrap Protocol Client

Systems Affected

VendorStatusDate NotifiedDate Updated
Apple Computer Inc.Unknown17-Dec-2004
ConectivaUnknown17-Dec-2004
Cray Inc.Unknown17-Dec-2004
DebianUnknown17-Dec-2004
EMC CorporationUnknown17-Dec-2004
EngardeUnknown17-Dec-2004
F5 NetworksUnknown17-Dec-2004
FreeBSDUnknown17-Dec-2004
FujitsuUnknown17-Dec-2004
HitachiNot Vulnerable22-Dec-2004
IBMUnknown17-Dec-2004
IBM-zSeriesUnknown17-Dec-2004
IBM eServerUnknown17-Dec-2004
ImmunixUnknown17-Dec-2004
Ingrian NetworksUnknown17-Dec-2004
ISCVulnerable16-Dec-2004
Juniper NetworksUnknown17-Dec-2004
MandrakeSoftUnknown17-Dec-2004
Microsoft CorporationUnknown17-Dec-2004
MontaVista SoftwareVulnerable17-Dec-2004
NEC CorporationNot Vulnerable9-Mar-2005
NETBSDUnknown17-Dec-2004
NokiaUnknown17-Dec-2004
NovellUnknown17-Dec-2004
OpenBSDUnknown17-Dec-2004
Openwall GNU/*/LinuxUnknown17-Dec-2004
Red Hat Inc.Vulnerable1-Aug-2005
SCOUnknown17-Dec-2004
SequentUnknown17-Dec-2004
SGINot Vulnerable22-Dec-2004
Sony CorporationUnknown17-Dec-2004
Sun Microsystems Inc.Unknown17-Dec-2004
SuSE Inc.Unknown17-Dec-2004
TurboLinuxUnknown17-Dec-2004
UnisysUnknown17-Dec-2004
Wind River Systems Inc.Unknown17-Dec-2004

References


http://www.securityfocus.com/bid/11591
http://xforce.iss.net/xforce/xfdb/17963
http://osvdb.org/displayvuln.php?osvdb_id=11527
http://marc.theaimsgroup.com/?l=dhcp-announce&m=109996073218290&w=2

Credit

This vulnerability was publicly disclosed by infamous41md.

This document was written by Will Dormann.

Other Information

Date Public:2004-11-08
Date First Published:2005-03-09
Date Last Updated:2005-08-01
CERT Advisory: 
CVE-ID(s):CAN-2004-1006
NVD-ID(s):CAN-2004-1006
US-CERT Technical Alerts: 
Metric:10.26
Document Revision:20

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2005 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader