Vulnerability Note VU#854315

ISC DHCPD contains format string vulnerability when logging DNS-update requests

Overview

The DHCP daemon (DHCPD) is a server that is used to allocate network addresses and assign configuration parameters to dynamically configured hosts. A format string vulnerability may permit an intruder to execute code with the privileges of the DHCP daemon (typically root).

I. Description

The Internet Software Consortium (ISC) produces a DHCP server. DHCPD listens for requests from client machines connecting to the network. Versions 3 to 3.0.1rc8 inclusive of DHCPD contain an option (NSUPDATE) that is compiled in by default. NSUPDATE allows the DHCP server to send an update to the DNS server after processing a DHCP request. The DNS server responds by sending a message back to the DHCP server. The response from the DNS server can contain user-supplied data. When this message is received, the DHCP server logs the transaction. A format string vulnerability exists in the DHCPD code that logs the transaction. This vulnerability may permit an attacker to execute code with the privileges of the DHCP daemon.

II. Impact

A remote attacker can execute arbitrary code on the vulnerable host with the privileges of the DHCP server (DHCPD), typically root.

III. Solution

Obtain a patch from vendor.

If you cannot upgrade, apply the following patch.

--- common/print.c Tue Apr 9 13:41:17 2002
+++ common/print.c.patched Tue Apr 9 13:41:56 2002
@@ -1366,8 +1366,8 @@
*s++ = '.';
*s++ = 0;
if (errorp)
- log_error (obuf);
+ log_error ("%s",obuf);
else
- log_info (obuf);
+ log_info ("%s",obuf);
}
#endif /* NSUPDATE */

Systems Affected

Vendor	Status	Date Notified
3Com	Unknown	7-May-2002
Alcatel	Vulnerable	29-May-2002
Apple Computer Inc.	Not Vulnerable	14-May-2002
AT&T	Unknown	7-May-2002
Avaya	Unknown	7-May-2002
BSDI	Unknown	6-May-2002
CacheFlow Inc.	Unknown	7-May-2002
Check Point	Unknown	15-May-2002
Cisco Systems Inc.	Unknown	7-May-2002
Compaq Computer Corporation	Unknown	6-May-2002
Computer Associates	Unknown	7-May-2002
Conectiva	Vulnerable	13-May-2002
Cray Inc.	Not Vulnerable	13-May-2002
Data General	Unknown	6-May-2002
Debian	Unknown	6-May-2002
Dell	Unknown	7-May-2002
F5 Networks	Not Vulnerable	8-May-2002
FreeBSD	Vulnerable	7-May-2002
Fujitsu Limited	Not Vulnerable	14-May-2002
Guardian Digital Inc.	Unknown	6-May-2002
Hewlett-Packard Company	Not Vulnerable	8-May-2002
Honeywell	Unknown	7-May-2002
IBM	Not Vulnerable	7-May-2002
Inktomi Corporation	Unknown	7-May-2002
ISC	Vulnerable	8-May-2002
Lantronix	Unknown	7-May-2002
Linksys	Unknown	7-May-2002
Lotus Development Corporation	Not Vulnerable	8-May-2002
MandrakeSoft	Unknown	6-May-2002
Marconi	Unknown	7-May-2002
Microsoft Corporation	Not Vulnerable	8-May-2002
NEC Corporation	Not Vulnerable	14-May-2002
NetBSD	Vulnerable	8-May-2002
Nortel Networks	Not Vulnerable	9-May-2002
Novell	Unknown	15-May-2002
OpenBSD	Unknown	6-May-2002
Oracle	Unknown	7-May-2002
Red Hat Inc.	Not Vulnerable	31-May-2002
Sequent	Unknown	6-May-2002
SGI	Not Vulnerable	6-May-2002
Sony Corporation	Unknown	6-May-2002
Sun Microsystems Inc.	Not Vulnerable	10-Jun-2002
The SCO Group (SCO Linux)	Unknown	6-May-2002
The SCO Group (SCO UnixWare)	Unknown	6-May-2002
Unisys	Unknown	6-May-2002
Verilink	Unknown	7-May-2002
Wind River Systems Inc.	Unknown	7-May-2002
Xerox	Not Vulnerable	19-Jul-2002

References

http://www.ngsec.com/docs/advisories/NGSEC-2002-2.txt
http://www.isc.org/products/DHCP/
http://www.securityfocus.com/bid/4701

Credit

The CERT Coordination Center acknowledges Next Generation Security Technologies as the discoverer of this vulnerability and thanks them and The Internet Software Consortium (ISC) for their cooperation, reporting and analysis of this vulnerability.

This document was written by Ian A. Finlay.

Other Information

Date Public:	2002-05-08
Date First Published:	2002-05-08
Date Last Updated:	2003-01-13
CERT Advisory:	CA-2002-12
CVE-ID(s):	CAN-2002-0702
NVD-ID(s):	CAN-2002-0702
US-CERT Technical Alerts:
Metric:	46.17
Document Revision:	47

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader