Vulnerability Note VU#854315
ISC DHCPD contains format string vulnerability when logging DNS-update requests
Overview
The DHCP daemon (DHCPD) is a server that is used to allocate network addresses and assign configuration parameters to dynamically configured hosts. A format string vulnerability may permit an intruder to execute code with the privileges of the DHCP daemon (typically root).
Description
The Internet Software Consortium (ISC) produces a DHCP server. DHCPD listens for requests from client machines connecting to the network. Versions 3 to 3.0.1rc8 inclusive of DHCPD contain an option (NSUPDATE) that is compiled in by default. NSUPDATE allows the DHCP server to send an update to the DNS server after processing a DHCP request. The DNS server responds by sending a message back to the DHCP server. The response from the DNS server can contain user-supplied data. When this message is received, the DHCP server logs the transaction. A format string vulnerability exists in the DHCPD code that logs the transaction. This vulnerability may permit an attacker to execute code with the privileges of the DHCP daemon. |
Impact
A remote attacker can execute arbitrary code on the vulnerable host with the privileges of the DHCP server (DHCPD), typically root. |
Solution
Obtain a patch from vendor. |
If you cannot upgrade, apply the following patch. --- common/print.c Tue Apr 9 13:41:17 2002 |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Alcatel | Affected | 07 May 2002 | 29 May 2002 |
| Conectiva | Affected | - | 13 May 2002 |
| FreeBSD | Affected | 06 May 2002 | 07 May 2002 |
| ISC | Affected | - | 08 May 2002 |
| NetBSD | Affected | 06 May 2002 | 08 May 2002 |
| Apple Computer Inc. | Not Affected | 06 May 2002 | 14 May 2002 |
| Cray Inc. | Not Affected | 06 May 2002 | 13 May 2002 |
| F5 Networks | Not Affected | 07 May 2002 | 08 May 2002 |
| Fujitsu Limited | Not Affected | 06 May 2002 | 14 May 2002 |
| Hewlett-Packard Company | Not Affected | 06 May 2002 | 08 May 2002 |
| IBM | Not Affected | 06 May 2002 | 07 May 2002 |
| Lotus Development Corporation | Not Affected | 07 May 2002 | 08 May 2002 |
| Microsoft Corporation | Not Affected | 07 May 2002 | 08 May 2002 |
| NEC Corporation | Not Affected | 06 May 2002 | 14 May 2002 |
| Nortel Networks | Not Affected | 07 May 2002 | 09 May 2002 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.ngsec.com/docs/advisories/NGSEC-2002-2.txt
- http://www.isc.org/products/DHCP/
- http://www.securityfocus.com/bid/4701
Credit
The CERT Coordination Center acknowledges Next Generation Security Technologies as the discoverer of this vulnerability and thanks them and The Internet Software Consortium (ISC) for their cooperation, reporting and analysis of this vulnerability.
This document was written by Ian A. Finlay.
Other Information
- CVE IDs: CAN-2002-0702
- CERT Advisory: CA-2002-12
- Date Public: 08 May 2002
- Date First Published: 08 May 2002
- Date Last Updated: 13 Jan 2003
- Severity Metric: 46.17
- Document Revision: 47
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.