
CERT Coordination Center


ISC dhclient vulnerability

Vulnerability Note VU#107886

Original Release Date: 2011-04-05 | Last Revised: 2011-05-06

Overview

The ISC dhclient contains a vulnerability that could allow a remote attacker to execute arbitrary code on the client machine.

Description

According to ISC:

ISC dhclient did not strip or escape certain shell meta-characters in responses from the dhcp server (like hostname) before passing the responses on to dhclient-script. Depending on the script and OS, this can result in execution of exploit code on the client.

Impact

An unauthenticated remote attacker could cause the ISC dhclient to execute arbitrary code on the client machine.

Solution

Apply an update

Users who obtain ISC DHCP from a third-party vendor, such as their operating system vendor, should see the vendor information portion of this document for a partial list of affected vendors.

This vulnerability is addressed in ISC DHCP versions 3.1-ESV-R1, 4.1-ESV-R2 and 4.2.1-P1. Users of ISC DHCP from the original source distribution should upgrade to one of these versions or later, as appropriate.

See also https://www.isc.org/software/dhcp/advisories/cve-2011-0997

According to ISC:
On SUSE systems, it is possible to disable hostname update by setting DHCLIENT_SET_HOSTNAME="no" in /etc/sysconfig/network/dhcp.
Other systems may add the following line to dhclient-script at the beginning of the set_hostname() function:

new_host_name=${new_host_name//[^-.a-zA-Z0-9]/}

In environments where filters/acls can be put into place to limit clients to accessing only legitimate dhcp servers, this will protect clients from rogue dhcp servers deliberately trying to exploit this bug. However, this will not protect from compromised servers.
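
The `${var//pattern/}` expansion in the workaround line above is a bash/ksh feature and is not available in plain POSIX sh. As an added example (not ISC's or CERT's code; the function names are hypothetical and the sample values are constructed), the same allow-list filter written portably with `tr`, logging when characters were stripped and rejecting a name that is empty after filtering:

```shell
#!/bin/sh
# Added example: allow-list filter for a DHCP-supplied host name, POSIX sh.
# Function names are hypothetical; they are not part of dhclient-script.

# Keep only the characters the workaround allows: letters, digits, '-' and '.'.
sanitize_host_name() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'a-zA-Z0-9.-'
}

# Succeeds (0) if the value is already clean, fails (1) if filtering changes it.
host_name_is_clean() {
    [ "$1" = "$(sanitize_host_name "$1")" ]
}

# Filter the value, note on stderr when something was stripped, and refuse
# to return an empty name so the caller keeps the current host name instead.
safe_host_name() {
    raw=$1
    clean=$(sanitize_host_name "$raw")
    if [ -z "$clean" ]; then
        echo "dhcp: host name empty after filtering, ignoring" >&2
        return 1
    fi
    if [ "$clean" != "$raw" ]; then
        echo "dhcp: stripped unexpected characters from server-supplied host name" >&2
    fi
    printf '%s\n' "$clean"
}

# Constructed sample values standing in for the server's host-name option.
for v in 'pc-7.example.org' 'web01;x' '$$'; do
    safe_host_name "$v" || echo "(rejected)"
done
```

A stripped or rejected value in the log is also a useful signal that a DHCP server on the segment is sending unexpected data.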

Vendor Information


Debian GNU/Linux

Updated:  April 25, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.debian.org/security/2011/dsa-2216
http://www.debian.org/security/2011/dsa-2217

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fedora Project

Updated:  April 25, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057888.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058279.html

Addendum

There are no additional comments at this time.


Internet Systems Consortium

Updated:  April 05, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.isc.org/software/dhcp/advisories/cve-2011-0997

Addendum

There are no additional comments at this time.


Mandriva S. A.

Updated:  April 25, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.mandriva.com/security/advisories?name=MDVSA-2011:073

Addendum

There are no additional comments at this time.


Red Hat, Inc.

Updated:  April 25, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.redhat.com/support/errata/RHSA-2011-0428.html

Addendum

There are no additional comments at this time.


Slackware Linux Inc.

Updated:  April 25, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.593345

Addendum

There are no additional comments at this time.


Ubuntu

Updated:  April 25, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.ubuntu.com/usn/USN-1108-1

Addendum

There are no additional comments at this time.


Wind River Systems, Inc.

Notified:  April 08, 2011 Updated:  May 06, 2011

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.



CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

Credit

Thanks to Sebastian Krahmer and Marius Tomaschewski at SUSE Security Team for reporting this vulnerability to Internet Systems Consortium.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2011-0997
Severity Metric: 11.34
Date Public: 2011-04-05
Date First Published: 2011-04-05
Date Last Updated: 2011-05-06 15:22 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.