search menu icon-carat-right cmu-wordmark

CERT Coordination Center

ISC "dhcrelay" fails to limit hop count when malicious bootp packet is received

Vulnerability Note VU#149953

Original Release Date: 2003-02-04 | Last Revised: 2003-05-30

Overview

A vulnerability in the Internet Software Consortium's "dhcrelay" makes it possible for a remote attacker to use dhcrelay to launch a denial-of-service attack against a victim dhcp server.

Description

The Internet Software Consortium (ISC) produces a "freely redistributable reference implementation of all aspects of the DHCP protocol, through a suite of tools." One of these tools is a dhcp relay agent (dhcrelay). From the dhcrelay man page:

The Internet Software Consortium DHCP Relay Agent, dhcrelay, provides a means for relaying DHCP and BOOTP requests from a subnet to which no DHCP server is directly connected to one or more DHCP servers on other subnets. The DHCP Relay Agent listens for DHCP and BOOTP queries and responses. When a query is received from a client, dhcrelay forwards it to the list of DHCP servers specified on the command line. When a reply is received from a server, it is broadcast or unicast (according to the relay agent's ability or the client's request) on the network from which the original request came.
A vulnerability exists in the way dhcrelay processes incoming bootp requests. This vulnerability can allow a remote attacker to launch a denial-of-service attack against DHCP servers configured to communicate with the dhcrelay host. Debian Security Advisory DSA 245-1 succinctly summarizes the problem:
When the dhcp-relay receives a BOOTP request it forwards the request to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff which causes the network interface to reflect the packet back into the socket. To prevent loops the dhcrelay checks whether the relay-address is its own, in which case the packet would be dropped. In combination with a missing upper boundary for the hop counter an attacker can force the dhcp-relay to send a continuing packet storm towards the configured dhcp server(s).

Impact

A remote attacker can use dhcrelay to launch a denial-of-service attack against DHCP servers configured to communicate with the dhcrelay host.

Solution

Apply a patch from your vendor.

Vendor Information

149953
 
Affected   Unknown   Unaffected

Conectiva Linux

Updated:  April 07, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000616.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Updated:  February 04, 2003

Status

  Vulnerable

Vendor Statement

See http://www.debian.org/security/2003/dsa-245.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Internet Software Consortium

Notified:  February 04, 2003 Updated:  February 05, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenPKG

Updated:  February 26, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.012                                          19-Feb-2003
________________________________________________________________________

Package:             dhcpd
Vulnerability:       denial of service (packet storm)
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= dhcpd-3.0.1rc11-20030116 >= dhcpd-3.0.1rc11-20030219
OpenPKG 1.2          <= dhcpd-3.0.1rc11-1.2.0    >= dhcpd-3.0.1rc11-1.2.1
OpenPKG 1.1          <= dhcpd-3.0.1rc9-1.1.1     >= dhcpd-3.0.1rc9-1.1.2

Affected Releases:   Dependent Packages: none

Description:
 Florian Lohoff discovered a bug [0] in dhcrelay which is part of the
 ISC DHCP Distribution [1]. The bug is causing the relay agent to
 send a continuing packet storm towards the configured DHCP server(s)
 in case of a malicious BOOTP packet. The Common Vulnerabilities and
 Exposures (CVE) project assigned the id CAN-2003-0039 [2] to the
 problem.

  Our update does not ultimately fix the root cause of the problem.
 However, it improves dhcrelay's compliance to RFC1542 [10] by
 rigorously supporting the requirements listed in section "4.1.1
 BOOTREQUEST Messages" and thus limiting havoc wreaked to the network:

  "The relay agent MUST silently discard BOOTREQUEST messages whose
 'hops' field exceeds the value 16. A configuration option SHOULD be
 provided to set this threshold to a smaller value if desired by the
 network manager. The default setting for a configurable threshold
 SHOULD be 4."

  The added configuration option is named "-c". Its default value to 4
 and the allowed range of the value is between 0 and 16.

  Please check whether you are affected by running "<prefix>/bin/rpm
 -q dhcpd". If you have the "dhcpd" package installed and its version
 is affected (see above), we recommend that you immediately upgrade
 it (see Solution). [3][4]

Solution:
 Select the updated source RPM appropriate for your OpenPKG release
 [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
 location, verify its integrity [9], build a corresponding binary RPM
 from it [3] and update your OpenPKG installation by applying the binary
 RPM [4]. For the current release OpenPKG 1.1, perform the following
 operations to permanently fix the security problem (for other releases
 adjust accordingly).

  $ ftp ftp.openpkg.org
 ftp> bin
 ftp> cd release/1.2/UPD
 ftp> get dhcpd-3.0.1rc11-1.2.1.src.rpm
 ftp> bye
 $ <prefix>/bin/rpm -v --checksig dhcpd-3.0.1rc11-1.2.1.src.rpm
 $ <prefix>/bin/rpm --rebuild dhcpd-3.0.1rc11-1.2.1.src.rpm
 $ su -
 # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/dhcpd-3.0.1rc11-1.2.1.*.rpm
________________________________________________________________________

References:
 [0]
http://marc.theaimsgroup.com/?l=bugtraq&m=104310927813830&w=2
 [1]
http://www.isc.org/products/DHCP/dhcp-v3.html
 [2]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0039
 [3]
http://www.openpkg.org/tutorial.html#regular-source
 [4]
http://www.openpkg.org/tutorial.html#regular-binary
 [5]
ftp://ftp.openpkg.org/release/1.1/UPD/dhcpd-3.0.1rc9-1.1.2.src.rpm
 [6]
ftp://ftp.openpkg.org/release/1.2/UPD/dhcpd-3.0.1rc11-1.2.1.src.rpm
 [7]
ftp://ftp.openpkg.org/release/1.1/UPD/
 [8]
ftp://ftp.openpkg.org/release/1.2/UPD/
 [9]
http://www.openpkg.org/security.html#signature
 [10]
ftp://ftp.rfc-editor.org/in-notes/rfc1542.txt
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (
http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+U5MDgHWT4GPEy58RAu2qAKDMZ71rpxv4YgazQQw2fSi2mlfTIACfflr6
OF+yy6uSaCRuw/RlzUVzhic=
=kWcV
-----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Updated:  April 01, 2003

Status

  Vulnerable

Vendor Statement

Red Hat Linux 8.0 shipped with a dhcp package vulnerable to these issues. Updated dhcp packages are now available along with our advisory at the URL below. Other distributions of Red Hat Linux and Red Hat Enterprise Linux are not vulnerable to this issue. Users of the Red Hat Network can update their systems using the 'up2date' tool.

Red Hat Linux:
http://rhn.redhat.com/errata/RHSA-2003-034.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc.

Updated:  February 05, 2003

Status

  Not Vulnerable

Vendor Statement

Mac OS X and Mac OS X Server do not contain the vulnerability described in this report.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems Inc.

Updated:  February 13, 2003

Status

  Not Vulnerable

Vendor Statement

Cisco Systems products are not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  February 04, 2003 Updated:  February 05, 2003

Status

  Not Vulnerable

Vendor Statement

Source:

Hewlett-Packard Company Software Security Response Team

HP-UX - not vulnerable
HP-MPE/ix - not vulnerable
HP Tru64 UNIX - not vulnerable
HP OpenVMS - not vulnerable
HP NonStop Servers - not vulnerable

To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert@hp.com

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks

Notified:  February 04, 2003 Updated:  February 05, 2003

Status

  Not Vulnerable

Vendor Statement

Ingrian platforms are not succeptable to VU149953.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lotus Software

Updated:  February 05, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Lotus does not distribute a dhcrelay server.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Appliance

Updated:  February 04, 2003

Status

  Not Vulnerable

Vendor Statement

NetApp products are not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Xerox Corporation

Updated:  May 30, 2003

Status

  Not Vulnerable

Vendor Statement

A response to this advisory is available from our web site: http://www.xerox.com/security

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 12 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was discovered by Florian Lohoff and reported to the BugTraq mailing list on January 15, 2003.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2003-0039
Severity Metric: 8.10
Date Public: 2003-01-15
Date First Published: 2003-02-04
Date Last Updated: 2003-05-30 16:44 UTC
Document Revision: 17

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.