Vulnerability Note VU#317350
ISC DHCP contains a stack buffer overflow vulnerability in handling log lines containing ASCII characters only
Overview
The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) 3 application contains a buffer overflow vulnerability. Exploitation of this vulnerability can cause a denial of service condition to the DHCP Daemon (DHCPD) and may permit a remote attacker to execute arbitrary code on the system with the privileges of the DHCPD process.
Description
As described in RFC 2131, "the Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network." ISC DHCPD syslogs every DHCP packet in transactions along with several pieces of descriptive information. The client's DISCOVER and the resulting OFFER, REQUEST, and ACK are all logged as well as any NAKs. In all of these messages, if the client supplied a hostname then it is also included in the logged line. If the client supplies multiple hostname options these options will be concatenated together. If the hostname and options contain only ASCII characters, then the string will pass non-ASCII character filters and be temporarily stored in 1024 byte fixed-length buffers on the stack. |
Impact
A remote attacker with the ability to send a crafted packet to the DHCPD listening port (typically port 67/UDP), may be able to crash the ISC DHCP daemon, causing a denial of service. It may be possible to execute arbitrary code on the vulnerable server with the privileges of the DHCPD process (typically root). |
Solution
ISC has released DHCP 3.0.1rc14 which resolves this issue. Versions prior to ISC DHCP 3 are no longer supported. All users of ISC DHCP are encouraged to update to the latest version. |
Systems Affected (Learn More)
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Fedora Project | Affected | 10 Jun 2004 | 22 Jun 2004 |
InfoBlox | Affected | 11 Jun 2004 | 13 Jul 2004 |
ISC | Affected | - | 22 Jun 2004 |
MandrakeSoft | Affected | 10 Jun 2004 | 23 Jun 2004 |
SuSE Inc. | Affected | 10 Jun 2004 | 23 Jun 2004 |
Apple Computer Inc. | Not Affected | 10 Jun 2004 | 22 Jun 2004 |
Aruba Networks | Not Affected | 10 Jun 2004 | 23 Jun 2004 |
Check Point | Not Affected | 11 Jun 2004 | 22 Jun 2004 |
Chiaro Networks | Not Affected | 11 Jun 2004 | 22 Jun 2004 |
Cisco Systems Inc. | Not Affected | 10 Jun 2004 | 24 Jun 2004 |
Extreme Networks | Not Affected | 11 Jun 2004 | 22 Jun 2004 |
F5 Networks | Not Affected | 11 Jun 2004 | 22 Jun 2004 |
Hewlett-Packard Company | Not Affected | 10 Jun 2004 | 22 Jun 2004 |
Hitachi | Not Affected | - | 22 Jun 2004 |
IBM | Not Affected | 10 Jun 2004 | 22 Jun 2004 |
CVSS Metrics (Learn More)
Group | Score | Vector |
---|---|---|
Base | N/A | N/A |
Temporal | N/A | N/A |
Environmental | N/A | N/A |
References
- None
Credit
Thanks to Gregory Duchemin and Solar Designer for discovering, reporting and resolving this vulnerability. Thanks also to David Hankins of ISC for notifying us of this vulnerability and the technical information provided to create this document.
This document was created by Jason A Rafail and based on the technical information provided by David Hankins of ISC.
Other Information
- CVE IDs: CAN-2004-0460
- Date Public: 22 Jun 2004
- Date First Published: 22 Jun 2004
- Date Last Updated: 13 Jul 2004
- Severity Metric: 25.51
- Document Revision: 16
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.