The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) 3 application contains a vulnerability that introduces several potential buffer overflow conditions. Exploitation of this vulnerability can cause a denial-of-service condition to the DHCP Daemon (DHCPD) and may permit a remote attacker to execute arbitrary code on the system with the privileges of the DHCPD process.
ISC DHCP makes use of the vsnprintf() for writing various log file strings. For systems that do not support vsnprintf(), a C include file was created that defines the vsnprintf() function to vsprintf() as such:
#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
As with VU#317350, all versions of ISC DHCP 3, including all snapshots, betas, and release candidates, contain the flawed code. However, it is not believed that these versions are exploitable because they discard all but the last hostname option provided by the client.
A remote attacker with the ability to send a crafted packet to the DHCPD listening port (typically port 67/UDP) may be able to crash the ISC DHCP daemon, causing a denial of service. It may be possible to execute arbitrary code on the vulnerable server with the privileges of the DHCPD process (typically root).
ISC has released DHCP 3.0.1rc14, which resolves this issue. For systems that do not support vsnprintf(), DHCP now implements its own bounded function. DHCP will not compile and link if it does not believe that it is linking to a bounds-checking function. Versions prior to ISC DHCP 3 are no longer supported. All users of ISC DHCP are encouraged to update to the latest version.
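The following is an added example, not code from ISC DHCP or from this advisory. It reproduces the shim described above (a vsnprintf() macro that silently drops the size argument and calls vsprintf()), places a bounded formatter beside it, and runs the kind of self-check the fix relies on: a formatter is handed a buffer with a nominal size and a canary region behind it, and any canary byte that changes proves the bound was ignored. The function names, the 8-byte nominal bound, and the sample hostname strings are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The shim the advisory describes: the size argument is discarded, so a
 * "bounded" call is really an unbounded vsprintf(). Reproduced only to
 * demonstrate the defect; it must not be used in real code. */
#define unsafe_vsnprintf(buf, size, fmt, list) vsprintf(buf, fmt, list)

/* Bounded formatter: never writes more than size bytes and always
 * NUL-terminates. Returns 1 if the output was truncated, 0 otherwise. */
static int bounded_format(char *buf, size_t size, const char *fmt, ...) {
    va_list ap;
    int n;
    if (size == 0) return 1;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0) { buf[0] = '\0'; return 1; }
    return (size_t)n >= size;
}

/* Formatter built on the flawed macro: the size argument is accepted but
 * has no effect on how much is written. */
static int unsafe_format(char *buf, size_t size, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    unsafe_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return 0;
}

typedef int (*fmt_fn)(char *, size_t, const char *, ...);

/* Self-check in the spirit of the fix: a large backing buffer carries a
 * canary region after the nominal bound, so an unbounded write is caught
 * without any real memory corruption. Returns 1 if the formatter honoured
 * its bound, 0 if it wrote past it. */
static int formatter_is_bounded(fmt_fn fn) {
    enum { NOMINAL = 8, BACKING = 64 };
    char backing[BACKING];
    /* constructed input, longer than the nominal bound but shorter than BACKING */
    const char *long_input = "hostname-much-longer-than-eight-bytes";
    memset(backing, 'X', sizeof backing);
    fn(backing, NOMINAL, "%s", long_input);
    for (size_t i = NOMINAL; i < BACKING; i++)
        if (backing[i] != 'X') return 0;
    return 1;
}

int main(void) {
    char out[8];
    int truncated = bounded_format(out, sizeof out, "%s", "a-long-hostname");
    printf("bounded_format -> \"%s\" truncated=%d\n", out, truncated);
    printf("bounded_format honours its bound: %d\n",
           formatter_is_bounded(bounded_format));
    printf("unsafe_format honours its bound:  %d\n",
           formatter_is_bounded(unsafe_format));
    return 0;
}
```

The canary check is the useful part for a build or test pipeline: run it against whatever vsnprintf() replacement the platform provides and fail the build when it returns 0, which is the same effect the advisory describes for the fixed release refusing to link against a non-bounds-checking function.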
Vendor: Status
Fedora Project: Affected
SuSE Inc.: Affected
Apple Computer Inc.: Not Affected
Aruba Networks: Not Affected
Check Point: Not Affected
Cisco Systems Inc.: Not Affected
Extreme Networks: Not Affected
Hitachi: Not Affected
IBM: Not Affected
Juniper Networks: Not Affected
Microsoft Corporation: Not Affected
NetBSD: Not Affected
Nominum: Not Affected
Red Hat Inc.: Not Affected
Redback Networks Inc.: Not Affected
Avici Systems Inc.: Unknown
Charlotte's Web Networks: Unknown
Chiaro Networks: Unknown
Cray Inc.: Unknown
D-Link Systems: Unknown
Data Connection: Unknown
EMC Corporation: Unknown
F5 Networks: Unknown
Foundry Networks Inc.: Unknown
Hewlett-Packard Company: Unknown
IBM eServer: Unknown
Ingrian Networks: Unknown
Internet Software Consortium: Unknown
Lucent Technologies: Unknown
MontaVista Software: Unknown
Multi-Tech Systems Inc.: Unknown
NEC Corporation: Unknown
Nortel Networks: Unknown
Openwall GNU/*/Linux: Unknown
Riverstone Networks: Unknown
Sony Corporation: Unknown
Sun Microsystems Inc.: Unknown
Wind River Systems Inc.: Unknown
Thanks to Gregory Duchemin and Solar Designer for discovering, reporting, and resolving this vulnerability. Thanks also to David Hankins of ISC for notifying us of this vulnerability and for the technical information provided to create this document.
This document was created by Jason A. Rafail and is based on technical information provided by David Hankins of ISC.
Date First Published: 2004-06-22
Date Last Updated: 2004-07-21 14:34 UTC