The DHCP daemon (DHCPD) is a server that is used to allocate network addresses and assign configuration parameters to dynamically configured hosts. A format string vulnerability may permit an intruder to execute code with the privileges of the DHCP daemon (typically root).
The Internet Software Consortium (ISC) produces a DHCP server. DHCPD listens for requests from client machines connecting to the network. Versions 3 to 3.0.1rc8 inclusive of DHCPD contain an option (NSUPDATE) that is compiled in by default. NSUPDATE allows the DHCP server to send an update to the DNS server after processing a DHCP request. The DNS server responds by sending a message back to the DHCP server. The response from the DNS server can contain user-supplied data. When this message is received, the DHCP server logs the transaction. A format string vulnerability exists in the DHCPD code that logs the transaction. This vulnerability may permit an attacker to execute code with the privileges of the DHCP daemon.
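The bug class described above, shown as an added example that is not ISC's code or the vendor patch: a printf-style logger is handed text from a network reply as its format string, next to the form that passes the same text as an argument to a constant format. The names `log_line`, `log_status_unsafe`, `log_status_safe` and the sample reply are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger: formats one log line into out. */
static int log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable pattern: text derived from a network reply is used AS the
 * format string, so any conversion specifier inside it is interpreted. */
static void log_status_unsafe(char *out, size_t n, const char *reply_text)
{
    log_line(out, n, reply_text);
}

/* Hardened pattern: the format is a constant and the untrusted text is
 * only ever an argument, so it is copied into the log verbatim. */
static void log_status_safe(char *out, size_t n, const char *reply_text)
{
    log_line(out, n, "%s", reply_text);
}

/* Constructed sample reply text. It contains "%%", the one conversion
 * that consumes no argument, so running the unsafe path is well defined
 * while still showing that the logger parses the data as a format. */
static const char SAMPLE_REPLY[] =
    "update for host-100%%.example.test: NOERROR";

int main(void)
{
    char a[128], b[128];

    log_status_unsafe(a, sizeof a, SAMPLE_REPLY);
    log_status_safe(b, sizeof b, SAMPLE_REPLY);
    printf("unsafe: %s\nsafe:   %s\n", a, b);

    /* Exit 0 when the two lines differ, i.e. the unsafe path altered
     * the attacker-influenced text instead of logging it as data. */
    return strcmp(a, b) == 0;
}
```

Declaring such a logger with the GCC/Clang `format(printf, ...)` function attribute and building with `-Wformat-security` makes the compiler flag the call in `log_status_unsafe`.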
A remote attacker can execute arbitrary code on the vulnerable host with the privileges of the DHCP server (DHCPD), typically root.
Obtain a patch from your vendor.
If you cannot upgrade, apply the following patch.
--- common/print.c Tue Apr 9 13:41:17 2002
Apple Computer Inc. Not Affected
Cray Inc. Not Affected
F5 Networks Not Affected
Fujitsu Limited Not Affected
Hewlett-Packard Company Not Affected
IBM Not Affected
Lotus Development Corporation Not Affected
Microsoft Corporation Not Affected
NEC Corporation Not Affected
Nortel Networks Not Affected
Red Hat Inc. Not Affected
SGI Not Affected
Sun Microsystems Inc. Not Affected
Xerox Not Affected
CacheFlow Inc. Unknown
Check Point Unknown
Cisco Systems Inc. Unknown
Compaq Computer Corporation Unknown
Computer Associates Unknown
Data General Unknown
Guardian Digital Inc. Unknown
Inktomi Corporation Unknown
Sony Corporation Unknown
The SCO Group (SCO Linux) Unknown
The SCO Group (SCO UnixWare) Unknown
Wind River Systems Inc. Unknown
The CERT Coordination Center acknowledges Next Generation Security Technologies as the discoverer of this vulnerability and thanks them and The Internet Software Consortium (ISC) for their cooperation, reporting and analysis of this vulnerability.
This document was written by Ian A. Finlay.