
[linux-security] remote root exploit in dhcp server



Topic
=====
- remote root exploit possible on dhcp servers
- denial of Service attack possible against dhcp server

Problem Description
===================
Several vulnerabilities affect the ISC (Internet Software Consortium)
DHCP (Dynamic Host Configuration Protocol) server. DHCP is a protocol
which allows devices to get their own network configuration information
from a server.

1) Vulnerabilities exist in error handling routines within the minires
library and may be exploitable as stack overflows.  This could allow a
remote attacker to execute arbitrary code under the user id the dhcpd
runs under, usually root.

2) When the dhcp-relay receives a BOOTP request it forwards the request
to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff
which causes the network interface to reflect the packet back into the
socket.  To prevent loops the dhcrelay checks whether the
relay-address is its own, in which case the packet would be dropped.
In combination with a missing upper boundary for the hop counter an
attacker can force the dhcp-relay to send a continuing packet storm
towards the configured dhcp server(s) [such a packet storm may be
caused by buggy Cisco switches].
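
The forwarding decision from problem 2), with the hop-count bound in
place, as an added example (not code from ISC dhcp or from this
advisory). The function names, the MAX_HOPS value of 16 and the sample
addresses are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BOOTP fixed-header offsets and opcode (RFC 951 layout). */
enum { OFF_OP = 0, OFF_HOPS = 3, OFF_GIADDR = 24, BOOTP_MIN_LEN = 236, BOOTREQUEST = 1 };
enum { MAX_HOPS = 16 };   /* assumed threshold, not taken from the advisory */

enum relay_action { RELAY_FORWARD, RELAY_DROP_SHORT, RELAY_DROP_NOT_REQUEST,
                    RELAY_DROP_LOOP, RELAY_DROP_HOPS };

/* Decide what a relay does with one received packet; edits pkt on forward. */
enum relay_action relay_decide(uint8_t *pkt, size_t len, const uint8_t own[4])
{
    static const uint8_t unset[4] = {0, 0, 0, 0};
    if (len < BOOTP_MIN_LEN)
        return RELAY_DROP_SHORT;
    if (pkt[OFF_OP] != BOOTREQUEST)
        return RELAY_DROP_NOT_REQUEST;
    /* Loop check described in the advisory: relay address is our own. */
    if (memcmp(pkt + OFF_GIADDR, own, 4) == 0)
        return RELAY_DROP_LOOP;
    /* The bound the advisory reports as missing. */
    if (pkt[OFF_HOPS] >= MAX_HOPS)
        return RELAY_DROP_HOPS;
    if (memcmp(pkt + OFF_GIADDR, unset, 4) == 0)
        memcpy(pkt + OFF_GIADDR, own, 4);   /* first relay stamps its address */
    pkt[OFF_HOPS]++;
    return RELAY_FORWARD;
}

/* Feed the same packet back in, as a reflecting interface would, and count
 * how many times it is forwarded before being dropped (capped at limit). */
int forwards_until_drop(uint8_t *pkt, size_t len, const uint8_t own[4], int limit)
{
    int n = 0;
    while (n < limit && relay_decide(pkt, len, own) == RELAY_FORWARD)
        n++;
    return n;
}

int main(void)
{
    const uint8_t own[4] = {192, 0, 2, 1};   /* constructed relay address */
    /* Constructed request that already carries another relay address. */
    uint8_t pkt[BOOTP_MIN_LEN] = {[OFF_OP] = BOOTREQUEST, [OFF_GIADDR] = 198, 51, 100, 7};
    printf("forwards before drop: %d\n", forwards_until_drop(pkt, sizeof pkt, own, 1000));
    return 0;
}
```

Without the MAX_HOPS test the counting loop only stops at its own limit,
which is the packet storm described above.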

Affected Versions
=================
ISC dhcp-3.0

Solution
========
Upgrade to the patched version for your distribution.
Currently only Debian provides a patch for problems 1) and 2).
All other upgrade packages listed below only fix problem 1), i.e.,
the remote root exploit.

Debian 3.0 (woody)
------------------
upgrade to dhcp3-common_3.0+3.0.1rc9-2.2_i386.deb,
           dhcp3-server_3.0+3.0.1rc9-2.2_i386.deb,
           dhcp3-client_3.0+3.0.1rc9-2.2_i386.deb,
           dhcp3-relay_3.0+3.0.1rc9-2.2_i386.deb,
           dhcp3-dev_3.0+3.0.1rc9-2.2_i386.deb

SuSE-7.2
--------
rpm -Fvh dhcp-3.0rc4-32.i386.rpm \
         dhcp-devel-3.0rc4-32.i386.rpm \
         dhcrelay-3.0rc4-32.i386.rpm \
         dhclient-3.0rc4-32.i386.rpm

SuSE-7.3
--------
rpm -Fvh dhcp-3.0rc12-56.i386.rpm \
         dhcp-devel-3.0rc12-56.i386.rpm \
         dhcrelay-3.0rc12-56.i386.rpm \
         dhclient-3.0rc12-56.i386.rpm

SuSE-8.0
--------
rpm -Fvh dhcp-base-3.0.1rc6-15.i386.rpm \
         dhcp-server-3.0.1rc6-10.i386.rpm

SuSE-8.1
--------
rpm -Fvh dhcp-base-3.0.1rc9-59.i586.rpm \
         dhcp-server-3.0.1rc9-59.i586.rpm \
         dhcp-devel-3.0.1rc9-59.i586.rpm \
         dhcp-relay-3.0.1rc9-59.i586.rpm \
         dhcp-client-3.0.1rc9-59.i586.rpm

RedHat 8.0
----------
rpm -Fvh dhcp-3.0pl1-15.i386.rpm \
         dhclient-3.0pl1-15.i386.rpm \
         dhcp-devel-3.0pl1-15.i386.rpm

Mandrake 7.2
------------
rpm -Fvh dhcp-3.0b2pl9-4.2mdk.i586.rpm \
         dhcp-client-3.0b2pl9-4.2mdk.i586.rpm \
         dhcp-relay-3.0b2pl9-4.2mdk.i586.rpm

Mandrake 8.1
------------
rpm -Fvh dhcp-server-3.0-0.rc12.2.2mdk.i586.rpm \
         dhcp-common-3.0-0.rc12.2.2mdk.i586.rpm \
         dhcp-client-3.0-0.rc12.2.2mdk.i586.rpm \
         dhcp-relay-3.0-0.rc12.2.2mdk.i586.rpm \
         dhcp-devel-3.0-0.rc12.2.2mdk.i586.rpm

Mandrake 8.2
------------
rpm -Fvh dhcp-server-3.0-1rc8.2.2mdk.i586.rpm \
         dhcp-common-3.0-1rc8.2.2mdk.i586.rpm \
         dhcp-client-3.0-1rc8.2.2mdk.i586.rpm \
         dhcp-relay-3.0-1rc8.2.2mdk.i586.rpm \
         dhcp-devel-3.0-1rc8.2.2mdk.i586.rpm

Mandrake 9.0
------------
rpm -Fvh dhcp-server-3.0-1rc9.3mdk.i586.rpm \
         dhcp-common-3.0-1rc9.3mdk.i586.rpm \
         dhcp-client-3.0-1rc9.3mdk.i586.rpm \
         dhcp-relay-3.0-1rc9.3mdk.i586.rpm \
         dhcp-devel-3.0-1rc9.3mdk.i586.rpm