CERT Warns of DHCP Vulnerability
A format string bug has been detected in the Dynamic Host Configuration Protocol Daemon (DHCPD) server that may permit a remote attacker to execute code on vulnerable servers, the CERT Coordination Center warned on Wednesday.
The format string vulnerability in DHCPD, which is used to allocate network addresses and assign configuration parameters to hosts, would allow an attacker to execute code with the privileges of the DHCPD process.
In an advisory, CERT said it had not seen active scanning or exploitation of this vulnerability but urged that the DHCP service be disabled until vendor patches are implemented.
"As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Depending on your network configuration, you may not need to use DHCP," the Center said, urging that the scope of the vulnerability be limited by blocking access to DHCP services at the network perimeter.
The ISC has released version 3.0 of the DHCP protocol, which is available on its Web site.
Networking firms Alcatel and Conectiva confirmed the security vulnerability and promised updates with fixes. "Alcatel is aware of this security issue in the DHCP implementation of ISC and has put measures in place to assess which of its products might be affected and to apply the necessary fixes where required. An update will be shortly published to provide more details on any affected products," the company said.
Conectiva said its Linux 8 ships dhcp-3.0 and is therefore vulnerable to this problem, and promised updates on its FTP site.
Products shipped by Microsoft, IBM, Silicon Graphics, F5 Networks, NetBSD and Lotus Development Corp. are not affected by the vulnerability. The FreeBSD base system does not ship with the ISC DHCPD server by default and is not affected.
However, the ISC DHCPD server is available in the FreeBSD Ports Collection and the company said updates are in progress and corrected packages would be available soon.
The ISC's DHCPD listens for requests from client machines connecting to the network. Versions 3 to 3.0.1rc8 (inclusive) of DHCPD contain an option (NSUPDATE) that is enabled by default. In its advisory, CERT says NSUPDATE allows the DHCP server to send information about the host to the DNS server after processing a DHCP request. The DNS server responds by sending an acknowledgement message back to the DHCP server that may contain user-supplied data (like a host name). When the DHCP server receives the acknowledgement message from the DNS server, it logs the transaction.
It is within that format string that the vulnerability was detected, the Center said.
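
The logging step described above, where text from the DNS acknowledgement reaches a printf-style log call, is where this class of bug is fixed. The C sketch below is an added example and not ISC's code: `log_msg`, `log_dns_ack`, `count_directives` and `last_logged` are hypothetical names, and the host names used with it are constructed samples.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a daemon's printf-style log routine.
 * It formats into a buffer so the result can be inspected. */
static char last_log[256];

static int log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern (comment only, never compiled):
 *     log_msg(ack_text);
 * ack_text comes from the network, so any '%' directive in it is
 * interpreted by the formatter instead of being printed. */

/* Hardened form: the format is a constant and the untrusted text is
 * passed only as data for "%s". Returns the formatted length. */
int log_dns_ack(const char *ack_text)
{
    return log_msg("DNS update acknowledged for %s", ack_text);
}

/* Count printf conversion directives in untrusted text ("%%" is a
 * literal percent sign and is skipped). Useful for flagging suspicious
 * names before they reach any log call. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* skip the escaped percent */
        else
            n++;
    }
    return n;
}

/* Accessor for the most recent formatted log line. */
const char *last_logged(void) { return last_log; }
```

Compiling with `-Wformat -Wformat-security` on GCC or Clang flags calls that pass a non-literal string as the format argument.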