CERT Warns of DHCP Vulnerability

A format string bug has been detected in the Dynamic Host
Configuration Protocol Daemon (DHCPD) server that may permit a remote
attacker to execute code on vulnerable servers, the CERT Coordination Center warned on Wednesday.

The format string vulnerability in DHCPD, which is used to
allocate network addresses and assign configuration parameters to hosts,
would allow an attacker to execute code with the privileges of the DHCPD
process.

In an advisory, CERT said it had not seen active scanning or exploitation
of this vulnerability but urged that the DHCP service be disabled until
vendor patches are implemented.

“As a general rule, the CERT/CC recommends disabling any service or
capability that is not explicitly required. Depending on your network
configuration, you may not need to use DHCP,” the Center said, urging that
the scope of the vulnerability be limited by blocking access to DHCP
services at the network perimeter.

Systems potentially affected include the Internet Software Consortium’s ISC DHCPD 3.0 to
3.0.1rc8.

The ISC has released version 3.0 of the DHCP protocol, which is available on
its Web site.

Networking firms Alcatel and Conectiva confirmed the security vulnerability
and promised updates with fixes. “Alcatel is aware of this security issue
in the DHCP implementation of ISC and has put measures in place to assess
which of its products might be affected and to apply the necessary fixes
where required. An update will be shortly published to provide more details
on any affected products,” the company said.

Conectiva said its Linux 8 ships dhcp-3.0 and is therefore vulnerable to
this problem, and promised updates on its FTP site.

Products shipped by Microsoft, IBM, Silicon Graphics, F5 Networks, NetBSD
and Lotus Development Corp. are not affected by the vulnerability. The
FreeBSD base system does not ship with the ISC DHCPD server by default and
is not affected.

However, the ISC DHCPD server is available in the FreeBSD Ports Collection
and the company said updates are in progress and corrected packages would be
available soon.

The ISC’s DHCPD listens for requests from client machines connecting to the
network. Versions 3 to 3.0.1rc8 (inclusive) of DHCPD contain an option
(NSUPDATE) that is enabled by default. In its advisory, CERT says
NSUPDATE allows the DHCP server to send information about the host to the
DNS server after processing a DHCP request. The DNS server responds by
sending an acknowledgement message back to the DHCP server that may contain
user-supplied data (like a host name). When the DHCP server receives the
acknowledgement message from the DNS server, it logs the transaction.

It is within the format string used to log that transaction that the
vulnerability was detected, the Center said.
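
The bug class described above, shown as an added example that is not ISC's code and not taken from the CERT advisory: a logging wrapper that receives reply-derived text as its format argument, next to the corrected call. The names `log_info`, `log_ack_unsafe`, `log_ack_safe` and `count_directives` are hypothetical, and the constructed sample name uses only `%%` so the unsafe path stays well-defined while still showing that the data is being interpreted.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a daemon's log routine; keeps the last line. */
static char log_line[256];

static int log_info(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(log_line, sizeof log_line, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE pattern: a message built from reply data is used AS the format. */
static const char *log_ack_unsafe(const char *name_from_reply)
{
    char msg[200];
    snprintf(msg, sizeof msg, "dns update ack for %s", name_from_reply);
    log_info(msg);              /* any '%' in the name is now a directive */
    return log_line;
}

/* FIXED pattern: constant format, untrusted text passed only as an argument. */
static const char *log_ack_safe(const char *name_from_reply)
{
    log_info("dns update ack for %s", name_from_reply);
    return log_line;
}

/* Audit helper: count conversion directives that untrusted text would inject. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is a literal percent */
        n++;
    }
    return n;
}

int main(void)
{
    const char *name = "host%%1";            /* constructed sample name */
    printf("unsafe: %s\n", log_ack_unsafe(name));
    printf("safe:   %s\n", log_ack_safe(name));
    printf("directives in \"a%%xb%%n\": %d\n", count_directives("a%xb%n"));
    return 0;
}
```

The unsafe path collapses `%%` to `%`, which shows the logged data was parsed as a format; the safe path records the name byte for byte.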
