A pair of security flaws found in the Internet Systems Consortium’s (ISC) implementation of the DHCP
According to an alert from the U.S. Computer Emergency Response Team (US-CERT), the vulnerabilities were discovered in ISC DHCP versions 3.0.1rc12 and 3.0.1rc13, the de-facto standard for all UNIX and UNIX-like systems, including Linux and BSD.
“All versions of ISC DCHP 3, including all snapshots, betas, and release candidates, contain the flawed code,” US-CERT cautioned.
DHCP, or Dynamic Host Configuration Protocol, provides a framework for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network.
The ISC’s freely-distributed reference implementation supplies hosts with network configuration data and allows a DHCP server to dynamically update a DNS server, eliminating the need for manual updates to the name server configuration
The consortium confirmed the existence of the buffer overflow problems in ISC DHCP Daemon versions 3.0.1 Release Candidates 12 and 13 and urged users to upgrade to versions 3.0.1rc14.
It is not the first time the ISC has been forced to issue a fix for buffer overflows in its DHCP implementation. Last January, multiple vulnerabilities were detected
during an internal source code audit.
The ISC is a nonprofit group that develops production quality Open Source reference implementations of core Internet protocols.