CERT/CC Vulnerability Note VU#317350

Overview

The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) 3 application contains a buffer overflow vulnerability. Exploitation of this vulnerability can cause a denial of service condition to the DHCP Daemon (DHCPD) and may permit a remote attacker to execute arbitrary code on the system with the privileges of the DHCPD process.

Description

As described in RFC 2131, "the Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network."

ISC DHCPD syslogs every DHCP packet in transactions along with several pieces of descriptive information. The client's DISCOVER and the resulting OFFER, REQUEST, and ACK are all logged as well as any NAKs. In all of these messages, if the client supplied a hostname then it is also included in the logged line. If the client supplies multiple hostname options these options will be concatenated together. If the hostname and options contain only ASCII characters, then the string will pass non-ASCII character filters and be temporarily stored in 1024 byte fixed-length buffers on the stack.

It is possible that if enough hostname options are supplied by the client, and other text is logged in the same line, then the static buffer will be overflown, writing over the stack. If non-ASCII or non-printable characters are supplied, then there are other checks and filters that will prevent this buffer overflow from occuring.

Only ISC DHCP 3.0.1rc12 and ISC DHCP 3.0.1rc13 are believed to be vulnerable for all operating systems and configurations. All versions of ISC DCHP 3, including all snapshots, betas, and release candidates, contain the flawed code. However, since these versions discard of all but the last hostname option provided by the client, it is not believed that these versions are exploitable.

Impact

A remote attacker with the ability to send a crafted packet to the DHCPD listening port (typically port 67/UDP), may be able to crash the ISC DHCP daemon, causing a denial of service. It may be possible to execute arbitrary code on the vulnerable server with the privileges of the DHCPD process (typically root).

Solution

ISC has released DHCP 3.0.1rc14 which resolves this issue. Versions prior to ISC DHCP 3 are no longer supported. All users of ISC DHCP are encouraged to update to the latest version.

Vendor Information

317350

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Fedora Project Affected

ISC Affected

InfoBlox Affected

MandrakeSoft Affected

SuSE Inc. Affected

Apple Computer Inc. Not Affected

Aruba Networks Not Affected

Notified: June 10, 2004 Updated: June 23, 2004

Status

Not Affected

Vendor Statement

---------------------------------------------------------------------------- Aruba Wireless Networks Security Advisory Title: ISC DHCPD contains a stack buffer overflow vulnerability in handling log lines containing ASCII characters only Aruba Advisory ID: AID-06142004 Revision: 1.0 For Public Release on 06/17/2004 at 19:00 (GMT) References: CAN-2004-0460 / CERT Vulnerability Note VU#317350 ---------------------------------------------------------------------------- SUMMARY It was disclaimed by ISC, via CERT, that some specially crafted DHCP packets could cause a stack overflow and crash ISC based DHCPD. PRODUCTS AND FIRMWARE VERSIONS AFFECTED Hardware: No Aruba Wireless Networks Platform are affected Software: No Aruba available versions are affected DETAILS This issue could cause a stack overflow and eventual crash of the machine running ISC's DHCPd. Although it was not clear if whether or not that overflow could be used to execute arbitrary code, this should not cause a problem on Aruba Wireless Networks products, since they are not affected by the packets described in the CERT notification. IMPACT None. WORKAROUNDS There is no need for a workaround to be implemented. SOLUTION Aruba products were tested against this possible attack and are not vulnerable to it. OBTAINING FIXED FIRMWARES There is no special firmware needed to address the issue described above. Aruba Support contacts are as follows: 1-800-WiFiLAN (1-800-943-4526) (toll free from within North America) +1-408-754-1200 (toll call from anywhere in the world) e-mail: support(at)arubanetworks.com web:http://www.arubanetworks.com/support Please, do not contact either "wsirt(at)arubanetworks.com" or "security(at)arubanetworks.com" for software upgrades. EXPLOITATION AND PUBLIC ANNOUNCEMENTS This vulnerability will be announced athttp://www.kb.cert.org/vulsSTATUS OF THIS NOTICE: Final Although Aruba Wireless networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Wireless Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Wireless Networks may update this advisory. A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. DISTRIBUTION OF THIS ANNOUCEMENT This advisory will be posted on Aruba's website at http://www.arubanetworks.com/support/wsirt/alerts/AID-06142004.ascIn addition to worldwide web posting, a text version of this notice is clear-signed with the Aruba WSIRT PGP key having the fingerprint AB90 36CE 259C 7BA1 4FAF 62F8 3EF2 6968 39C3 A3C0 and is posted to the following e-mail recipients. * cert@cert.org Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. REVISION HISTORY Revision 1.0 /06-14-2004 / Initial release ARUBA WSIRT SECURITY PROCEDURES Complete information on reporting security vulnerabilities in Aruba Wireless Networks products, obtaining assistance with security incidents is available at http://www.arubanetworks.com/support/wsirt.phpFor reporting *NEW* Aruba Wireless Networks security issues, email can be sent to wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found athttp://www.arubanetworks.com/support/wsirt.php (c) Copyright 2004 by Aruba Wireless Networks, Inc. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Check Point Not Affected

Chiaro Networks Not Affected

Cisco Systems Inc. Not Affected

Extreme Networks Not Affected

F5 Networks Not Affected

Hewlett-Packard Company Not Affected

Hitachi Not Affected

IBM Not Affected

Juniper Networks Not Affected

Microsoft Corporation Not Affected

NetBSD Not Affected

Nominum Not Affected

OpenBSD Not Affected

Openwall GNU/*/Linux Not Affected

Red Hat Inc. Not Affected

Redback Networks Inc. Not Affected

Riverstone Networks Not Affected

Sun Microsystems Inc. Not Affected

3Com Unknown

AT&T Unknown

Alcatel Unknown

Avaya Unknown

Avici Systems Inc. Unknown

Charlotte's Web Networks Unknown

Conectiva Unknown

Cray Inc. Unknown

D-Link Systems Unknown

Data Connection Unknown

Debian Unknown

EMC Corporation Unknown

Engarde Unknown

Foundry Networks Inc. Unknown

FreeBSD Unknown

Fujitsu Unknown

Hyperchip Unknown

IBM eServer Unknown

IBM-zSeries Unknown

Immunix Unknown

Ingrian Networks Unknown

Intel Unknown

Lucent Technologies Unknown

Luminous Unknown

MontaVista Software Unknown

Multi-Tech Systems Inc. Unknown

Multinet Unknown

NEC Corporation Unknown

NetScreen Unknown

Network Appliance Unknown

NextHop Unknown

Nokia Unknown

Nortel Networks Unknown

Novell Unknown

SCO Unknown

SGI Unknown

Sequent Unknown

Sony Corporation Unknown

TurboLinux Unknown

Unisys Unknown

Wind River Systems Inc. Unknown

ZyXEL Unknown

View all 67 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Gregory Duchemin and Solar Designer for discovering, reporting and resolving this vulnerability. Thanks also to David Hankins of ISC for notifying us of this vulnerability and the technical information provided to create this document.

This document was created by Jason A Rafail and based on the technical information provided by David Hankins of ISC.

Other Information

CVE IDs:	CVE-2004-0460
Severity Metric:	25.52
Date Public:	2004-06-22
Date First Published:	2004-06-22
Date Last Updated:	2004-07-13 14:38 UTC
Document Revision:	16

Software Engineering Institute

CERT Coordination Center

ISC DHCP contains a stack buffer overflow vulnerability in handling log lines containing ASCII characters only

Vulnerability Note VU#317350

Overview

Description

Impact

Solution

Vendor Information

Fedora Project Affected

ISC Affected

InfoBlox Affected

MandrakeSoft Affected

SuSE Inc. Affected

Apple Computer Inc. Not Affected

Aruba Networks Not Affected

Check Point Not Affected

Chiaro Networks Not Affected

Cisco Systems Inc. Not Affected

Extreme Networks Not Affected

F5 Networks Not Affected

Hewlett-Packard Company Not Affected

Hitachi Not Affected

IBM Not Affected

Juniper Networks Not Affected

Microsoft Corporation Not Affected

NetBSD Not Affected

Nominum Not Affected

OpenBSD Not Affected

Openwall GNU/*/Linux Not Affected

Red Hat Inc. Not Affected

Redback Networks Inc. Not Affected

Riverstone Networks Not Affected

Sun Microsystems Inc. Not Affected

3Com Unknown

AT&T Unknown

Alcatel Unknown

Avaya Unknown