CERT/CC Vulnerability Note VU#448384

Overview

The Internet Systems Consortium (ISC) Dynamic Host Configuration Protocol (DHCP) application contains a format string vulnerability in errwarn.c that could allow an attacker to execute arbitrary code.

Description

As described in RFC 2131, "The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network." ISC DHCP is a reference implementation of the DHCP protocol, including a DHCP server, client, and relay agent.

The code that handles error and warning messages (errwarn.c) contains several instances of a format string vulnerability. An insufficient number of parameters is passed to the syslog function, which creates the format string vulnerability. The vulnerable code is used by the DHCP client, server, and relay.

Impact

A remote, unauthenticated attacker may be able to execute code on the DHCP server with the privileges of the DHCPD process (typically root). An attacker may also be able to execute code on a system running the DHCP client or agent, since these also use the vulnerable code in errwarn.c.

Solution

Apply a patch or update from your vendor
For vendor-specific information regarding vulnerable status and patch availability, please see the Systems Affected section of this document.

Upgrade your version of DHCP

Upgrade your system as specified by your vendor. If you need to upgrade DHCP manually, get DHCP 3.0.1. This vulnerability affects DHCP 2.0pl5 and prior, and 3.0b1-pl17 and prior.

Ingress filtering

It may be possible to limit the scope of this vulnerability by blocking access to DHCP services at the network perimeter.

Ingress filtering manages the flow of traffic as it enters a network under your administrative control. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. For DHCP, ingress filtering of the following ports can prevent attackers outside of your network from reaching vulnerable devices in the local network that are not explicitly authorized to provide public DHCP services.

bootps 67/tcp # Bootstrap Protocol Server
bootps 67/udp # Bootstrap Protocol Server
bootpc 68/tcp # Bootstrap Protocol Client
bootpc 68/udp # Bootstrap Protocol Client

Vendor Information

448384

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

ISC Affected

MontaVista Software Affected

Red Hat Inc. Affected

Hitachi Not Affected

NEC Corporation Not Affected

SGI Not Affected

Apple Computer Inc. Unknown

Conectiva Unknown

Cray Inc. Unknown

Debian Unknown

EMC Corporation Unknown

Engarde Unknown

F5 Networks Unknown

FreeBSD Unknown

Fujitsu Unknown

IBM Unknown

IBM eServer Unknown

IBM-zSeries Unknown

Immunix Unknown

Ingrian Networks Unknown

Juniper Networks Unknown

MandrakeSoft Unknown

Microsoft Corporation Unknown

NETBSD Unknown

Nokia Unknown

Novell Unknown

OpenBSD Unknown

Openwall GNU/*/Linux Unknown

SCO Unknown

Sequent Unknown

Sony Corporation Unknown

SuSE Inc. Unknown

Sun Microsystems Inc. Unknown

TurboLinux Unknown

Unisys Unknown

Wind River Systems Inc. Unknown

View all 36 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was publicly disclosed by infamous41md.

This document was written by Will Dormann.

Other Information

CVE IDs:	CVE-2004-1006
Severity Metric:	10.26
Date Public:	2004-11-08
Date First Published:	2005-03-09
Date Last Updated:	2005-08-01 14:17 UTC
Document Revision:	20

Software Engineering Institute

CERT Coordination Center

ISC DHCP contains a format string vulnerabilty in errwarn.c

Vulnerability Note VU#448384