search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

ISC DHCPD minires library contains multiple buffer overflows

Vulnerability Note VU#284857

Original Release Date: 2003-01-15 | Last Revised: 2003-03-26

Overview

The Internet Software Consortium (ISC) has discovered several buffer overflow vulnerabilities in their implementation of DHCP (ISC DHCPD). These vulnerabilities may allow remote attackers to execute arbitrary code on affected systems. At this time, we are not aware of any exploits.

Description

There are multiple remote buffer overflow vulnerabilities in the ISC implementation of DHCP. As described in RFC 2131, "the Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network." In addition to supplying hosts with network configuration data, ISC DHCPD allows the DHCP server to dynamically update a DNS server, obviating the need for manual updates to the name server configuration. Support for dynamic DNS updates is provided by the NSUPDATE feature.

During an internal source code audit, developers from the ISC discovered several vulnerabilities in the error handling routines of the minires library, which is used by NSUPDATE to resolve hostnames. These vulnerabilities are stack-based buffer overflows that may be exploitable by sending a DHCP message containing a large hostname value. Note: Although the minires library is derived from the BIND 8 resolver library, these vulnerabilities do not affect any current versions of BIND.

Impact

Remote attackers may be able to execute arbitrary code with the privileges of the user running ISC DHCPD.

Solution

Upgrade or apply a patch

The ISC has addressed these vulnerabilities in versions 3.0pl2 and 3.0.1RC11 of ISC DHCPD. If your software vendor supplies ISC DHCPD as part of an operating system distribution, please see the vendor section of this document.

Disable dynamic DNS updates (NSUPDATE)

As an interim measure, the ISC recommends disabling the NSUPDATE feature on affected DHCP servers.

Block external access to DHCP server ports

As an interim measure, it is possible to limit exposure to these vulnerabilities by restricting external access to affected DHCP servers on the following ports:

bootps      67/tcp      # Bootstrap Protocol Server
bootps      67/udp      # Bootstrap Protocol Server
bootpc      68/tcp      # Bootstrap Protocol Client
bootpc      68/udp      # Bootstrap Protocol Client

Disable the DHCP service

As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Depending on your network configuration, you may not need to use DHCP.

Vendor Information

284857
 
Expand all

View all 55 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

The CERT Coordination Center thanks David Hankins of the Internet Software Consortium for notifying us about this problem and for helping us to construct this document. We also thank Jacques A. Vidrine for drawing attention to this issue.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2003-0026
CERT Advisory: CA-2003-01
Severity Metric: 5.27
Date Public: 2003-01-15
Date First Published: 2003-01-15
Date Last Updated: 2003-03-26 19:11 UTC
Document Revision: 20

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis