A complete revision history can be found at the end of this file.
The Internet Software Consortium (ISC) provides a Dynamic Host Configuration Protocol Daemon (DHCPD), which is a server that is used to allocate network addresses and assign configuration parameters to hosts. A format string vulnerability may permit a remote attacker to execute code with the privileges of the DHCPD (typically root). We have not seen active scanning or exploitation of this vulnerability.
ISC's DHCPD listens for requests from client machines connecting to the network. Versions 3 to 3.0.1rc8 (inclusive) of DHCPD contain an option (NSUPDATE) that is enabled by default. NSUPDATE allows the DHCP server to send information about the host to the DNS server after processing a DHCP request. The DNS server responds by sending an acknowledgement message back to the DHCP server that may contain user-supplied data (like a host name). When the DHCP server receives the acknowledgement message from the DNS server, it logs the transaction.
A format string vulnerability exists in the ISC DHCPD code that logs this transaction. This vulnerability may permit a remote attacker to execute code with the privileges of the DHCP daemon.
A remote attacker may be able to execute code with the privileges of the DHCPD (typically root).
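The logging defect and its fix, as an added example in C written for this advisory (not ISC's code): a constructed printf-style logger stands in for log_info(), one function keeps the pre-patch shape that passes the assembled buffer as the format string, the other uses the patched "%s" form, and an LDH host-name check shows a defence-in-depth filter. The message text and the function names are assumptions.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for ISC's log_info(): a printf-style logger that
 * formats into a fixed buffer so the produced line can be inspected. */
static char last_line[256];

static void log_info(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
}

/* Pre-patch shape of the NSUPDATE logging path: obuf, which embeds a host
 * name that originated with the DHCP client, is passed AS the format
 * string. Kept only for contrast; it must never see untrusted input. */
const char *log_update_vulnerable(const char *hostname)
{
    char obuf[256];
    snprintf(obuf, sizeof obuf, "dns update for %s", hostname);
    log_info(obuf);        /* bug: client data interpreted as a format */
    return last_line;
}

/* Patched shape (the "%s" change in ISC's diff): obuf is now an argument
 * to a constant format, so any '%' in the host name is printed as text. */
const char *log_update_fixed(const char *hostname)
{
    char obuf[256];
    snprintf(obuf, sizeof obuf, "dns update for %s", hostname);
    log_info("%s", obuf);
    return last_line;
}

/* Defence in depth: a DNS host name is letters, digits, '-' and '.', so a
 * name carrying anything else (including '%') can be rejected up front. */
int hostname_is_ldh(const char *hostname)
{
    if (*hostname == '\0' || strlen(hostname) > 253) return 0;
    for (const char *p = hostname; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.')
            return 0;
    return 1;
}
```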
Note that some of the mitigation steps recommended below may have significant impact on your normal network operations. Ensure that any changes made based on the following recommendations will not unacceptably affect any of your operations.
Appendix A contains information provided by vendors for this advisory.
As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Depending on your network configuration, you may not need to use DHCP.
As a temporary measure, it may be possible to limit the scope of this vulnerability by blocking access to DHCP services at the network perimeter.
Ingress filtering manages the flow of traffic as it enters a network under your administrative control. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. For DHCP, ingress filtering of the following ports can prevent attackers outside of your network from reaching vulnerable devices in the local network that are not explicitly authorized to provide public DHCP services.
bootps 67/tcp # Bootstrap Protocol Server
bootps 67/udp # Bootstrap Protocol Server
bootpc 68/tcp # Bootstrap Protocol Client
bootpc 68/udp # Bootstrap Protocol Client
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, please check the Vulnerability Note (VU#854315) or contact your vendor directly.
Following the recent CERT advisory on security vulnerabilities in the ISC DHCP implementation, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis has shown that only one customer-specific product was affected. Alcatel is working with that customer on a solution. The security of our customers' networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio against potential ISC DHCP security vulnerabilities and will provide updates if necessary.
Mac OS X does not contain this vulnerability.
Please see the Conectiva Linux Announcement.
Cray, Inc. is not vulnerable since dhcp is not supported under Unicos or Unicos/mk.
F5 Networks' products do not include any affected version of ISC's DHCPD, and are therefore not vulnerable.
The FreeBSD base system does not ship with the ISC dhcpd server by default and is not affected by this vulnerability. The ISC dhcpd server is available in the FreeBSD Ports Collection; updates to the ISC dhcp port (ports/net/isc-dhcp3) are in progress and corrected packages will be available in the near future.
Fujitsu's UXP/V operating system is not vulnerable. UXP/V does not support dhcp.
HP-UX is not vulnerable.
IBM's AIX operating system, all versions, is not vulnerable.
A patch is included below, and we have a patched version of 3.0 available (3.0pl1) and a new release candidate for the next bug-fix release (3.0.1RC9). Both of these new releases are not vulnerable.
--- common/print.c Tue Apr 9 13:41:17 2002
+++ common/print.c.patched Tue Apr 9 13:41:56 20= 02
@@ -1366,8 +1366,8 @@
*s++ =3D '.';
*s++ =3D 0;
if (errorp)
- log_error (obuf);
+ log_error ("%s",obuf);<= br> else
- log_info (obuf);
+ log_info ("%s",obuf); }
#endif /* NSUPDATE */
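Review bot: the two changed calls are the right fix: obuf, which carries the host name taken from the DNS acknowledgement (and so, ultimately, from the DHCP client), moves from the format-string position to an argument of the constant format "%s", so any '%' sequence in the name is printed literally instead of being interpreted by the logger. Two follow-ups worth raising: confirm that no other log_error/log_info call inside the NSUPDATE region passes a constructed buffer the same way (NetBSD's statement below describes fixing this class of bug in a sweep rather than one site at a time), and give log_error and log_info a printf-style format attribute so the compiler's format-security warnings flag any such call in future.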
This issue does not affect Lotus products.
Microsoft does not ship the ISC DHCPD program.
EWS/UP 48 Series is NOT vulnerable.
NetBSD fixed this during a format string sweep performed on 11-Oct-2000. No released version of NetBSD is vulnerable to this issue.
Nortel Networks products are not impacted by this vulnerability.
Novell does not ship ISC's DHCPD.
Red Hat Linux has never been shipped with version 3 of dhcpd and therefore none of our releases are vulnerable to this issue.
SGI is not vulnerable.
Sun is not vulnerable as Solaris does not ship the ISC DHCPD and does not use any of the ISC DHCPD source in its version of DHCPD.
Xerox is aware of this advisory. A response is available from our web site: http://www.xerox.com/security .
The CERT Coordination Center acknowledges Next Generation Security Technologies as the discoverer of this vulnerability and thanks them and the Internet Software Consortium (ISC) for their cooperation, reporting, and analysis of this vulnerability.
Feedback can be directed to the author: Ian A. Finlay
Copyright 2002 Carnegie Mellon University.
Revision History
May 08, 2002: Initial release
May 09, 2002: Added vendor statement for Nortel Networks Limited
May 10, 2002: Revised vendor statement for Conectiva
May 13, 2002: Added vendor statement for Cray Inc.
May 14, 2002: Added vendor statement for Fujitsu Limited
May 14, 2002: Added vendor statement for Apple Computer, Inc.
May 14, 2002: Added vendor statement for NEC Corporation
May 23, 2002: Added vendor statement for Novell
May 29, 2002: Revised vendor statement for Alcatel
May 31, 2002: Added vendor statement for Sun Microsystems
Jun 11, 2002: Added vendor statement for Red Hat, Inc.
Aug 21, 2002: Added vendor statement for Xerox
Oct 07, 2002: Fixed link for Xerox