ISC DHCPD NSUPDATE MiniRes Library Remote Buffer Overflow Vulnerabilities
Risk
High
Date Discovered
01-15-2003
Description
Multiple buffer overflow vulnerabilities have been reported for the ISC DHCPD service. The vulnerabilities are exposed when the DHCP server is configured to dynamically update DNS records. They exist in the minires library used by NSUPDATE to resolve hostnames.
An attacker can exploit these vulnerabilities by sending a malformed DHCP message containing an overly large hostname value. This will trigger the buffer overflow condition and any embedded attacker-supplied code may be executed.
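For the monitoring recommended in this advisory, the following added example (not part of the original advisory and not ISC code) parses the options of a captured DHCP message and flags a Host Name option whose value breaks DNS size limits. Assumptions: only option 12 (Host Name, RFC 2132) is inspected, the RFC 1035 limits of 63 bytes per label and 255 bytes per name stand in as thresholds because the advisory does not state the overflow size, and `sample` builds constructed test packets.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"    # RFC 2131: marks the start of the options
OPT_PAD, OPT_HOSTNAME, OPT_END = 0, 12, 255
MAX_LABEL, MAX_NAME = 63, 255         # RFC 1035 limits, used as assumed thresholds


def extract_hostname(packet):
    """Return the raw Host Name (option 12) value, or None if it is absent."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    pos, name = 240, None
    while pos < len(packet) and packet[pos] != OPT_END:
        code = packet[pos]
        if code == OPT_PAD:               # single-byte option, no length field
            pos += 1
            continue
        if pos + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns packet" % code)
        if code == OPT_HOSTNAME:          # RFC 3396: repeated instances concatenate
            name = (name or b"") + value
        pos += 2 + length
    return name


def check_hostname(packet):
    """Return a list of findings for the hostname; an empty list means clean."""
    try:
        name = extract_hostname(packet)
    except ValueError as exc:
        return ["malformed: %s" % exc]
    if name is None:
        return []
    findings = []
    if len(name) > MAX_NAME:
        findings.append("hostname is %d bytes" % len(name))
    longest = max(len(label) for label in name.rstrip(b"\x00").split(b"."))
    if longest > MAX_LABEL:
        findings.append("label is %d bytes" % longest)
    return findings


def sample(*parts):
    """Constructed test input: minimal DHCPREQUEST with Host Name option(s)."""
    opts = b"\x35\x01\x03" + b"".join(bytes([12, len(p)]) + p for p in parts)
    return bytes([1, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + opts + b"\xff"
```

Feed `check_hostname` the UDP payload of traffic to port 67; any non-empty result is worth an alert on a segment where the server performs dynamic updates.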
Platforms Affected
Caldera OpenLinux Server 3.1
Caldera OpenLinux Server 3.1.1
Caldera OpenLinux Workstation 3.1
Caldera OpenLinux Workstation 3.1.1
Conectiva Linux 8.0
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.5
Gentoo Linux 1.4 _rc1
Gentoo Linux 1.4 _rc2
MandrakeSoft Linux Mandrake 7.2
MandrakeSoft Linux Mandrake 8.1
MandrakeSoft Linux Mandrake 8.1 ia64
MandrakeSoft Linux Mandrake 8.2
MandrakeSoft Linux Mandrake 8.2 ppc
MandrakeSoft Linux Mandrake 9.0
MandrakeSoft Multi Network Firewall 8.2
MandrakeSoft Single Network Firewall 7.2
OpenPKG OpenPKG Current
OpenPKG OpenPKG 1.0
OpenPKG OpenPKG 1.1
RedHat Linux 8.0
RedHat Linux 8.0 i386
S.u.S.E. Linux 7.2
S.u.S.E. Linux 7.2 i386
S.u.S.E. Linux 7.3
S.u.S.E. Linux 7.3 i386
S.u.S.E. Linux 7.3 ppc
S.u.S.E. Linux 7.3 sparc
S.u.S.E. Linux 8.0
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.1
S.u.S.E. Linux Connectivity Server
S.u.S.E. Linux Database Server
S.u.S.E. Linux Enterprise Server 7
S.u.S.E. Linux Enterprise Server for S/390
S.u.S.E. SuSE eMail Server III
Components Affected
ISC DHCPD 3.0 rc4
ISC DHCPD 3.0 rc12
ISC DHCPD 3.0 pl1
ISC DHCPD 3.0 b2pl9
ISC DHCPD 3.0 b2pl23
ISC DHCPD 3.0
ISC DHCPD 3.0.1 rc9
ISC DHCPD 3.0.1 rc8
ISC DHCPD 3.0.1 rc7
ISC DHCPD 3.0.1 rc6
ISC DHCPD 3.0.1 rc5
ISC DHCPD 3.0.1 rc4
ISC DHCPD 3.0.1 rc3
ISC DHCPD 3.0.1 rc2
ISC DHCPD 3.0.1 rc10
ISC DHCPD 3.0.1 rc1
Recommendations
Disable all unnecessary services. If not explicitly needed, it is best to disable the DHCP service.
Deploy network intrusion detection systems to monitor network traffic for malicious activity. Use a firewall to filter traffic to TCP/UDP ports 67 and 68.
Limit access to sensitive ethernet segments. Physical security should be in place to limit unauthorized individuals from gaining access to sensitive ethernet segments.
Implement multiple redundant layers of security. Use of measures such as StackGuard and non-executable stack configurations may help to limit exploitability of this and other latent stack-based buffer overflow vulnerabilities.
Modify default configuration files to disable any unwanted behaviour. Modify the ISC DHCPD configuration files to disable dynamic DNS updates. This will effectively prevent exploitation of this vulnerability.
SuSE reportedly ships with vulnerable packages. An advisory and fixes are forthcoming.
BSD/OS is prone to this issue. The vulnerability is addressed by the M431-001 and M500-004 patches for the 4.3.1 and 5.0 versions of BSD/OS. Users should contact the vendor for further information about obtaining and applying fixes.
OpenPKG has released an advisory containing updated dhcpd packages which address this issue. OpenPKG CURRENT is addressed by the dhcpd-3.0.1rc11-20030116 package, OpenPKG 1.1 is addressed by the dhcpd-3.0.1rc9-1.1.1 package and OpenPKG 1.0 is addressed by the dhcpd-3.0.1rc4-1.0.1 package.
Gentoo Linux has released an advisory. Users who have installed net-misc/dhcp are advised to upgrade their systems to dhcp-3.0_p2 by issuing the following commands:
emerge sync
emerge -u dhcp
emerge clean
Debian has made fixes available. See referenced advisory DSA 231-1 for additional details.
SuSE has released an advisory. Information about obtaining and applying fixes for SuSE Linux is available in the referenced advisory.
The following fixes are available:
ISC DHCPD 3.0 rc4:
ISC RPM dhcp-devel-3.0rc4-32.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/dhcp-devel-3.0rc4-32.i386.rpm
ISC DHCPD 3.0 rc12:
ISC RPM dhcp-devel-3.0rc12-39.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/dhcp-devel-3.0rc12-39.ppc.rpm
ISC RPM dhcp-devel-3.0rc12-26.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/dhcp-devel-3.0rc12-26.sparc.rpm
ISC RPM dhcrelay-3.0rc12-56.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/dhcrelay-3.0rc12-56.i386.rpm
ISC DHCPD 3.0 pl1:
ISC Upgrade dhcp-3.0pl2.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-3.0pl2.tar.gz
ISC RPM dhclient-3.0pl1-15.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/dhclient-3.0pl1-15.i386.rpm
ISC RPM dhcp-devel-3.0pl1-15.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/dhcp-devel-3.0pl1-15.i386.rpm
ISC RPM dhcp-3.0pl1-15.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/dhcp-3.0pl1-15.i386.rpm
ISC DHCPD 3.0 b2pl9:
ISC RPM dhcp-relay-3.0b2pl9-4.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-client-3.0b2pl9-4.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-3.0b2pl9-4.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC DHCPD 3.0 b2pl23:
ISC RPM dhcp-relay-3.0b2pl23-2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-client-3.0b2pl23-2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-3.0b2pl23-2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC DHCPD 3.0:
ISC Upgrade dhcp-3.0pl2.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-3.0pl2.tar.gz
ISC RPM dhcp-server-3.0-1rc8.2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-relay-3.0-1rc8.2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-common-3.0-1rc8.2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-client-3.0-1rc8.2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-server-3.0-1rc9.3mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-relay-3.0-1rc9.3mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-devel-3.0-1rc9.3mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-common-3.0-1rc9.3mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-client-3.0-1rc9.3mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-server-3.0-1rc8.2.2mdk.ppc.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-relay-3.0-1rc8.2.2mdk.ppc.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-devel-3.0-1rc8.2.2mdk.ppc.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-common-3.0-1rc8.2.2mdk.ppc.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-client-3.0-1rc8.2.2mdk.ppc.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-server-3.0-1rc8.2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-relay-3.0-1rc8.2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-devel-3.0-1rc8.2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-common-3.0-1rc8.2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-client-3.0-1rc8.2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-server-3.0-0.rc12.2.2mdk.ia64.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-relay-3.0-0.rc12.2.2mdk.ia64.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-devel-3.0-0.rc12.2.2mdk.ia64.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-common-3.0-0.rc12.2.2mdk.ia64.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-client-3.0-0.rc12.2.2mdk.ia64.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-server-3.0-0.rc12.2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-relay-3.0-0.rc12.2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-devel-3.0-0.rc12.2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-common-3.0-0.rc12.2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC RPM dhcp-client-3.0-0.rc12.2.2mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
ISC DHCPD 3.0.1 rc9:
ISC Upgrade dhcp-3.0.1rc11.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.1rc11.tar.gz
ISC RPM dhcp-server-3.0.1rc9-59.i586.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/dhcp-server-3.0.1rc9-59.i586.patch.rpm
ISC RPM dhcp-server-3.0.1rc9-59.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/dhcp-server-3.0.1rc9-59.i586.rpm
ISC DHCPD 3.0.1 rc8:
ISC Upgrade dhcp-3.0.1rc11.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.1rc11.tar.gz
ISC DHCPD 3.0.1 rc7:
ISC Upgrade dhcp-3.0.1rc11.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.1rc11.tar.gz
ISC DHCPD 3.0.1 rc6:
ISC Upgrade dhcp-3.0.1rc11.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.1rc11.tar.gz
ISC RPM dhcp-base-3.0.1rc6-15.i386.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/dhcp-base-3.0.1rc6-15.i386.patch.rpm
ISC RPM dhcp-base-3.0.1rc6-15.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/dhcp-base-3.0.1rc6-15.i386.rpm
ISC DHCPD 3.0.1 rc5:
ISC Upgrade dhcp-3.0.1rc11.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.1rc11.tar.gz
ISC DHCPD 3.0.1 rc4:
ISC Upgrade dhcp-3.0.1rc11.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.1rc11.tar.gz
ISC DHCPD 3.0.1 rc3:
ISC Upgrade dhcp-3.0.1rc11.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.1rc11.tar.gz
ISC DHCPD 3.0.1 rc2:
ISC Upgrade dhcp-3.0.1rc11.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.1rc11.tar.gz
ISC DHCPD 3.0.1 rc10:
ISC Upgrade dhcp-3.0.1rc11.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.1rc11.tar.gz
ISC DHCPD 3.0.1 rc1:
ISC Upgrade dhcp-3.0.1rc11.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.1rc11.tar.gz
References
Source: Gentoo 200301-10 dhcp
URL: http://online.securityfocus.com/advisories/4882
Source: Debian DSA 231-1 New dhcp3 packages fix arbitrary code execution
URL: http://online.securityfocus.com/advisories/4884
Source: Mandrake MDKSA-2003:007 dhcp
URL: http://online.securityfocus.com/advisories/4887
Source: OpenPKG OpenPKG-SA-2003.002 dhcpd buffer overflows in minires library
URL: http://online.securityfocus.com/advisories/4880
Source: RedHat RHSA-2003:011-07 Updated dhcp packages fix security vulnerabilities
URL: http://online.securityfocus.com/advisories/4877
Source: SuSE SuSE-SA:2003:0006 dhcp
URL: http://online.securityfocus.com/advisories/4890
Source: CERT Advisory CA-2003-01 Buffer Overflows in ISC DHCPD Minires Library
URL: http://www.cert.org/advisories/CA-2003-01.html
Credits
These issues were reported by ISC.
Copyright (c) 2003 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.