Bug 1549960 (CVE-2018-5732)

Summary: CVE-2018-5732 dhcp: Buffer overflow in dhclient possibly allowing code execution triggered by malicious server
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: apmukher, dcantrell, dkholia, jpopelka, pemensik, pzhukov, security-response-team, thozza, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dhcp 4.1-ESV-R15-P1, dhcp 4.3.6-P1, dhcp 4.4.1 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bound memory access flaw was found in the way dhclient processed a DHCP response packet. A malicious DHCP server could potentially use this flaw to crash dhclient processes running on DHCP client machines via a crafted DHCP response packet.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-13 09:03:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1549978, 1549979, 1549998, 1550082, 1550083, 1550246, 1550248    
Bug Blocks: 1549964    

Description Adam Mariš 2018-02-28 07:28:02 UTC 
Failure to properly bounds check a buffer used for processing DHCP options allows a malicious server (or an entity masquerading as a server) to cause a buffer overflow (and resulting crash) in dhclient by sending a response containing a specially constructed options section.

Versions of DHCP affected: 4.1.0 -> 4.1-ESV-R15, 4.2.0 -> 4.2.8, 4.3.0 -> 4.3.6, 4.4.0
Comment 2 Adam Mariš 2018-02-28 07:45:00 UTC 
Acknowledgments:

Name: ISC
Upstream: Felix Wilhelm (Google)
Comment 8 Tomas Hoger 2018-02-28 20:30:32 UTC 
Public now via upstream advisory.

External References:

https://kb.isc.org/article/AA-01565
Comment 9 Tomas Hoger 2018-02-28 20:32:06 UTC 
Created dhcp tracking bugs for this issue:

Affects: fedora-all [bug 1550246]
Comment 11 Tomas Hoger 2018-03-01 12:39:51 UTC 
Upstream commit:

https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commitdiff;h=c5931725b48b121d232df4ba9e45bc41e0ba114d

Upstream bug (not public):

https://bugs.isc.org/Public/Bug/Display.html?id=47139
Comment 12 errata-xmlrpc 2018-03-09 10:06:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:0469 https://access.redhat.com/errata/RHSA-2018:0469
Comment 13 errata-xmlrpc 2018-03-12 18:46:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0483 https://access.redhat.com/errata/RHSA-2018:0483