Red Hat Bugzilla – Bug 125926
CAN-2004-0460/1 DHCP stack overflow in hostname logging
Last modified: 2007-11-30 17:07:02 EST
The Internet Software Consortium reported to us via CERT on Jun10 a
flaw in hostname logging that affects all versions of DHCP 3. A
malicious client could send carefully crafted hostname options to a
server which would lead to a stack buffer overflow. In order to
exploit this flaw an attacker would need to be able to send UDP
packets to the targeted system which limits the attack to the local
network or via routed topology. A successful attack could lead to
remote arbitrary code execution.
This issue is under embargo until Jun15 at 1400EST.
(Red Hat Enterprise Linux 2.1 is based on version 2 of DHCP, and is
therefore not vulnerable to this issue).
Embargo moved to Jun17 at 1400EST to accommodate second issue,
"Several operating system specific builds have a C include that
overrides the vsnprintf function to vsprintf. Therefore, anywhere that
the developers thought they were using vsnprintf to restrict bounds,
they actually weren't being restricted at all"
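The failure mode quoted above, a header mapping vsnprintf to vsprintf so that the size argument is silently dropped, can be guarded against at build time and checked at run time. The C below is an added example, not ISC DHCP code or code from this bug report; `bounded_format`, `self_test_bounded_logging` and `LOG_BUF_SIZE` are hypothetical names, and the 255-byte hostname is constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* If a header has defined vsnprintf as a macro, drop the macro so the call
 * below reaches the real library function. On a platform that has no
 * vsnprintf the build then fails at link time instead of running unbounded. */
#ifdef vsnprintf
#undef vsnprintf
#endif

#define LOG_BUF_SIZE 64 /* hypothetical size, kept small to force truncation */

/* Format into dst. Returns 0 if the message fit, 1 if it was truncated,
 * -1 on bad arguments or a formatting error. dst is always NUL-terminated. */
static int bounded_format(char *dst, size_t dst_size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dst == NULL || dst_size == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, dst_size, fmt, ap);
    va_end(ap);
    if (n < 0) {
        dst[0] = '\0';
        return -1;
    }
    return (size_t)n >= dst_size ? 1 : 0;
}

/* Self-test: log a constructed 255-byte hostname into a buffer followed by
 * a canary. Returns 1 only if the output was truncated and the canary is intact. */
static int self_test_bounded_logging(void)
{
    struct { char buf[LOG_BUF_SIZE]; unsigned char canary[8]; } s;
    char hostname[256];
    int rc;

    memset(hostname, 'A', 255);
    hostname[255] = '\0';
    memset(s.canary, 0xA5, sizeof s.canary);
    rc = bounded_format(s.buf, sizeof s.buf, "DHCPDISCOVER from %s", hostname);
    for (size_t i = 0; i < sizeof s.canary; i++)
        if (s.canary[i] != 0xA5)
            return 0;
    return rc == 1 && strlen(s.buf) == LOG_BUF_SIZE - 1;
}

int main(void) { return self_test_bounded_logging() ? 0 : 1; }
```

Running the self-test as part of the build on each supported platform turns a silently unbounded formatter into a failed build step.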
ISC have reported "after closer analysis it appears that only ISC DHCP
3.0.1rc12 and 3.0.1rc13 are vulnerable. Versions prior to this contain
the flaw, but are not exploitable because prior versions of ISC DHCP
only include the last hostname option provided by the client, limiting
the size to 255 bytes, which is not enough to overflow the buffer.".
Therefore CAN-2004-0460 does not affect Red Hat Enterprise Linux (but
does affect Fedora Core 2 only).
A second issue was found, CAN-2004-0461 which we have also confirmed
does not affect Red Hat Enterprise Linux; therefore no update required.
An update for Fedora Core 2 is required and will be released when the
embargo is lifted later today.
Public; removing embargo
According to link:
"These issues have been resolved in ISC DHCP 3.0.1rc14."
FC3 / rawhide now uses dhcp-3.0.1 (gold) which fixes this issue.
dhcp-3.0.1 was also submitted to fc2-updates.
I tried to submit dhcp-3.0.1(gold) to RHEL-3.0-U3, but my request
was denied - hence RHEL-3.0-U3, which still uses dhcp-3.0pl2, is
still vulnerable to this issue.
Actually only 3.0.1rc12 and 3.0.1rc13 can be exploited; 3.0pl2 is not
vulnerable to this issue.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.