Bug 125926 - CAN-2004-0460/1 DHCP stack overflow in hostname logging
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: dhcp
Version: 3.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Jason Vas Dias
Keywords: Security
Reported: 2004-06-14 04:52 EDT by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST (History)

Doc Type: Bug Fix
Last Closed: 2004-08-11 12:37:19 EDT

Description Mark J. Cox (Product Security) 2004-06-14 04:52:55 EDT
The Internet Software Consortium reported to us via CERT on Jun10 a
flaw in hostname logging that affects all versions of DHCP 3.  A
malicious client could send carefully crafted hostname options to a
server which would lead to a stack buffer overflow.  In order to
exploit this flaw an attacker would need to be able to send UDP
packets to the targeted system which limits the attack to the local
network or via routed topology.  A successful attack could lead to
remote arbitrary code execution.

This issue is under embargo until Jun15 at 1400EST.
Comment 1 Mark J. Cox (Product Security) 2004-06-14 04:53:28 EDT
(Red Hat Enterprise Linux 2.1 is based on version 2 of DHCP, and is
therefore not vulnerable to this issue).
Comment 2 Mark J. Cox (Product Security) 2004-06-15 06:12:51 EDT
Embargo moved to Jun17 at 1400EST to accommodate second issue,
CAN-2004-0461:

"Several operating system specific builds have a C include that
overrides the vsnprintf function to vsprintf. Therefore, anywhere that
the developers thought they were using vsnprintf to restrict bounds,
they actually weren't being restricted at all"
Comment 3 Mark J. Cox (Product Security) 2004-06-15 06:43:42 EDT
ISC have reported "after closer analysis it appears that only ISC DHCP
3.0.1rc12 and 3.0.1rc13 are vulnerable. Versions prior to this contain
the flaw, but are not exploitable because prior versions of ISC DHCP
only include the last hostname option provided by the client, limiting
the size to 255 bytes, which is not enough to overflow the buffer.".

Therefore CAN-2004-0460 does not affect Red Hat Enterprise Linux (but
does affect Fedora Core 2 only).
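The two mechanisms described in Comment 2 and Comment 3 (a header that silently turns vsnprintf into vsprintf, and a hostname built by concatenating every repeated option instead of keeping only the last 255-byte one) are both bounds problems in the logging path. The following is an added example, not ISC DHCP code or Red Hat's patch: it shows a logging helper that treats vsnprintf's return value as the source of truth for truncation, a runtime probe that confirms vsnprintf actually honours its size argument (which catches the kind of header override quoted in Comment 2), and a joiner that caps the concatenated hostname at 255 bytes. The buffer sizes, function names and the constructed option payloads are assumptions chosen for the example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 128   /* constructed log line size for the example */
#define HOSTNAME_MAX 255   /* a single DHCP option payload is at most 255 bytes */

/* Bounded formatter (hypothetical helper). Returns 1 if the message fit,
 * 0 if it was truncated. dst is always NUL-terminated when dst_len > 0. */
int log_fmt(char *dst, size_t dst_len, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (dst_len == 0) return 0;
    va_start(ap, fmt);
    n = vsnprintf(dst, dst_len, fmt, ap);
    va_end(ap);
    if (n < 0) { dst[0] = '\0'; return 0; }
    return (size_t)n < dst_len;   /* n counts what *would* have been written */
}

/* Runtime self-check: format an 8-char string into a 4-byte window of a
 * larger sentinel-filled buffer. A real vsnprintf writes "abc\0" and leaves
 * the rest untouched; a vsnprintf that has been redirected to vsprintf
 * (the CAN-2004-0461 pattern) would overwrite the sentinels. Returns 1 if
 * bounds were honoured. */
int vsnprintf_honours_bounds(void)
{
    char buf[16];
    memset(buf, 'X', sizeof buf);
    (void)log_fmt(buf, 4, "%s", "abcdefgh");
    return strcmp(buf, "abc") == 0 && buf[4] == 'X' && buf[15] == 'X';
}

/* Join the payloads of repeated hostname options into a fixed buffer,
 * stopping once HOSTNAME_MAX bytes have been accumulated. Returns the
 * number of bytes stored (the result is NUL-terminated). */
size_t join_hostname_options(char *out, size_t out_len,
                             const unsigned char *const *opts,
                             const size_t *lens, size_t count)
{
    size_t used = 0;
    if (out_len == 0) return 0;
    for (size_t i = 0; i < count; i++) {
        size_t room = out_len - 1 - used;
        size_t take = lens[i] < room ? lens[i] : room;
        memcpy(out + used, opts[i], take);
        used += take;
        if (take < lens[i]) break;   /* cap reached: drop the remainder */
    }
    out[used] = '\0';
    return used;
}

/* Constructed scenario: a client repeats the hostname option three times
 * with 200-byte payloads (600 bytes total). Returns the joined length. */
size_t demo_joined_len(void)
{
    static unsigned char a[200], b[200], c[200];
    memset(a, 'a', sizeof a); memset(b, 'b', sizeof b); memset(c, 'c', sizeof c);
    const unsigned char *opts[3] = { a, b, c };
    size_t lens[3] = { sizeof a, sizeof b, sizeof c };
    char host[HOSTNAME_MAX + 1];
    return join_hostname_options(host, sizeof host, opts, lens, 3);
}

/* Log a hostname of host_len bytes into a line buffer of line_len bytes.
 * Returns 1 if the line fit, 0 if it was truncated. */
int demo_log_fits(size_t line_len, size_t host_len)
{
    char host[HOSTNAME_MAX + 1];
    char line[LOG_LINE_MAX];
    if (host_len > HOSTNAME_MAX) host_len = HOSTNAME_MAX;
    if (line_len > sizeof line) line_len = sizeof line;
    memset(host, 'h', host_len);
    host[host_len] = '\0';
    return log_fmt(line, line_len, "DHCPREQUEST from %s", host);
}

int main(void)
{
    printf("vsnprintf bounded: %d\n", vsnprintf_honours_bounds());
    printf("joined hostname length: %zu\n", demo_joined_len());
    printf("255-byte hostname fits in 64-byte line: %d\n", demo_log_fits(64, 255));
    return 0;
}
```

The point of the probe is that a defender cannot see a `#define vsnprintf ... vsprintf` from the call site; a build-time or start-up check that the function really stops at the size argument is cheap insurance against that class of header override. The joiner makes the 255-byte limit that Comment 3 relies on an explicit property of the code rather than a side effect of which option happens to be parsed last.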
Comment 4 Mark J. Cox (Product Security) 2004-06-22 11:41:31 EDT
A second issue was found, CAN-2004-0461 which we have also confirmed
does not affect Red Hat Enterprise Linux; therefore no update required.

An update for Fedora Core 2 is required and will be released when the
embargo is lifted later today.
Comment 5 Mark J. Cox (Product Security) 2004-06-22 14:15:47 EDT
Public; removing embargo
http://www.us-cert.gov/cas/techalerts/TA04-174A.html
Comment 6 Jason Vas Dias 2004-08-11 12:05:44 EDT
According to http://www.us-cert.gov/cas/techalerts/TA04-174A.html :
"These issues have been resolved in ISC DHCP 3.0.1rc14."

FC3 / rawhide now uses dhcp-3.0.1 (gold) which fixes this issue.
dhcp-3.0.1 was also submitted to fc2-updates .

I tried to submit dhcp-3.0.1(gold) to RHEL-3.0-U3, but my request
was denied - hence RHEL-3.0-U3, which still uses dhcp-3.0pl2, is
still vulnerable to this issue.

Comment 7 Mark J. Cox (Product Security) 2004-08-11 12:34:27 EDT
Actually only 3.0.1rc12 and 3.0.1rc13 can be exploited; 3.0pl2 is not
vulnerable to this issue.
Comment 8 John Flanagan 2004-12-21 14:41:55 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-566.html