Bug 125926 - CAN-2004-0460/1 DHCP stack overflow in hostname logging
Summary: CAN-2004-0460/1 DHCP stack overflow in hostname logging
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: dhcp
Version: 3.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jason Vas Dias
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-06-14 08:52 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-08-11 16:37:19 UTC
Target Upstream Version:
Embargoed:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2004:566 | 0 | normal | SHIPPED_LIVE | Updated dhcp and dhclient packages | 2005-05-26 04:00:00 UTC

Description Mark J. Cox 2004-06-14 08:52:55 UTC
The Internet Software Consortium reported to us via CERT on Jun10 a
flaw in hostname logging that affects all versions of DHCP 3.  A
malicious client could send carefully crafted hostname options to a
server which would lead to a stack buffer overflow.  In order to
exploit this flaw an attacker would need to be able to send UDP
packets to the targeted system which limits the attack to the local
network or via routed topology.  A successful attack could lead to
remote arbitrary code execution.

This issue is under embargo until Jun15 at 1400EST.

Comment 1 Mark J. Cox 2004-06-14 08:53:28 UTC
(Red Hat Enterprise Linux 2.1 is based on version 2 of DHCP, and is
therefore not vulnerable to this issue).

Comment 2 Mark J. Cox 2004-06-15 10:12:51 UTC
Embargo moved to Jun17 at 1400EST to accommodate second issue,
CAN-2004-0461:

"Several operating system specific builds have a C include that
overrides the vsnprintf function to vsprintf. Therefore, anywhere that
the developers thought they were using vsnprintf to restrict bounds,
they actually weren't being restricted at all"
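
The effect described in the quoted report can be checked for in a build with a canary test. This is an added example, not code from ISC DHCP or from this bug report: the macro is a constructed stand-in for such an include, and `fmt_real`, `fmt_shimmed` and `bytes_past_limit` are hypothetical names. The scratch area is deliberately larger than the requested bound, so the unbounded write stays inside it and can be counted.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REGION 64    /* real size of the scratch area, large enough for any write below */
#define LIMIT  8     /* bound the caller asks the formatter to respect */
#define CANARY 0x5A  /* fill byte; must not occur in the formatted output */
typedef int (*fmt_fn)(char *, size_t, const char *, ...);

/* Uses the C library's real vsnprintf. */
static int fmt_real(char *buf, size_t size, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Constructed stand-in for the kind of platform include the quoted report describes. */
#undef vsnprintf
#define vsnprintf(buf, size, fmt, ap) vsprintf(buf, fmt, ap)

/* Same source as fmt_real, but the call now expands to vsprintf. */
static int fmt_shimmed(char *buf, size_t size, const char *fmt, ...) {
    va_list ap;
    (void)size; /* the macro drops the bound, so it is never used */
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Counts bytes modified beyond LIMIT; 0 means the bound was honoured. */
static int bytes_past_limit(fmt_fn f) {
    char region[REGION];
    memset(region, CANARY, sizeof region);
    f(region, LIMIT, "%s", "client-hostname-0123"); /* 20 chars + NUL, fits in REGION */
    int spilled = 0;
    for (size_t i = LIMIT; i < REGION; i++)
        if ((unsigned char)region[i] != CANARY)
            spilled++;
    return spilled;
}

int main(void) {
    printf("real vsnprintf: %d bytes past limit\n", bytes_past_limit(fmt_real));
    printf("shimmed build:  %d bytes past limit\n", bytes_past_limit(fmt_shimmed));
    return 0;
}
```

A non-zero count for a wrapper that is supposed to be bounded means some header in that build has replaced the bounded call.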

Comment 3 Mark J. Cox 2004-06-15 10:43:42 UTC
ISC have reported "after closer analysis it appears that only ISC DHCP
3.0.1rc12 and 3.0.1rc13 are vulnerable. Versions prior to this contain
the flaw, but are not exploitable because prior versions of ISC DHCP
only include the last hostname option provided by the client, limiting
the size to 255 bytes, which is not enough to overflow the buffer.".

Therefore CAN-2004-0460 does not affect Red Hat Enterprise Linux (but
does affect Fedora Core 2 only).


Comment 4 Mark J. Cox 2004-06-22 15:41:31 UTC
A second issue was found, CAN-2004-0461 which we have also confirmed
does not affect Red Hat Enterprise Linux; therefore no update required. 

An update for Fedora Core 2 is required and will be released when the
embargo is lifted later today.

Comment 5 Mark J. Cox 2004-06-22 18:15:47 UTC
Public; removing embargo
http://www.us-cert.gov/cas/techalerts/TA04-174A.html

Comment 6 Jason Vas Dias 2004-08-11 16:05:44 UTC
According to link:
 http://www.us-cert.gov/cas/techalerts/TA04-174A.html
:
"These issues have been resolved in ISC DHCP 3.0.1rc14."

FC3 / rawhide now uses dhcp-3.0.1 (gold) which fixes this issue.
dhcp-3.0.1 was also submitted to fc2-updates.

I tried to submit dhcp-3.0.1(gold) to RHEL-3.0-U3, but my request 
was denied - hence RHEL-3.0-U3, which still uses dhcp-3.0pl2, is
still vulnerable to this issue.



Comment 7 Mark J. Cox 2004-08-11 16:34:27 UTC
Actually only 3.0.1rc12 and 3.0.1rc13 can be exploited; 3.0pl2 is not
vulnerable to this issue.

Comment 8 John Flanagan 2004-12-21 19:41:55 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-566.html
