Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5365 to the following vulnerability: Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2 allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU. References: http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1962 http://www.openbsd.org/errata42.html#001_dhcpd http://secunia.com/advisories/27160 http://www.securityfocus.com/bid/25984
OpenBSD's dhcpd is based on ISC dhcpd 2.x. We ship dhcpd 2.0pl5 in Red Hat Enterprise Linux 2.1, which seems to be affected by this issue. ISC dhcpd version 3.x checks "maximum message size" value provided by dhcp client. Versions of dhcpd in Red Hat Enterprise Linux 3, 4 and 5 are based on 3.x ISC dhcp branch and are not vulnerable. Patch applied by OpenBSD: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/options.c.diff?r1=1.8&r2=1.9&f=h Note: This issue is reported to be one of three issues discovered by ISS X-Force and fixed in dhcpd bundled with VMWare products (which is based on ISC dhcp 2.x). Those issues have CVE ids CVE-2007-0061, CVE-2007-0062 and CVE-2007-0063, but we currently do not have any details about those vulnerabilities.
Created attachment 234291 [details] mms checking code backported from dhcp-3.x Original OpenBSD patch was incomplete. They've already noticed that and updated their version to use code more similar to dhcp-3.x version: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/options.c.diff?r1=1.16&r2=1.17&f=h
Issue was addressed by errata: https://rhn.redhat.com/errata/RHSA-2007-0970.html