Bug 339561 - (CVE-2007-0062) CVE-2007-0062 dhcpd possible DoS via large max-message-size option
Status: CLOSED NEXTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
source=cve,reported=20070921,public=2...
Keywords: Security
Reported: 2007-10-19 07:50 EDT by Tomas Hoger
Modified: 2008-06-03 05:06 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-06-03 04:59:14 EDT

Attachments:
ISC patch for dhcp 3.0.x (24.78 KB, patch), 2007-10-29 08:15 EDT, Tomas Hoger

Description Tomas Hoger 2007-10-19 07:50:44 EDT
ISC dhcpd is prone to a denial of service attack (daemon crash) when a DHCP
client specifies a large value for dhcp-max-message-size in the request.

The problem only occurs when dhcpd is configured to provide clients with a very
large number of DHCP options.  Such configurations seem very unlikely to exist
in real deployments.
Comment 3 Tomas Hoger 2007-10-29 08:15:07 EDT
Created attachment 241731
ISC patch for dhcp 3.0.x

Thanks to Evan Hunt for providing this patch!

The patch itself is a bit long, as it has some unrelated changes too, like
formatting updates and re-wording of some comments.
Comment 4 David Cantrell 2007-10-29 13:30:44 EDT
This patch is a bit large.  Can we have it without the formatting changes?  If
not, I'll go through it and reduce it to just the security fix.

I'd like to get updates out for Fedora for this issue as well.  Recent versions
of Fedora that we're still supporting use ISC DHCP 3.0.5 or 3.0.6.  I have
upgraded rawhide to 3.1.0.
Comment 5 Tomas Hoger 2007-10-29 14:19:40 EDT
I guess we'll have to cut it down to something smaller ourselves, but I guess it
should not be too difficult.

Please postpone updates for now, as we still do not know the exact CVE id for
this issue.  Postponing it should not cause many problems, as I do not believe
this issue really affects any users.

Btw: ISC's plan regarding this issue is:

It'll be released in the next cut of DHCP 4.0.0--I'm not sure yet whether it'll
be named "b3" or "rc1"--and in DHCP 3.1.1b1.
Comment 7 Tomas Hoger 2007-11-02 13:21:20 EDT
David Dewey of IBM ISS X-Force confirmed this is CVE-2007-0062.

http://xforce.iss.net/xforce/xfdb/33102
Comment 9 Tomas Hoger 2008-06-03 04:59:14 EDT
Investigation of this issue showed that the impact of the flaw is limited to a
DoS attack against the dhcpd server.  The issue can only be exploited in
unlikely configurations where the dhcpd server is configured to provide clients
with a large set of DHCP options.  Such configurations are easily spotted as
they are likely to cause a server crash on non-malicious client requests (if the
client specifies a large enough max message size) or clients receiving an
incomplete or truncated options set in the server's reply (for common max
message sizes smaller than the maximum dhcp packet MTU).
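
The condition in the description and in Comment 9 depends on the dhcp-max-message-size value (DHCP option 57) that a client sends. As an added example, not part of this bug report or of ISC's code, the parser below extracts that value from a captured DHCP message so unusually large requests can be flagged in monitoring; the 1500-byte review threshold and the sample packet builder are assumptions constructed for illustration.

```python
import struct

BOOTP_HEADER_LEN = 236  # fixed BOOTP fields that precede the options
MAGIC_COOKIE = bytes([99, 130, 83, 99])  # marks the start of DHCP options
OPT_PAD, OPT_END, OPT_MAX_MSG_SIZE = 0, 255, 57
REVIEW_THRESHOLD = 1500  # assumption: Ethernet MTU; tune for your network


def parse_options(packet):
    """Return {code: data} for the options field of a DHCP message."""
    start = BOOTP_HEADER_LEN + len(MAGIC_COOKIE)
    if packet[BOOTP_HEADER_LEN:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, start
    while i < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == OPT_PAD:  # pad is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("option %d is truncated" % code)
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        options.setdefault(code, data)  # keep the first instance of a code
        i += 2 + length
    return options


def max_message_size(packet):
    """Return the option 57 value the client sent, or None if absent."""
    data = parse_options(packet).get(OPT_MAX_MSG_SIZE)
    if data is None:
        return None
    if len(data) != 2:
        raise ValueError("option 57 must carry exactly 2 bytes")
    return struct.unpack("!H", data)[0]


def needs_review(packet, threshold=REVIEW_THRESHOLD):
    """True when the advertised size exceeds the review threshold."""
    size = max_message_size(packet)
    return size is not None and size > threshold


def sample_discover(size):
    """Constructed sample: minimal DHCPDISCOVER carrying option 57."""
    header = bytes([1, 1, 6, 0]) + bytes(BOOTP_HEADER_LEN - 4)
    opts = bytes([53, 1, 1, 57, 2]) + struct.pack("!H", size) + bytes([OPT_END])
    return header + MAGIC_COOKIE + opts
```
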
Comment 10 Tomas Hoger 2008-06-03 05:04:57 EDT
Making the bug public; the issue is now fixed upstream in all dhcp versions
currently supported by ISC.  Fixed upstream in the following versions:

  dhcp-3.0.7
  dhcp-3.1.1
  dhcp-4.0.0

Due to the minimal impact of this flaw, we currently do not plan to backport a
fix to dhcp packages in the already released versions of Red Hat Enterprise
Linux.  Future Red Hat Enterprise Linux versions will include fixed dhcp
packages based on the fixed upstream version.
Comment 11 Tomas Hoger 2008-06-03 05:06:03 EDT
The issue is already fixed in the dhcp packages in Fedora 9 and Rawhide, as they
are based on the fixed upstream version 4.0.0.
