Bug 725349 - (CVE-2011-2717) CVE-2011-2717 dhcpv6: insufficient checking of DHCP options
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
public=20110405,reported=20110318,sou...
Keywords: Security
Blocks: 722974
Reported: 2011-07-25 05:23 EDT by Tomas Hoger
Modified: 2015-03-06 06:58 EST
Doc Type: Bug Fix
Last Closed: 2015-03-06 06:58:19 EST
Description Tomas Hoger 2011-07-25 05:23:45 EDT
A missing DHCP option checking / sanitization flaw was reported for multiple DHCP clients.  This flaw may allow a DHCP server to trick DHCP clients into setting e.g. the system hostname to a specially crafted value containing shell special characters.  Various scripts assume that the hostname is trusted, which may lead to code execution when the hostname is specially crafted.

This issue was tracked in bug #689832 for ISC dhclient (CVE-2011-0997), which also discussed a few other affected clients.  This bug is created to track dhcpv6 separately.

The impact for DHCPv6 clients is significantly lower than impact for DHCPv4 clients, as DHCPv6 does not allow passing hostname in the DHCP reply.  DNS domain name search is provided in the DHCPv6 replies.
Comment 1 Tomas Hoger 2011-07-25 06:01:51 EDT
A proposed patch adding a check for the domain-search option is attached to the previously mentioned bug #689832:
  https://bugzilla.redhat.com/show_bug.cgi?id=689832#c2

(In reply to comment #0)
> The impact for DHCPv6 clients is significantly lower than impact for DHCPv4
> clients, as DHCPv6 does not allow passing hostname in the DHCP reply.  DNS
> domain name search is provided in the DHCPv6 replies.

There are currently no known good ways to take advantage of a specially crafted domain name noted as the "search" option value in /etc/resolv.conf.  We have inspected various scripts that update the resolv.conf file; none of them processes the existing search value insecurely.

The only problematic use that was identified was in shtool's sh.echo script. This script may possibly use the search value as part of the replacement argument to sed's substitution command.  A specially crafted value can result in sed command execution, which may lead to file overwrite or direct code execution (GNU sed).  This would require shtool's echo to be used with the "%d" construct to request expansion to the host's domain.  Additionally, the domain name extracted from the hostname (only when '%h' is used too) or the domain value from resolv.conf takes precedence over the search value.
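
The kind of check discussed in comment 1, as an added example: this is not the patch attached to bug #689832 and not dhcpv6 code. It accepts a domain-search name only if it is plain hostname syntax (letters, digits, hyphens, dot-separated labels), so shell and sed metacharacters never reach resolv.conf; the function name `search_domain_is_safe` and the length limits used are assumptions of this sketch.

```c
#include <stddef.h>
#include <string.h>

#define MAX_NAME_LEN  253   /* longest textual DNS name */
#define MAX_LABEL_LEN 63    /* longest single label */

/* Allow-list: letters, digits and '-' only; no locale dependence. */
static int is_label_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/*
 * Hypothetical helper (not dhcpv6 code): returns 1 if `name` is a plain
 * DNS name that can be written after "search" in resolv.conf, else 0.
 * Shell and sed metacharacters, whitespace, newlines and non-ASCII
 * bytes are rejected outright rather than escaped.
 */
int search_domain_is_safe(const char *name)
{
    size_t len, i, label_len = 0;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len > 0 && name[len - 1] == '.')
        len--;                      /* tolerate one trailing dot */
    if (len == 0 || len > MAX_NAME_LEN)
        return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];

        if (c == '.') {
            /* reject empty labels and labels ending in '-' */
            if (label_len == 0 || name[i - 1] == '-')
                return 0;
            label_len = 0;
        } else if (!is_label_char(c) ||
                   (c == '-' && label_len == 0) ||   /* leading '-' */
                   ++label_len > MAX_LABEL_LEN) {
            return 0;
        }
    }
    /* the last label must be non-empty and must not end in '-' */
    return label_len > 0 && name[len - 1] != '-';
}
```

A client using such a check would drop the whole option (and log it) when any name in the list fails, rather than trying to escape the value for later consumers.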
