Vulnerability Patched in DHCP Software

Monday, April 11, 2011 @ 01:04 PM gHale


An updated version of DHCP software should resolve a vulnerability that could allow attackers to execute arbitrary code remotely, said the Internet Systems Consortium (ISC).

ISC DHCP, a widely used open source implementation of the Dynamic Host Configuration Protocol, is a default software program in a host of Linux distributions.

The vulnerability, patched in the newly released ISC DHCP 3.1-ESV-R1, 4.1-ESV-R2 and 4.2.1-P1, affects the DHCP client component, dhclient.

It is the result of failure to escape certain meta-characters encountered in DHCP responses. An attacker with control of the DHCP server could send malicious responses that would lead to remote code execution on the client.

“ISC dhclient did not strip or escape certain shell meta-characters in responses from the dhcp server (like hostname) before passing the responses on to dhclient-script. Depending on the script and OS, this can result in execution of exploit code on the client,” ISC said in its advisory.

Identified as CVE-2011-0997, the vulnerability has a CVSS base score of 6.8 out of 10. ISC credited Sebastian Krahmer and Marius Tomaschewski from the SUSE Security Team with reporting it.

There are also some workarounds available. On SUSE systems, set DHCLIENT_SET_HOSTNAME="no" in /etc/sysconfig/network/dhcp; on other systems, add the line new_host_name=${new_host_name//[^-.a-zA-Z0-9]/} to dhclient-script at the beginning of the set_hostname() function.
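
The allow-list filter from that workaround, as an added example that is not code from ISC or from this article. It uses tr instead of the bash-only ${var//pattern/} expansion so it also runs where dhclient-script is interpreted by a plain POSIX sh; the function names and the sample values are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: allow-list filter for a DHCP-supplied hostname.
# sanitize_hostname and hostname_is_clean are hypothetical helper names,
# not functions that exist in dhclient-script.

# Delete every character outside [-.a-zA-Z0-9], the same allow-list as the
# workaround. LC_ALL=C pins the ranges to ASCII regardless of system locale.
sanitize_hostname() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'a-zA-Z0-9.-'
}

# Succeed only if the value is non-empty and needed no rewriting, so the
# caller can log or refuse a lease whose hostname option had to be altered.
hostname_is_clean() {
    [ -n "$1" ] && [ "$(sanitize_hostname "$1")" = "$1" ]
}

# Constructed sample values standing in for the hostname option of a lease.
for candidate in 'ws-042.example.com' 'host;x' 'a$(x)b' 'name`y`' 'pc one'; do
    clean=$(sanitize_hostname "$candidate")
    if hostname_is_clean "$candidate"; then
        printf 'ok       %s\n' "$candidate"
    else
        printf 'rewrote  %s -> %s\n' "$candidate" "$clean"
    fi
done
```

A value that fails hostname_is_clean is worth logging along with the server that supplied it, since a legitimate DHCP server has no reason to send shell meta-characters in a hostname.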

Users can download the patched DHCP source packages from ISC’s download page or receive them through their operating system’s own distribution mechanism, when they become available.

The Internet Systems Consortium is a non-profit corporation which maintains several open source software applications for the Internet infrastructure, like the BIND DNS server. The organization also operates one of the Internet’s 13 root name servers.


