CERT Reports Potential Compromise in Common DHCP Server

by Michael Hall

The DHCP daemon released by the Internet Software Consortium has a common programming error that could lead to administrative or root compromise of hosts running a DHCP server.

CERT has issued a security advisory regarding a format string vulnerability in dhcpd, a piece of server software released by the Internet Software Consortium (ISC) and used to allocate network addresses and supply other essential network connection settings to clients. The organization has released a patch to the server.

CERT reports that a quick fix involves ingress filtering of TCP and UDP packets on ports 67 and 68 (bootpc) to ensure external hosts are kept from accessing the vulnerable server.

The current list of vendors in the advisory reporting a vulnerability includes Alcatel and Conectiva Linux. A longer list of all vendors is available on an update page maintained by CERT (see Resources, below), which the organization will update as vendors report on their products. Currently the majority of UNIX and Linux vendors, Apple, Dell, and Compaq are listed as "unknown." Microsoft reports that its operating systems do not ship with the ISC's dhcpd server and are not affected.

A format string vulnerability involves the deliberate passing of input to a program that causes it to execute arbitrary instructions. In the case of software that runs with administrative or root privileges, these instructions can then be used to gain control of the computer running the vulnerable software, or simply perform malicious or damaging actions.
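The class of bug described above, shown as an added example (not code from the article, the advisory or ISC's dhcpd): a logger that uses untrusted text as the format string, next to the corrected call. The names `log_msg`, `log_client_unsafe` and `log_client_safe` are hypothetical, and the sample inputs are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger, standing in for a daemon's log routine.
 * It writes into a buffer so the result can be inspected. */
static char last_log[256];

static void log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

const char *last_logged(void) { return last_log; }

/* VULNERABLE: text supplied by a network client becomes the format string,
 * so any '%' directive in it is interpreted by the formatting code, which
 * then consumes arguments that were never passed. */
void log_client_unsafe(const char *client_text)
{
    log_msg(client_text);
}

/* HARDENED: the format is a constant and the client text is only data. */
void log_client_safe(const char *client_text)
{
    log_msg("%s", client_text);
}

int main(void)
{
    /* Constructed input: "%%" is the one directive that takes no argument,
     * so it shows the interpretation without undefined behaviour. */
    const char *client_text = "lease 50%% used";

    log_client_unsafe(client_text);
    printf("unsafe: %s\n", last_logged());  /* the "%%" is collapsed to "%" */

    log_client_safe(client_text);
    printf("safe:   %s\n", last_logged());  /* logged byte for byte */
    return 0;
}
```

When a logger like this is declared with the printf format attribute, GCC and Clang report the unsafe call under `-Wformat -Wformat-security`.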


This article was originally published on Thursday May 9th 2002