September 28, 2016

ISC’s DHCP Client Could Allow Remote Code Execution

The Internet Systems Consortium (ISC), a non-profit company which develops software for the infrastructure of the Internet (like BIND and DHCP), has released details of a new remote code execution vulnerability present in its dhclient software.

dhclient is ISC’s DHCP client and can be found on most Linux systems as well as other Unix-like platforms such as FreeBSD. When a machine is configured to use DHCP (Dynamic Host Configuration Protocol), dhclient broadcasts a request asking for hostname and IP configuration information. A DHCP server then replies with the corresponding information.

The problem is that dhclient does not strip or escape certain shell meta-characters in responses from the DHCP server (such as the hostname) before passing them on to dhclient-script. Depending on the script and OS, this can result in execution of exploit code on the client. dhclient versions 3.0.x to 4.2.x are affected.

ISC have issued new versions of the software: 3.1-ESV-R1, 4.1-ESV-R2 or 4.2.1-P1 which can be downloaded from here. No patch is available for 4.0.x as it has reached its end of life. Anyone running 4.1.x should upgrade to 4.1-ESV-R2.

If you don’t want to rebuild the software yourself you should consider the immediate workarounds given below or wait until your Linux distribution issues an update.

Immediate workarounds

On SUSE systems, it is possible to disable hostname updates by setting DHCLIENT_SET_HOSTNAME="no" in /etc/sysconfig/network/dhcp. On other systems, the following line can be added to dhclient-script at the beginning of the set_hostname() function:

new_host_name=${new_host_name//[^-.a-zA-Z0-9]/}
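The same allow-list filter written for a shell that lacks the ${var//pattern/} expansion (it is not part of POSIX sh), with a check that reports when an offered value had to be altered. This is an added example, not part of the original post or of ISC's dhclient-script; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: POSIX-sh form of the allow-list workaround.
# Function names and sample values are hypothetical / constructed.

# Keep only the characters the workaround allows: letters, digits, '-' and '.'.
sanitize_hostname() {
    # LC_ALL=C keeps the a-z / A-Z ranges byte-exact regardless of locale.
    printf '%s' "$1" | LC_ALL=C tr -cd 'a-zA-Z0-9.-'
}

# Succeeds only if the value contains no disallowed characters.
hostname_is_clean() {
    [ "$(sanitize_hostname "$1")" = "$1" ]
}

# Print the filtered value. Warn on stderr when characters were stripped,
# and fail when nothing usable remains so the caller can skip the update.
apply_hostname_filter() {
    raw=$1
    clean=$(sanitize_hostname "$raw")
    if [ "$clean" != "$raw" ]; then
        echo "dhcp: stripped disallowed characters from offered host-name" >&2
    fi
    if [ -z "$clean" ]; then
        return 1
    fi
    printf '%s' "$clean"
}

# Constructed sample values: one benign name, three carrying characters
# outside the allow-list (shell meta-characters, spaces, nothing usable).
for sample in 'host-01.example.com' 'lab$(x)`y`;z|w&' 'name with spaces' ';|&'; do
    if filtered=$(apply_hostname_filter "$sample" 2>/dev/null); then
        printf '[%s] -> [%s]\n' "$sample" "$filtered"
    else
        printf '[%s] -> rejected, hostname left unchanged\n' "$sample"
    fi
done
```

Inside set_hostname() the equivalent call would be new_host_name=$(sanitize_hostname "$new_host_name"), placed before the value is used anywhere else in the function.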
