September 30, 2016

ISC Patch DHCP Server Halt Bugs

(LiveHacking.Com) – The Internet Systems Consortium, Inc. (ISC) , the non-profit company which develops software for the infrastructure of the Internet (like BIND and DHCP),  is reporting that two issues have been found in its DHCP server that could allow an attacker to cause the server to crash.

According to the advisory, the ISC received a report from David Zych from the University of Illinois about a crash in the DHCP when it tries to process certain types of packets. Upon investigation ISC found another similar bug along side the one reported by David. The patch issued by the ISC fixes the code to properly discard or process those packets.

Affected versions of the DHCP server are 3.1.0 through 3.1-ESV-R1, all versions of 4.0 (as it has reached EOL), 4.1.0 through 4.1.2rc1, 4.1-ESV through 4.1-ESV-R3b1 and 4.2.0 through 4.2.2rc1. The current supported and patch versions are 3.1-ESV-R3, 4.1-ESV-R3 or 4.2.2.

The advisory also notes that this is the last update to 3.1-ESV as it will reach End-of-Life after this release.

ISC’s DHCP Client Could Allow Remote Code Execution

The Internet Systems Consortium (ISC), a non-profit company which develops software for the infrastructure of the Internet (like BIND and DHCP), has released details of a new remote code execution vulnerability present in its dhclient software.

dhclient is ISC’s DHCP client and can be found on most Linux systems as well as other Unix-like platforms such as FreeBSD. When a machine is configured to use DHCP (Dynamic Host Configuration Protocol) the dhclient broadcasts a request asking for hostname and IP configuration information. A DHCP server will then reply with the corresponding information.

The problem is that dhclient does not strip or escape certain shell meta-characters in responses from the dhcp server (like hostname) before passing the responses on to dhclient-script. Depending on the script and OS, this can result in execution of exploit code on the client. dhclient versions 3.0.x to 4.2.x are affected.

ISC have issued new versions of the software: 3.1-ESV-R1, 4.1-ESV-R2 or 4.2.1-P1 which can be downloaded from here. No patch is available for 4.0.x as it has reached its end of life. Anyone running 4.1.x should upgrade to 4.1-ESV-R2.

If you don’t want to rebuild the software yourself you should consider the immediate workarounds given below or wait until your Linux distribution issues an update.

Immediate workarounds

On SUSE systems, it is possible to disable hostname update by setting DHCLIENT_SET_HOSTNAME=”no” in /etc/sysconfig/network/dhcp. Other systems may add following line to dhclient-script at the beginning of the set_hostname() function:

new_host_name=${new_host_name//[^-.a-zA-Z0-9]/}