Executive Summary
Summary | |
---|---|
Title | dhcp security update |
Informations | |||
---|---|---|---|
Name | RHSA-2009:1154 | First vendor Publication | 2009-07-14 |
Vendor | RedHat | Last vendor Modification | 2009-07-14 |
Severity (Vendor) | Critical | Revision | 02 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated dhcp packages that fix two security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 3. Description: The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) An insecure temporary file use flaw was discovered in the DHCP daemon's init script ("/etc/init.d/dhcpd"). A local attacker could use this flaw to overwrite an arbitrary file with the output of the "dhcpd -t" command via a symbolic link attack, if a system administrator executed the DHCP init script with the "configtest", "restart", or "reload" option. (CVE-2009-1893) Users of DHCP should upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 507717 - CVE-2009-0692 dhclient: stack overflow leads to arbitrary code execution as root 510024 - CVE-2009-1893 dhcp: insecure temporary file use in the dhcpd init script |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2009-1154.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
50 % | CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10758 | |||
Oval ID: | oval:org.mitre.oval:def:10758 | ||
Title: | Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option. | ||
Description: | Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-0692 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:11597 | |||
Oval ID: | oval:org.mitre.oval:def:11597 | ||
Title: | The configtest function in the Red Hat dhcpd init script for DHCP 3.0.1 in Red Hat Enterprise Linux (RHEL) 3 allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file, related to the "dhcpd -t" command. | ||
Description: | The configtest function in the Red Hat dhcpd init script for DHCP 3.0.1 in Red Hat Enterprise Linux (RHEL) 3 allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file, related to the "dhcpd -t" command. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-1893 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:12418 | |||
Oval ID: | oval:org.mitre.oval:def:12418 | ||
Title: | USN-803-2 -- dhcp3 vulnerability | ||
Description: | USN-803-1 fixed a vulnerability in Dhcp. Due to an error, the patch to fix the vulnerability was not properly applied on Ubuntu 8.10 and higher. Even with the patch improperly applied, the default compiler options reduced the vulnerability to a denial of service. Additionally, in Ubuntu 9.04 and higher, users were also protected by the AppArmor dhclient3 profile. This update fixes the problem. Original advisory details: It was discovered that the DHCP client as included in dhcp3 did not verify the length of certain option fields when processing a response from an IPv4 dhcp server. If a user running Ubuntu 6.06 LTS or 8.04 LTS connected to a malicious dhcp server, a remote attacker could cause a denial of service or execute arbitrary code as the user invoking the program, typically the "dhcp" user. For users running Ubuntu 8.10 or 9.04, a remote attacker should only be able to cause a denial of service in the DHCP client. In Ubuntu 9.04, attackers would also be isolated by the AppArmor dhclient3 profile. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-803-2 CVE-2009-0692 | Version: | 5 |
Platform(s): | Ubuntu 8.10 Ubuntu 9.10 Ubuntu 9.04 | Product(s): | dhcp3 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:5941 | |||
Oval ID: | oval:org.mitre.oval:def:5941 | ||
Title: | DHCP dhclient Stack Overflow in script_write_params() Lets Remote Users Execute Arbitrary Code | ||
Description: | Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-0692 | Version: | 1 |
Platform(s): | VMWare ESX Server 3 VMWare ESX Server 3.5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:6440 | |||
Oval ID: | oval:org.mitre.oval:def:6440 | ||
Title: | Red Hat dhcpd init Script Symlink Flaw Lets Local Users Gain Elevated Privileges | ||
Description: | The configtest function in the Red Hat dhcpd init script for DHCP 3.0.1 in Red Hat Enterprise Linux (RHEL) 3 allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file, related to the "dhcpd -t" command. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-1893 | Version: | 1 |
Platform(s): | VMWare ESX Server 3 VMWare ESX Server 3.5 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
ExploitDB Exploits
id | Description |
---|---|
2009-11-10 | ISC DHCP 'dhclient' 'script_write_params()' Stack Buffer Overflow Vulnerability |
2009-07-27 | ISC DHCP dhclient < 3.1.2p1 Remote Buffer Overflow PoC |
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for dhclient CESA-2009:1154 centos3 i386 File : nvt/gb_CESA-2009_1154_dhclient_centos3_i386.nasl |
2010-06-25 | Name : Fedora Update for dhcp FEDORA-2010-10083 File : nvt/gb_fedora_2010_10083_dhcp_fc11.nasl |
2010-01-29 | Name : Ubuntu Update for dhcp3 vulnerability USN-803-2 File : nvt/gb_ubuntu_USN_803_2.nasl |
2009-12-10 | Name : Mandriva Security Advisory MDVSA-2009:312 (dhcp) File : nvt/mdksa_2009_312.nasl |
2009-11-17 | Name : Fedora Core 11 FEDORA-2009-9075 (dhcp) File : nvt/fcore_2009_9075.nasl |
2009-10-13 | Name : SLES10: Security update for dhclient File : nvt/sles10_dhcp.nasl |
2009-10-11 | Name : SLES11: Security update for dhcp-client File : nvt/sles11_dhcp-client.nasl |
2009-10-10 | Name : SLES9: Security update for dhcp-client File : nvt/sles9p5053652.nasl |
2009-09-02 | Name : Debian Security Advisory DSA 1833-2 (dhcp3) File : nvt/deb_1833_2.nasl |
2009-09-02 | Name : Fedora Core 10 FEDORA-2009-8344 (dhcp) File : nvt/fcore_2009_8344.nasl |
2009-07-29 | Name : Ubuntu USN-803-1 (dhcp3) File : nvt/ubuntu_803_1.nasl |
2009-07-29 | Name : RedHat Security Advisory RHSA-2009:1136 File : nvt/RHSA_2009_1136.nasl |
2009-07-29 | Name : SuSE Security Advisory SUSE-SA:2009:037 (dhcp-client) File : nvt/suse_sa_2009_037.nasl |
2009-07-29 | Name : CentOS Security Advisory CESA-2009:1154 (dhcp) File : nvt/ovcesa2009_1154.nasl |
2009-07-29 | Name : Mandrake Security Advisory MDVSA-2009:151 (dhcp) File : nvt/mdksa_2009_151.nasl |
2009-07-29 | Name : Gentoo Security Advisory GLSA 200907-12 (dhcp) File : nvt/glsa_200907_12.nasl |
2009-07-29 | Name : FreeBSD Ports: isc-dhcp31-client File : nvt/freebsd_isc-dhcp31-client.nasl |
2009-07-29 | Name : Debian Security Advisory DSA 1833-1 (dhcp3) File : nvt/deb_1833_1.nasl |
2009-07-29 | Name : RedHat Security Advisory RHSA-2009:1154 File : nvt/RHSA_2009_1154.nasl |
2009-07-23 | Name : ISC DHCP Client Buffer Overflow Vulnerability File : nvt/secpod_isc_dhcp_client_bof_vuln.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2009-195-01 dhcp File : nvt/esoft_slk_ssa_2009_195_01.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
56464 | Red Hat Linux DHCP dhcpd configtest Function Symlink Arbitrary File Overwrite |
55819 | ISC DHCP client/dhclient.c script_write_params() Function Remote Overflow |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2009-10-22 | IAVM : 2009-A-0105 - Multiple Vulnerabilities in VMware Products Severity : Category I - VMSKEY : V0021867 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Multiple Operating Systems invalid DHCP option attempt RuleID : 7196 - Revision : 13 - Type : OS-OTHER |
2014-01-10 | dhclient subnet mask option buffer overflow attempt RuleID : 15700 - Revision : 3 - Type : SERVER-OTHER |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-03 | Name : The remote host is missing a security-related patch. File : vmware_VMSA-2009-0014_remote.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1154.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1136.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090714_dhcp_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1833.nasl - Type : ACT_GATHER_INFO |
2010-01-28 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-803-2.nasl - Type : ACT_GATHER_INFO |
2009-12-04 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-312.nasl - Type : ACT_GATHER_INFO |
2009-11-11 | Name : The remote Fedora host is missing a security update. File : fedora_2009-9075.nasl - Type : ACT_GATHER_INFO |
2009-10-19 | Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2009-0014.nasl - Type : ACT_GATHER_INFO |
2009-10-06 | Name : The remote openSUSE host is missing a security update. File : suse_dhcp-6336.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_dhcp-6335.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_dhcp-client-090626.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12447.nasl - Type : ACT_GATHER_INFO |
2009-08-26 | Name : The remote Fedora host is missing a security update. File : fedora_2009-8344.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_dhcp-090626.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_dhcp-090626.nasl - Type : ACT_GATHER_INFO |
2009-07-16 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1154.nasl - Type : ACT_GATHER_INFO |
2009-07-16 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-151.nasl - Type : ACT_GATHER_INFO |
2009-07-16 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_c444c8b7716911de9ab7000c29a67389.nasl - Type : ACT_GATHER_INFO |
2009-07-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1154.nasl - Type : ACT_GATHER_INFO |
2009-07-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1136.nasl - Type : ACT_GATHER_INFO |
2009-07-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-803-1.nasl - Type : ACT_GATHER_INFO |
2009-07-15 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200907-12.nasl - Type : ACT_GATHER_INFO |
2009-07-15 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2009-195-01.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:52:40 |
|