Executive Summary
Summary | |
---|---|
Title | New dhcp3 packages fix arbitrary code execution |
Informations | |||
---|---|---|---|
Name | DSA-1833 | First vendor Publication | 2009-07-14 |
Vendor | Debian | Last vendor Modification | 2009-08-25 |
Severity (Vendor) | N/A | Revision | 2 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
The previous dhcp3 update (DSA-1833-1) did not properly apply the required changes to the stable (lenny) version. The old stable (etch) version is not affected by this problem. The original advisory description follows. Several remote vulnerabilities have been discovered in ISC's DHCP implementation: It was discovered that dhclient does not properly handle overlong subnet mask options, leading to a stack-based buffer overflow and possible arbitrary code execution. (CVE-2009-0692) Christoph Biedl discovered that the DHCP server may terminate when receiving certain well-formed DHCP requests, provided that the server configuration mixes host definitions using "dhcp-client-identifier" and "hardware ethernet". This vulnerability only affects the lenny versions of dhcp3-server and dhcp3-server-ldap. (CVE-2009-1892) For the stable distribution (lenny), this problem has been fixed in version 3.1.1-6+lenny3. We recommend that you upgrade your dhcp3 packages. |
Original Source
Url : http://www.debian.org/security/2009/dsa-1833 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
50 % | CWE-16 | Configuration |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10758 | |||
Oval ID: | oval:org.mitre.oval:def:10758 | ||
Title: | Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option. | ||
Description: | Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-0692 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:12418 | |||
Oval ID: | oval:org.mitre.oval:def:12418 | ||
Title: | USN-803-2 -- dhcp3 vulnerability | ||
Description: | USN-803-1 fixed a vulnerability in Dhcp. Due to an error, the patch to fix the vulnerability was not properly applied on Ubuntu 8.10 and higher. Even with the patch improperly applied, the default compiler options reduced the vulnerability to a denial of service. Additionally, in Ubuntu 9.04 and higher, users were also protected by the AppArmor dhclient3 profile. This update fixes the problem. Original advisory details: It was discovered that the DHCP client as included in dhcp3 did not verify the length of certain option fields when processing a response from an IPv4 dhcp server. If a user running Ubuntu 6.06 LTS or 8.04 LTS connected to a malicious dhcp server, a remote attacker could cause a denial of service or execute arbitrary code as the user invoking the program, typically the "dhcp" user. For users running Ubuntu 8.10 or 9.04, a remote attacker should only be able to cause a denial of service in the DHCP client. In Ubuntu 9.04, attackers would also be isolated by the AppArmor dhclient3 profile. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-803-2 CVE-2009-0692 | Version: | 5 |
Platform(s): | Ubuntu 8.10 Ubuntu 9.10 Ubuntu 9.04 | Product(s): | dhcp3 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:12854 | |||
Oval ID: | oval:org.mitre.oval:def:12854 | ||
Title: | DSA-1833-1 dhcp3 -- several | ||
Description: | Several remote vulnerabilities have been discovered in ISC's DHCP implementation: It was discovered that dhclient does not properly handle overlong subnet mask options, leading to a stack-based buffer overflow and possible arbitrary code execution. Christoph Biedl discovered that the DHCP server may terminate when receiving certain well-formed DHCP requests, provided that the server configuration mixes host definitions using "dhcp-client-identifier" and "hardware ethernet". This vulnerability only affects the lenny versions of dhcp3-server and dhcp3-server-ldap. For the old stable distribution, these problems have been fixed in version 3.0.4-13+etch2. For the stable distribution, this problem has been fixed in version 3.1.1-6+lenny2. For the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your dhcp3 packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1833-1 CVE-2009-0692 CVE-2009-1892 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | dhcp3 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:13715 | |||
Oval ID: | oval:org.mitre.oval:def:13715 | ||
Title: | DSA-1833-2 dhcp3 -- several | ||
Description: | The previous dhcp3 update did not properly apply the required changes to the stable version. The old stable version is not affected by this problem. The original advisory description follows. Several remote vulnerabilities have been discovered in ISC's DHCP implementation: It was discovered that dhclient does not properly handle overlong subnet mask options, leading to a stack-based buffer overflow and possible arbitrary code execution. Christoph Biedl discovered that the DHCP server may terminate when receiving certain well-formed DHCP requests, provided that the server configuration mixes host definitions using "dhcp-client-identifier" and "hardware ethernet". This vulnerability only affects the lenny versions of dhcp3-server and dhcp3-server-ldap. For the stable distribution, this problem has been fixed in version 3.1.1-6+lenny3. We recommend that you upgrade your dhcp3 packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1833-2 CVE-2009-0692 CVE-2009-1892 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | dhcp3 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:5941 | |||
Oval ID: | oval:org.mitre.oval:def:5941 | ||
Title: | DHCP dhclient Stack Overflow in script_write_params() Lets Remote Users Execute Arbitrary Code | ||
Description: | Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-0692 | Version: | 1 |
Platform(s): | VMWare ESX Server 3 VMWare ESX Server 3.5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:8056 | |||
Oval ID: | oval:org.mitre.oval:def:8056 | ||
Title: | DSA-1833 dhcp3 -- several vulnerabilities | ||
Description: | Several remote vulnerabilities have been discovered in ISC's DHCP implementation: It was discovered that dhclient does not properly handle overlong subnet mask options, leading to a stack-based buffer overflow and possible arbitrary code execution. Christoph Biedl discovered that the DHCP server may terminate when receiving certain well-formed DHCP requests, provided that the server configuration mixes host definitions using "dhcp-client-identifier" and "hardware ethernet". This vulnerability only affects the lenny versions of dhcp3-server and dhcp3-server-ldap. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1833 CVE-2009-0692 CVE-2009-1892 | Version: | 3 |
Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | dhcp3 |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
ExploitDB Exploits
id | Description |
---|---|
2009-11-10 | ISC DHCP 'dhclient' 'script_write_params()' Stack Buffer Overflow Vulnerability |
2009-07-27 | ISC DHCP dhclient < 3.1.2p1 Remote Buffer Overflow PoC |
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for dhclient CESA-2009:1154 centos3 i386 File : nvt/gb_CESA-2009_1154_dhclient_centos3_i386.nasl |
2010-06-25 | Name : Fedora Update for dhcp FEDORA-2010-10083 File : nvt/gb_fedora_2010_10083_dhcp_fc11.nasl |
2010-01-29 | Name : Ubuntu Update for dhcp3 vulnerability USN-803-2 File : nvt/gb_ubuntu_USN_803_2.nasl |
2009-12-10 | Name : Mandriva Security Advisory MDVSA-2009:312 (dhcp) File : nvt/mdksa_2009_312.nasl |
2009-11-17 | Name : Fedora Core 11 FEDORA-2009-9075 (dhcp) File : nvt/fcore_2009_9075.nasl |
2009-10-13 | Name : SLES10: Security update for dhclient File : nvt/sles10_dhcp.nasl |
2009-10-11 | Name : SLES11: Security update for dhcp-client File : nvt/sles11_dhcp-client.nasl |
2009-10-10 | Name : SLES9: Security update for dhcp-client File : nvt/sles9p5053652.nasl |
2009-09-02 | Name : Fedora Core 10 FEDORA-2009-8344 (dhcp) File : nvt/fcore_2009_8344.nasl |
2009-09-02 | Name : Debian Security Advisory DSA 1833-2 (dhcp3) File : nvt/deb_1833_2.nasl |
2009-09-02 | Name : Gentoo Security Advisory GLSA 200908-08 (dhcp) File : nvt/glsa_200908_08.nasl |
2009-08-17 | Name : Mandrake Security Advisory MDVSA-2009:172 (dhcp) File : nvt/mdksa_2009_172.nasl |
2009-07-29 | Name : SuSE Security Advisory SUSE-SA:2009:037 (dhcp-client) File : nvt/suse_sa_2009_037.nasl |
2009-07-29 | Name : Ubuntu USN-803-1 (dhcp3) File : nvt/ubuntu_803_1.nasl |
2009-07-29 | Name : RedHat Security Advisory RHSA-2009:1136 File : nvt/RHSA_2009_1136.nasl |
2009-07-29 | Name : CentOS Security Advisory CESA-2009:1154 (dhcp) File : nvt/ovcesa2009_1154.nasl |
2009-07-29 | Name : Ubuntu USN-805-1 (ruby1.9) File : nvt/ubuntu_805_1.nasl |
2009-07-29 | Name : Mandrake Security Advisory MDVSA-2009:154 (dhcp) File : nvt/mdksa_2009_154.nasl |
2009-07-29 | Name : Mandrake Security Advisory MDVSA-2009:151 (dhcp) File : nvt/mdksa_2009_151.nasl |
2009-07-29 | Name : Gentoo Security Advisory GLSA 200907-12 (dhcp) File : nvt/glsa_200907_12.nasl |
2009-07-29 | Name : FreeBSD Ports: isc-dhcp31-client File : nvt/freebsd_isc-dhcp31-client.nasl |
2009-07-29 | Name : Debian Security Advisory DSA 1833-1 (dhcp3) File : nvt/deb_1833_1.nasl |
2009-07-29 | Name : RedHat Security Advisory RHSA-2009:1154 File : nvt/RHSA_2009_1154.nasl |
2009-07-23 | Name : ISC DHCP Client Buffer Overflow Vulnerability File : nvt/secpod_isc_dhcp_client_bof_vuln.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2009-195-01 dhcp File : nvt/esoft_slk_ssa_2009_195_01.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
56422 | ISC DHCP dhcpd Unspecified Request Remote DoS |
55819 | ISC DHCP client/dhclient.c script_write_params() Function Remote Overflow |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2009-10-22 | IAVM : 2009-A-0105 - Multiple Vulnerabilities in VMware Products Severity : Category I - VMSKEY : V0021867 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Multiple Operating Systems invalid DHCP option attempt RuleID : 7196 - Revision : 13 - Type : OS-OTHER |
2014-01-10 | dhclient subnet mask option buffer overflow attempt RuleID : 15700 - Revision : 3 - Type : SERVER-OTHER |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-03 | Name : The remote host is missing a security-related patch. File : vmware_VMSA-2009-0014_remote.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1154.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1136.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090714_dhcp_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1833.nasl - Type : ACT_GATHER_INFO |
2010-01-28 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-803-2.nasl - Type : ACT_GATHER_INFO |
2009-12-04 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-312.nasl - Type : ACT_GATHER_INFO |
2009-11-11 | Name : The remote Fedora host is missing a security update. File : fedora_2009-9075.nasl - Type : ACT_GATHER_INFO |
2009-10-19 | Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2009-0014.nasl - Type : ACT_GATHER_INFO |
2009-10-06 | Name : The remote openSUSE host is missing a security update. File : suse_dhcp-6336.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_dhcp-6335.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_dhcp-client-090626.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12447.nasl - Type : ACT_GATHER_INFO |
2009-08-26 | Name : The remote Fedora host is missing a security update. File : fedora_2009-8344.nasl - Type : ACT_GATHER_INFO |
2009-08-20 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200908-08.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_dhcp-090626.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_dhcp-090626.nasl - Type : ACT_GATHER_INFO |
2009-07-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-154.nasl - Type : ACT_GATHER_INFO |
2009-07-16 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1154.nasl - Type : ACT_GATHER_INFO |
2009-07-16 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-151.nasl - Type : ACT_GATHER_INFO |
2009-07-16 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_c444c8b7716911de9ab7000c29a67389.nasl - Type : ACT_GATHER_INFO |
2009-07-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1154.nasl - Type : ACT_GATHER_INFO |
2009-07-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1136.nasl - Type : ACT_GATHER_INFO |
2009-07-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-803-1.nasl - Type : ACT_GATHER_INFO |
2009-07-15 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200907-12.nasl - Type : ACT_GATHER_INFO |
2009-07-15 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2009-195-01.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:28:37 |
|