ISC DHCP: dhcpd Denial of Service

1. Gentoo Linux Security Advisory

Advisory Reference	GLSA 200908-08 / dhcp
Release Date	August 18, 2009
Latest Revision	August 18, 2009: 01
Impact	normal
Exploitable	remote

Package	Vulnerable versions	Unaffected versions	Architecture(s)
net-misc/dhcp	< 3.1.2_p1	>= 3.1.2_p1	All supported architectures

Related bugreports: #275231

Synopsis

dhcpd as included in the ISC DHCP implementation does not properly handle special conditions, leading to a Denial of Service.

2. Impact Information

Background

ISC DHCP is the reference implementation of the Dynamic Host Configuration Protocol as specified in RFC 2131.

Description

Christoph Biedl discovered that dhcpd does not properly handle certain DHCP requests when configured both using "dhcp-client-identifier" and "hardware ethernet".

Impact

A remote attacker might send a specially crafted request to dhcpd, possibly resulting in a Denial of Service (daemon crash).

3. Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All ISC DHCP users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/dhcp-3.1.2_p1"

4. References

CVE-2009-1892

Page updated August 18, 2009

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.