Buffer Overflows Found in DHCP

By Ryan Naraine (Send Email)
Posted Jun 24, 2004


A pair of security flaws found in the Internet Systems Consortium's (ISC) implementation of the DHCP protocol could leave users at risk of denial-of-service or code execution attacks, experts warned Tuesday.

Earlier this week, a pair of security flaws were found in the Internet Systems Consortium's implementation of the DHCP that could leave users at risk for denial-of-service or code execution attacks.

According to an alert from the U.S. Computer Emergency Response Team (US-CERT), the vulnerabilities were discovered in ISC DHCP versions 3.0.1rc12 and 3.0.1rc13, the de-facto standard for all Unix and Unix-like systems, including Linux and BSD.

"All versions of ISC DCHP 3, including all snapshots, betas, and release candidates, contain the flawed code," US-CERT cautioned.

DHCP, or Dynamic Host Configuration Protocol, provides a framework for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network.

The ISC's freely-distributed reference implementation supplies hosts with network configuration data and allows a DHCP server to dynamically update a DNS server, eliminating the need for manual updates to the name server configuration

The consortium confirmed the existence of the buffer overflow problems in ISC DHCP Daemon versions 3.0.1 Release Candidates 12 and 13 and urged users to upgrade to versions 3.0.1rc14.

It is not the first time the ISC has been forced to issue a fix for buffer overflows in its DHCP implementation. Last January, multiple vulnerabilities were detected during an internal source code audit.

The ISC is a nonprofit group that develops production quality Open Source reference implementations of core Internet protocols.

This article was originally published on internetnews.com.

Page 1 of 1


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.