
Vulnerability in DHCP Could Allow Remote Code Execution and Denial of Service (MS04-042)

Attack ID: CPAI-2005-07
Publish Date:
Last Update:
Category: Microsoft Windows Systems
Vulnerable Systems: Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Server 4.0 Terminal Server Edition SP6 (configured as DHCP servers with DHCP logging enabled)
Source:

Microsoft Security Bulletin (MS04-042)

Description:

Microsoft Windows NT Server 4.0 contains a vulnerability in the way it processes and logs DHCP messages. The Dynamic Host Configuration Protocol (DHCP) provides central management of IP addresses and other details related to the IP configuration used on the network. A remote user can exploit this vulnerability by sending a specially crafted DHCP message to a vulnerable DHCP server. The vulnerability affects only Windows NT 4.0 Servers that have been configured as DHCP servers with DHCP logging enabled.

Severity:
Details:

DHCP uses a server computer to centrally manage IP addresses and other related configuration details used on the network. Windows NT 4.0 Server serves as a DHCP Server, providing configuration settings to DHCP-enabled client computers.

The vulnerability is caused by an unchecked buffer in the method that DHCP uses to validate a value from specially crafted network packets. The vulnerability affects only Windows NT 4.0 Servers that have been configured as DHCP servers with DHCP logging enabled.

Attack Detection:

Using SmartView Tracker, users of VPN-1 NG with Application Intelligence R55W and InterSpect who have performed the update outlined below will be able to identify this attack by one of the following log entries:

Attack Name: DHCP Protocol Enforcement Violation
Attack Information (may vary):

  • Unknown DHCP Option
  • Malformed DHCP Option Length
  • DHCP Data Found After End of Options
  • DHCP Packet - Options Data Too Short
  • Invalid DHCP Options Data
  • BOOTP Packet Too Short
  • Invalid BOOTP/DHCP Operation
  • DHCP Client Hardware Type is Not Ethernet
  • Invalid BOOTP/DHCP Field Value
  • DHCP Packet Too Short
  • DHCP Options Malformed Header - Possibly BOOTP Client
  • Illegal DHCP Option for Client Requests
  • Site Specific Option Detected

Users of R55:

Users of VPN-1 NG with Application Intelligence R55 will receive rule 99670 on the SmartView Tracker window.
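
The log entries listed above describe structural checks on a BOOTP/DHCP message. The following Python validator is an added example, not Check Point's implementation or code from this advisory: it walks the RFC 2131 layout and reports violations using the advisory's log strings. The pairing of each check with a log string and the `build` helper for constructed sample packets are assumptions made for illustration.

```python
import struct

# Assumption: which check produces which advisory log string is illustrative.
BOOTP_FIXED_LEN = 236                      # op .. file fields, RFC 951 / RFC 2131
MAGIC_COOKIE = bytes([99, 130, 83, 99])    # marks the start of DHCP options
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255

def validate_dhcp(payload: bytes) -> list:
    """Return the violations found in one UDP/67 payload (empty list = clean)."""
    if len(payload) < BOOTP_FIXED_LEN:
        return ["BOOTP Packet Too Short"]
    op, htype, hlen = struct.unpack_from("!BBB", payload, 0)
    issues = []
    if op not in (1, 2):                   # BOOTREQUEST / BOOTREPLY
        issues.append("Invalid BOOTP/DHCP Operation")
    if htype != 1:                         # 1 = Ethernet
        issues.append("DHCP Client Hardware Type is Not Ethernet")
    elif hlen != 6:                        # an Ethernet MAC is 6 bytes
        issues.append("Invalid BOOTP/DHCP Field Value")
    opts = payload[BOOTP_FIXED_LEN:]
    if opts[:4] != MAGIC_COOKIE:
        return issues + ["DHCP Options Malformed Header - Possibly BOOTP Client"]
    i, ended = 4, False
    while i < len(opts):
        code = opts[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            ended = True
            if any(opts[i + 1:]):          # only zero padding may follow End
                issues.append("DHCP Data Found After End of Options")
            break
        # Bounds-check the declared length before touching the option data.
        if i + 1 >= len(opts) or i + 2 + opts[i + 1] > len(opts):
            return issues + ["Malformed DHCP Option Length"]
        length = opts[i + 1]
        # RFC 2131 message types are 1..8 in a one-byte option.
        if code == OPT_MSG_TYPE and (length != 1 or not 1 <= opts[i + 2] <= 8):
            issues.append("Invalid DHCP Options Data")
        i += 2 + length
    if not ended:
        issues.append("DHCP Packet - Options Data Too Short")
    return issues

def build(options: bytes, op=1, htype=1, hlen=6) -> bytes:
    """Constructed sample: fixed header with zeroed fields, cookie, then options."""
    return bytes([op, htype, hlen, 0]) + bytes(232) + MAGIC_COOKIE + options
```

The length check runs before any option data is read, which is the bounds validation an unchecked buffer lacks.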

Solution:

Users of VPN-1 NG with Application Intelligence R55 and InterSpect should update their SmartDefense by clicking the Update Now button on the SmartDefense SmartDashboard General window.

Users of VPN-1 NG with Application Intelligence R55W should update their SmartDefense by clicking the Online Update button on the SmartDefense SmartDashboard General window.

This update enforces the validity of a DHCP packet header. The update has been added under Application Intelligence.

Please verify that you have downloaded the latest SmartDefense Update:

Version       Build Number
R55           541050124
InterSpect    547050124
R55W          550050124



To enable the protection:

1. On the SmartDefense navigation tree, select Application Intelligence > DHCP.

2. The Perform Strict DHCP options enforcement option is enabled by default. 
Enabling Block BOOTP clients enforces BOOTP protocol packet validity. 
Enabling Block non-Ethernet DHCP clients will block clients that are not of Ethernet type.


3. Install policy on all modules.

Industry Reference: CAN-2004-0899
CAN-2004-0900
Additional Information: