Preemptive Protection against DHCP Stack Overflow in 'dhclient' script_write_params()
| Check Point Reference: | CPAI-2009-207 |
| Date Published: | |
| Preemptive Since: | |
| Severity: | |
| Source: | Internet Systems Consortium |
| Industry Reference(s): | CVE-2009-0692 |
| Protection Provided by: | IPS-1 |
Who is Vulnerable?
DHCP 4.1 (all versions), 4.0 (all versions), 3.1 (all versions), 3.0 (all versions), 2.0 (all versions)

Vulnerability Description
The ISC DHCP client (dhclient) contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code. ISC DHCP is a reference implementation of the DHCP protocol, including a DHCP server, client, and relay agent. dhclient fails to check the length of the server-supplied subnet-mask option before copying it into a buffer. A rogue DHCP server may be able to execute arbitrary code with root privileges on a vulnerable client system.

Vulnerability Details
While generating a subnet number from the server-supplied leased address and subnet-mask, 'dhclient' copies the information into a field without verifying whether the length of the information exceeds the length of the field. This may allow a rogue DHCP server to execute arbitrary commands on an affected system.
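The length check that the description above says is missing can be sketched as follows. This is an added example, not ISC's dhclient code or Check Point's protection logic; the function name extract_subnet_mask, the result codes and the sample byte arrays are assumptions constructed for illustration, and the option codes and the 4-byte subnet-mask length come from RFC 2132.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OPT_PAD = 0, OPT_SUBNET_MASK = 1, OPT_END = 255 };  /* RFC 2132 codes */
enum { MASK_OK = 0, MASK_ABSENT = 1, MASK_BAD_LENGTH = -1, OPT_TRUNCATED = -2 };

/* Constructed samples: the options field only (bytes after the magic cookie). */
const uint8_t sample_ok[]    = {1, 4, 255, 255, 255, 0, 255};
const uint8_t sample_long[]  = {1, 8, 255, 255, 255, 0, 0, 0, 0, 0, 255};
const uint8_t sample_trunc[] = {1, 4, 255, 255};
const uint8_t sample_none[]  = {0, 3, 4, 192, 0, 2, 1, 255};
uint8_t demo_mask[4];  /* fixed-size destination, like the field in the advisory */

/* Walk code/length/value options; copy option 1 only if its length is exactly 4. */
int extract_subnet_mask(const uint8_t *opts, size_t n, uint8_t mask[4])
{
    size_t i = 0;
    int found = 0;
    while (i < n) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD) continue;            /* pad has no length byte */
        if (code == OPT_END) break;
        if (i >= n) return OPT_TRUNCATED;         /* length byte is missing */
        uint8_t len = opts[i++];
        if (len > n - i) return OPT_TRUNCATED;    /* value runs past the field */
        if (code == OPT_SUBNET_MASK) {
            if (len != 4) return MASK_BAD_LENGTH; /* reject before any copy */
            memcpy(mask, opts + i, 4);
            found = 1;
        }
        i += len;                                 /* skip to the next option */
    }
    return found ? MASK_OK : MASK_ABSENT;
}

int main(void)
{
    printf("ok=%d long=%d trunc=%d none=%d\n",
           extract_subnet_mask(sample_ok, sizeof sample_ok, demo_mask),
           extract_subnet_mask(sample_long, sizeof sample_long, demo_mask),
           extract_subnet_mask(sample_trunc, sizeof sample_trunc, demo_mask),
           extract_subnet_mask(sample_none, sizeof sample_none, demo_mask));
    return 0;
}
```

The server-declared length is compared against the fixed field size before the copy, and the copy itself uses the constant 4 rather than the length taken from the packet.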
Protection Overview
IPS-1 has protected against this vulnerability since July 2006. No further update is required. The protection detects and blocks violations of the DHCP RFC including field overruns, invalid values, etc.
To configure the defense, select your product from the list below and follow the related protection steps.