CERT warns of key ISC vulnerability - News - Security

To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Australia.
--------------------------------------------------------------

CERT warns of key ISC vulnerability

By Patrick Gray, 0
January 16, 2003
URL: http://www.zdnet.com.au/news/security/soa/CERT-warns-of-key-ISC-vulnerability/0,130061744,120271303,00.htm

CERT has warned of a serious security vulnerability in ISC's DHCP (Dynamic Host Configuration Protocol) software, which is shipped with multiple operating systems including popular Linux and BSD variants.

DHCP software is used to assign IP address information to computers on a network as they require it. For example, when a user selects "Obtain an IP address automatically" in their Windows networking settings, it's a DHCP server attached to the network that issues this IP address information to the user's computer.

It was ISC, who also maintain the popular BIND domain name server, who found the vulnerabilities.

"During an internal source code audit, developers from the ISC discovered several vulnerabilities... These vulnerabilities are stack-based buffer overflows," an advisory from CERT said.

CERT have listed known vulnerable software distributions as Red Hat 8 (The current distribution of Red Hat Linux), SuSE Linux, and BSDI, with the vulnerability status of many other vendors unknown at this stage.

This vulnerability is unlikely to expose corporate networks to any new external threats. Most networks do not allow access to DHCP services from outside, however trusted network users with access to the "soft" side of a corporate firewall may be able to exploit this vulnerability.

CERT have recommended that a patch be applied, or where that isn't possible, the DHCP service be shut down.

"As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Depending on your network configuration, you may not need to use DHCP," they said.

According to the advisory, Red Hat have prepared an updated package to address the issue, SuSE are "...preparing updates, that will be released soon" and BSDI have made patches available. Some other vendors are still testing their distributions to determine their vulnerability status.