CERT warns of key ISC vulnerability

By Patrick Gray
16 January 2003 03:10 PM
Tags: security, suse, dhcp, isc, red hat, cert, vulnerable, ip address
CERT has warned of a serious security vulnerability in ISC's DHCP (Dynamic Host Configuration Protocol) software, which is shipped with multiple operating systems including popular Linux and BSD variants.

DHCP software is used to assign IP address information to computers on a network as they require it. For example, when a user selects "Obtain an IP address automatically" in their Windows networking settings, it's a DHCP server attached to the network that issues this IP address information to the user's computer.

It was ISC, who also maintain the popular BIND domain name server, who found the vulnerabilities.

"During an internal source code audit, developers from the ISC discovered several vulnerabilities... These vulnerabilities are stack-based buffer overflows," an advisory from CERT said.

CERT have listed known vulnerable software distributions as Red Hat 8 (The current distribution of Red Hat Linux), SuSE Linux, and BSDI, with the vulnerability status of many other vendors unknown at this stage.

This vulnerability is unlikely to expose corporate networks to any new external threats. Most networks do not allow access to DHCP services from outside, however trusted network users with access to the "soft" side of a corporate firewall may be able to exploit this vulnerability.

CERT have recommended that a patch be applied, or where that isn't possible, the DHCP service be shut down.

"As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Depending on your network configuration, you may not need to use DHCP," they said.

According to the advisory, Red Hat have prepared an updated package to address the issue, SuSE are "...preparing updates, that will be released soon" and BSDI have made patches available. Some other vendors are still testing their distributions to determine their vulnerability status.

Advertisement

Talkback 0 comments

Latest Videos

Sponsored content

Power Centre - Content from our premier sponsors

Blogs

  • Suzanne Tindal IT: Govt's cost-cutting bitch
    The government needs to stop looking at IT as a necessary evil or the place to remove costs when the Treasurer comes calling.
  • Array Can complaints on mobile content be cut?
    On 1 July this year the new Mobile Premium Services Code was introduced. It sounds like it's had a good impact, but is it enough?
  • Array NZ farmers: Bleating about broadband
    As we know, farmers are such bleaters. They bleat as much as the four-legged woolly things in their paddocks. If it's not the weather, it's the strength of the dollar! Nothing is ever right. Likewise with rural broadband.
  • More blogs »

Tags

Back to top

Featured