Rule: -- Sid: 2039 -- Summary: The Dynamic Host Configuration Protocol (DHCP) daemon is used to issue dynamic IP addresses from a server to client machines. A vulnerability exists such that arbitrary code may be executed on the server using the credential of the super user (root). -- Impact: Execution of code and possible control of the targeted machine. -- Detailed Information: A format string vulnerabilty in some versions of dhcpd may lead to the execution of arbitrary code as the root user via a DNS server response. This is due to the unsafe logging of user data. The option NSUPDATE option in the configuration of dhcpd must be enabled, although this is a default option in version 3.0 and later. Two exploits for this vulnerability are known to exist. -- Affected Systems: ISC DHCPD 3.0 Caldera OpenLinux Server 3.1 and 3.1.1 Caldera OpenLinux Workstation 3.1 and 3.1.1 Conectiva Linux 8.0 MandrakeSoft Linux Mandrake 8.1, 8.1 ia64, 8.2, 8.2 ppc and 9.0 MandrakeSoft Multi Network Firewall 8.2 S.u.S.E. Linux 7.2, 7.3 and 8.0 S.u.S.E. Linux Connectivity Server S.u.S.E. Linux Database Server S.u.S.E. Linux Enterprise Server 7 and S/390 ISC DHCPD 3.0.1 rc8 and ISC DHCPD 3.0.1 rc7 FreeBSD FreeBSD 4.1.1, 4.2, 4.3, 4.4 and 4.5 ISC DHCPD 3.0.1 rc6 S.u.S.E. Linux 8.0 and 8.0 i386 ISC DHCPD 3.0.1 rc5, ISC DHCPD 3.0.1 rc4 OpenPKG OpenPKG 1.0 ISC DHCPD 3.0.1 rc3, rc2 and rc1 -- Attack Scenarios: The attacker could send a specially crafted packet to the dhcpd server or use one of the exploits widely available for this vulnerability. -- Ease of Attack: Simple -- False Positives: None Known -- False Negatives: None Known -- Corrective Action: Patches from the vendor should be applied as soon as possible. Upgrade to ISC DHCPD 3.0.1 rc 9. -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> -- Additional References: Bugtraq: http://www.securityfocus.com/bid/4701 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0702 --