Security fix for dhcpd

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Security fix for dhcpd

Todd C. Miller
Summary:
    Malicious DHCP clients on the local network could cause dhcpd(8)
    to corrupt its stack.

Impact:
    A DHCP client with a carefully chosen maximum message size that
    is less than the minimum IP MTU could lead to a buffer overflow
    in dhcpd(8).  This could cause dhcpd(8) to crash or could
    potentially result in remote code execution.

Workaround:
    Disable dhcpd if it is enabled.  Note that OpenBSD does not
    ship with dhcpd(8) enabled by default.

Fix:
    A fix has been committed to OpenBSD-current.  Patches are
    available for OpenBSD 4.2, 4.1 and 4.0.

    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/001_dhcpd.patch
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.1/common/010_dhcpd.patch
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/016_dhcpd.patch

Credits:
    The bug was found by Nahuel Riva and Gerardo Richarte of Core
    Security Technologies