Users login

Create an account »


Users login

Home » Hacking News » Security Flaws Found in ISC's DHCP - Red Hat Linux 8.0 also vulnerable

Security Flaws Found in ISC's DHCP - Red Hat Linux 8.0 also vulnerable

by Nikola Strahija on January 16th, 2003 The Internet Software Consortium (ISC) has warned of several buffer overflows in its reference implementation of the DHCP protocol that could allows hackers to execute malicious code on vulnerable systems. The Dynamic Host Configuration Protocol (DHCP) provides a framework for assigning dynamic IP addresses to devices on a network.

With dynamic addressing, a device can have a different IP address every time it connects to the network. In addition to supplying hosts with network configuration data, the ISC's implementation allows the DHCP server to dynamically update a DNS server, eliminating the need for manual updates to the name server configuration. The ISC's DHCP is the de facto standard for all UNIX and UNIX-like systems, including Linux and BSD.

An advisory from the CERT Coordination Center Thursday said the security holes were detected during an internal source code audit by the ISC, a non-profit group that develops production quality Open Source reference implementations of core Internet protocols. During that audit, ISC developers found bugs in the error handling routines of the minires library, which is used by NSUPDATE to resolve hostnames. "These vulnerabilities are stack-based buffer overflows that may be exploitable by sending a DHCP message containing a large hostname value," CERT/CC warned. Although the minires library is derived from the BIND 8 resolver library, these vulnerabilities do not affect any current versions of BIND, the Center added. In the interim, CERT/CC has urged IT administrators to disable the NSUPDATE feature on affected DHCP servers, blocking external access to DHCP server ports or disabling DHCP altogether. According to the alert, Red Hatdistributes a vulnerable version of ISC DHCP in Red Hat Linux 8.0. Red Hat said new DHCP packages are available and urged users of its network to update their systems.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »