CERT Advisory CA-2003-01 Buffer Overflows in ISC DHCPD Minires Library

From: CERT Advisory (cert-advisory@cert.org)
Date: 01/15/03

    Date: Wed, 15 Jan 2003 15:53:45 -0500
    From: CERT Advisory <cert-advisory@cert.org>
    To: cert-advisory@cert.org


    CERT Advisory CA-2003-01 Buffer Overflows in ISC DHCPD Minires Library

       Original release date: January 15, 2003
       Last revised: --
       Source: CERT/CC

       A complete revision history can be found at the end of this file.

      Systems Affected

         * Systems running ISC DHCPD versions 3.0 through 3.0.1RC10,
         * For detailed vendor status information, see


       The Internet Software Consortium (ISC) has discovered several buffer
       overflow vulnerabilities in their implementation of DHCP (ISC DHCPD).
       These vulnerabilities may allow remote attackers to execute arbitrary
       code on affected systems. At this time, we are not aware of any

    I. Description

       There are multiple remote buffer overflow vulnerabilities in the ISC
       implementation of DHCP. As described in RFC 2131, "the Dynamic Host
       Configuration Protocol (DHCP) provides a framework for passing
       configuration information to hosts on a TCP/IP network." In addition to
       supplying hosts with network configuration data, ISC DHCPD allows the
       DHCP server to dynamically update a DNS server, eliminating the need
       for manual updates to the name server configuration. Support for
       dynamic DNS updates is provided by the NSUPDATE feature.

       During an internal source code audit, developers from the ISC
       discovered several vulnerabilities in the error handling routines of
       the minires library, which is used by NSUPDATE to resolve hostnames.
       These vulnerabilities are stack-based buffer overflows that may be
       exploitable by sending a DHCP message containing a large hostname
       value. Note: Although the minires library is derived from the BIND 8
       resolver library, these vulnerabilities do not affect any current
       versions of BIND.

       The CERT/CC is tracking this issue as VU#284857. This reference number
       corresponds to CVE candidate CAN-2003-0026.
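       As an added illustration of the defensive check this class of bug calls
       for (example code written for this page, not the minires library or any
       ISC DHCPD source), the following C parser walks the DHCP options field,
       finds the Host Name option (option code 12) and copies it into a
       fixed-size buffer only after checking the encoded length against both
       the remaining message and the destination capacity. The option codes 0,
       12 and 255 follow RFC 2132; the HOSTNAME_MAX capacity, the result codes
       and the sample option fields are constructed for the example.

```c
/*
 * Added illustration (not ISC's minires or dhcpd code): bounds-checked
 * extraction of the DHCP Host Name option (code 12, RFC 2132) from a DHCP
 * options field, so an oversized or truncated hostname is rejected instead
 * of being copied into a fixed-size stack buffer.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP_OPT_PAD       0
#define DHCP_OPT_HOST_NAME 12
#define DHCP_OPT_END       255

/* Hypothetical capacity of the destination buffer (one DNS label). */
#define HOSTNAME_MAX 63

enum parse_result {
    HOST_OK = 0,
    HOST_NOT_PRESENT,
    HOST_TOO_LONG,
    HOST_MALFORMED
};

/*
 * Walk the TLV option list in opts[0..optlen). On success copy the hostname
 * into out (NUL-terminated, capacity outcap). Every read is checked against
 * optlen and every write against outcap before it happens.
 */
enum parse_result dhcp_get_hostname(const uint8_t *opts, size_t optlen,
                                    char *out, size_t outcap)
{
    size_t i = 0;
    if (out == NULL || outcap == 0) return HOST_MALFORMED;
    out[0] = '\0';

    while (i < optlen) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_PAD) continue;
        if (code == DHCP_OPT_END) break;

        if (i >= optlen) return HOST_MALFORMED;        /* length byte missing */
        uint8_t len = opts[i++];
        if (len > optlen - i) return HOST_MALFORMED;   /* value runs past buffer */

        if (code == DHCP_OPT_HOST_NAME) {
            if (len == 0) return HOST_MALFORMED;
            if ((size_t)len >= outcap) return HOST_TOO_LONG;  /* keep room for NUL */
            memcpy(out, &opts[i], len);
            out[len] = '\0';
            return HOST_OK;
        }
        i += len;                                      /* skip other options */
    }
    return HOST_NOT_PRESENT;
}

/* Constructed sample option field (not captured traffic). */
static const uint8_t sample_good[] = {
    53, 1, 3,                                     /* Message Type = Request */
    12, 9, 'w', 's', '-', 'l', 'a', 'b', '-', '0', '1',   /* Host Name */
    255
};

/* Well-formed message: expect HOST_OK and the name "ws-lab-01". */
enum parse_result check_good(void)
{
    char name[HOSTNAME_MAX + 1];
    enum parse_result r = dhcp_get_hostname(sample_good, sizeof sample_good,
                                            name, sizeof name);
    if (r == HOST_OK && strcmp(name, "ws-lab-01") != 0) return HOST_MALFORMED;
    return r;
}

/* Hostname of 200 bytes, larger than the destination: expect HOST_TOO_LONG. */
enum parse_result check_oversized(void)
{
    uint8_t pkt[2 + 200 + 1];
    char name[HOSTNAME_MAX + 1];
    pkt[0] = DHCP_OPT_HOST_NAME;
    pkt[1] = 200;
    memset(&pkt[2], 'A', 200);
    pkt[202] = DHCP_OPT_END;
    return dhcp_get_hostname(pkt, sizeof pkt, name, sizeof name);
}

/* Length byte claims 20 bytes but only 2 follow: expect HOST_MALFORMED. */
enum parse_result check_truncated(void)
{
    static const uint8_t pkt[] = { 12, 20, 'a', 'b' };
    char name[HOSTNAME_MAX + 1];
    return dhcp_get_hostname(pkt, sizeof pkt, name, sizeof name);
}

int main(void)
{
    printf("well-formed: %d  oversized: %d  truncated: %d\n",
           check_good(), check_oversized(), check_truncated());
    return 0;
}
```

       The point of the example is the order of the checks: the length byte is
       validated against what remains of the message before it is used to
       read, and against the destination capacity before it is used to write,
       so the fixed-size stack buffer can never receive more bytes than it
       holds, whatever hostname length a client sends.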

    II. Impact

       Remote attackers may be able to execute arbitrary code with the
       privileges of the user running ISC DHCPD.

    III. Solution

        Upgrade or apply a patch

       The ISC has addressed these vulnerabilities in versions 3.0pl2 and
       3.0.1RC11 of ISC DHCPD. If your software vendor supplies ISC DHCPD as
       part of an operating system distribution, please see Appendix A for
       vendor-specific patch information.

       For a detailed list of vendors that have been notified of this issue by
       the CERT/CC, please see


        Disable dynamic DNS updates (NSUPDATE)

       As an interim measure, the ISC recommends disabling the NSUPDATE
       feature on affected DHCP servers.

        Block external access to DHCP server ports

       As an interim measure, it is possible to limit exposure to these
       vulnerabilities by restricting external access to affected DHCP servers
       on the following ports:

    bootps 67/tcp # Bootstrap Protocol Server
    bootps 67/udp # Bootstrap Protocol Server
    bootpc 68/tcp # Bootstrap Protocol Client
    bootpc 68/udp # Bootstrap Protocol Client

        Disable the DHCP service

       As a general rule, the CERT/CC recommends disabling any service or
       capability that is not explicitly required. Depending on your network
       configuration, you may not need to use DHCP.

    Appendix A. - Vendor Information

       This appendix contains information provided by vendors for this
       advisory. As vendors report new information to the CERT/CC, we will
       update this section and note the changes in our revision history. If a
       particular vendor is not listed below, we have not received their

        Apple Computer, Inc.

       Mac OS X and Mac OS X Server do not contain the vulnerability described
       in this notice.

        Berkeley Software Design, Inc. (BSDI)

       This vulnerability is addressed by the M431-001 and M500-004 patches
       for the 4.3.1 and 5.0 versions of BSD/OS.

        Cisco Systems

       No Cisco products have been found to be affected by this vulnerability.

       Several Cisco products do utilize the ISC DHCPD, however, no Cisco
       products implement the ISC DHCPD NSUPDATE feature, nor do they include
       the minires library.

        Cray Inc.

       Cray Inc. is not vulnerable as dhcpd is not supported on any of its

        Fujitsu

       Fujitsu's UXP/V OS is not vulnerable because it does not support the
       ISC DHCPD.

        Hewlett-Packard Company

       Source: Hewlett-Packard Company
               Software Security Response Team
       cross reference id: SSRT2423
         HP-UX - not vulnerable
         HP-MPE/ix - not vulnerable
         HP Tru64 UNIX - not vulnerable
         HP OpenVMS - not vulnerable
         HP NonStop Servers - not vulnerable
       To report potential security vulnerabilities in HP software,
       send an E-mail message to: mailto:security-alert@hp.com

        Hitachi, Ltd.

       We've checked up on our router (Hitachi, Ltd. GR2000 series) about
       [VU#284857]. Our DHCP implementation is NOT vulnerable.

        IBM Corporation

       IBM's AIX does not ship with the ISC DHCP daemon. The issues discussed
       in VU#284857 or any following advisories based on this vulnerability
       note do not pertain to AIX.

        Internet Software Consortium

       We have a patched version of 3.0 available (3.0pl2) and a new release
       candidate for the next bug-fix release (3.0.1RC11). Both of these new
       releases are available from http://www.isc.org/products/DHCP/.

        MontaVista Software

       None of MontaVista Software's Linux products are vulnerable to this

        NEC Inc.

       [Server Products]
        * EWS/UP 48 Series operating system
        - is NOT vulnerable.

        NetBSD

       Currently supported versions of NetBSD do not contain the error
       handling routine vulnerabilities. Such vulnerabilities were fixed
       prior to the release of NetBSD 1.5.

       With respect to the patch to ns_name.c, we believe that this is good
       defensive programming and have applied the patch to NetBSD-current.
       However, all calls to ns_name_ntol in the NetBSD source base pass a
       correct, constant, non-zero value as the datsiz parameter.

       Therefore, NetBSD is not vulnerable.

        NetScreen

       NetScreen is not vulnerable to this issue.

        OpenBSD

       OpenBSD's dhcp support is much modified, does not have that feature,
       and therefore does not have that bug.

        Openwall GNU/*/Linux

       Openwall GNU/*/Linux is not vulnerable. We don't yet provide a DHCP

        Red Hat Inc.

       Red Hat distributes a vulnerable version of ISC DHCP in Red Hat Linux
       8.0. Other distributions of Red Hat Linux are not vulnerable to these
       issues. New DHCP packages are available along with our advisory at the
       URL below. Users of the Red Hat Network can update their systems using
       the 'up2date' tool.


        Riverstone Networks

       Riverstone Networks is not vulnerable to VU#284857.

        Sun Microsystems, Inc.

       Sun confirms that we are not vulnerable to the issues described in
       VU#284857. Solaris does not ship the ISC DHCPD and does not use any of
       the ISC DHCPD source in its version of DHCPD.

        SuSE Linux AG

       We are preparing updates that will be released soon.

        Xerox

       Xerox is aware of this vulnerability and is currently assessing all
       products. This statement will be updated as new information becomes

       The CERT Coordination Center thanks David Hankins of the Internet
       Software Consortium for notifying us about this problem and for helping
       us to construct this document. We also thank Jacques A. Vidrine for
       drawing attention to this issue.

       Author: This document was written by Jeffrey P. Lanza.

       This document is available from:

    CERT/CC Contact Information

       Email: cert@cert.org
              Phone: +1 412-268-7090 (24-hour hotline)
              Fax: +1 412-268-6989
              Postal address:
              CERT Coordination Center
              Software Engineering Institute
              Carnegie Mellon University
              Pittsburgh PA 15213-3890

       CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
       EDT(GMT-4) Monday through Friday; they are on call for emergencies
       during other hours, on U.S. holidays, and on weekends.

    Using encryption

       We strongly urge you to encrypt sensitive information sent by email.
       Our public PGP key is available from

       If you prefer to use DES, please call the CERT hotline for more

    Getting security information

       CERT publications and other security information are available from
       our web site

       To subscribe to the CERT mailing list for advisories and bulletins,
       send email to majordomo@cert.org. Please include in the body of your

       subscribe cert-advisory

       * "CERT" and "CERT Coordination Center" are registered in the U.S.
       Patent and Trademark Office.

       Any material furnished by Carnegie Mellon University and the Software
       Engineering Institute is furnished on an "as is" basis. Carnegie
       Mellon University makes no warranties of any kind, either expressed or
       implied as to any matter including, but not limited to, warranty of
       fitness for a particular purpose or merchantability, exclusivity or
       results obtained from use of the material. Carnegie Mellon University
       does not make any warranty of any kind with respect to freedom from
       patent, trademark, or copyright infringement.

       Conditions for use, disclaimers, and sponsorship information

       Copyright 2003 Carnegie Mellon University.

       Revision History
    January 15, 2003: Initial release
