{"vuid":"VU#284857","idnumber":"284857","name":"ISC DHCPD minires library contains multiple buffer overflows","keywords":["ISC","DHCPD","minires library","buffer overflow","DHCP"],"overview":"The Internet Software Consortium (ISC) has discovered several buffer overflow vulnerabilities in their implementation of DHCP (ISC DHCPD). These vulnerabilities may allow remote attackers to execute arbitrary code on affected systems. At this time, we are not aware of any exploits.","clean_desc":"There are multiple remote buffer overflow vulnerabilities in the ISC implementation of DHCP. As described in RFC 2131, \"the Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network.\"  In addition to supplying hosts with network configuration data, ISC DHCPD allows the DHCP server to dynamically update a DNS server, obviating the need for manual updates to the name server configuration. Support for dynamic DNS updates is provided by the NSUPDATE feature. During an internal source code audit, developers from the ISC discovered several vulnerabilities in the error handling routines of the minires library, which is used by NSUPDATE to resolve hostnames. These vulnerabilities are stack-based buffer overflows that may be exploitable by sending a DHCP message containing a large hostname value. Note: Although the minires library is derived from the BIND 8 resolver library, these vulnerabilities do not affect any current versions of BIND.","impact":"Remote attackers may be able to execute arbitrary code with the privileges of the user running ISC DHCPD.","resolution":"Upgrade or apply a patch\nThe ISC has addressed these vulnerabilities in versions 3.0pl2 and 3.0.1RC11 of ISC DHCPD. If your software vendor supplies ISC DHCPD as part of an operating system distribution, please see the vendor section of this document.","workarounds":"Disable dynamic DNS updates (NSUPDATE)\nAs an interim measure, the ISC recommends disabling the NSUPDATE feature on affected DHCP servers.\nBlock external access to DHCP server ports\nAs an interim measure, it is possible to limit exposure to these vulnerabilities by restricting external access to affected DHCP servers on the following ports:\nbootps      67/tcp      # Bootstrap Protocol Server\nbootps      67/udp      # Bootstrap Protocol Server\nbootpc      68/tcp      # Bootstrap Protocol Client\nbootpc      68/udp      # Bootstrap Protocol Client\nDisable the DHCP service\nAs a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Depending on your network configuration, you may not need to use DHCP.","sysaffected":"","thanks":"The CERT Coordination Center thanks David Hankins of the Internet Software Consortium for notifying us about this problem and for helping us to construct this document. We also thank Jacques A. Vidrine for drawing attention to this issue.","author":"This document was written by Jeffrey P. Lanza.","public":["http://www.isc.org/products/DHCP/","http://www.ietf.org/rfc/rfc2131.txt"],"cveids":["CVE-2003-0026"],"certadvisory":"CA-2003-01","uscerttechnicalalert":null,"datecreated":"2002-11-18T14:43:07Z","publicdate":"2003-01-15T00:00:00Z","datefirstpublished":"2003-01-15T19:50:51Z","dateupdated":"2003-03-26T19:11:54Z","revision":20,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"5","cam_exploitation":"10","cam_internetinfrastructure":"10","cam_population":"15","cam_impact":"10","cam_easeofexploitation":"5","cam_attackeraccessrequired":"15","cam_scorecurrent":"5.2734375","cam_scorecurrentwidelyknown":"8.4375","cam_scorecurrentwidelyknownexploited":"10.546875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":5.2734375,"vulnote":null}