Vulnerabilities found in ISC protocol

The Internet Software Consortium (ISC) has issued an advisory stating it has discovered several buffer overflow vulnerabilities in its implementation of a protocol that automatically assigns IP addresses to client stations logging into TCP/IP networks.

The Dynamic Host Configuration Protocol (DHCP) eliminates the need to manually assign permanent IP addresses and runs in servers and network devices, including ISDN routers and modem routers that give multiple users access to the Internet. The ISC DHCPD also lets the DHCP server dynamically update a domain name server (DNS), eliminating the need for manual updates to the name server configuration.

According to a report from the CERT Coordination Center, the vulnerabilities in the DHCP implementation are buffer overflows, a common class of software defect that occurs when more data is written into a buffer than the buffer can hold, so that the excess is written over adjacent areas of memory. The flaw could allow remote attackers to execute arbitrary code on affected systems, although as of Wednesday no exploits had been reported.
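As an added illustration of the bug class the report describes, the following is a constructed DHCP option parser that checks the client-supplied length byte before copying a value into a fixed-size buffer; it is example code written for this article, not ISC's code, and the sample packets are made up rather than taken from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DHCP options are type-length-value: one code byte, one length byte, then
 * the value; code 0 is padding, code 255 ends the list (RFC 2132). */
#define DHCP_OPT_PAD      0
#define DHCP_OPT_HOSTNAME 12
#define DHCP_OPT_END      255

/* Copy the host-name option into out[] (NUL-terminated). Returns the
 * number of bytes copied, 0 if the option is absent, or -1 when the option
 * list is malformed or the value would not fit. A parser that trusted the
 * length byte and copied unconditionally would overflow out[], which is
 * the defect class the advisory warns about. */
int dhcp_get_hostname(const uint8_t *opts, size_t n, char *out, size_t outsz)
{
    size_t i = 0;
    while (i < n) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_PAD)
            continue;
        if (code == DHCP_OPT_END)
            return 0;
        if (i >= n)
            return -1;                 /* length byte missing */
        uint8_t len = opts[i++];
        if (len > n - i)
            return -1;                 /* value runs past end of packet */
        if (code == DHCP_OPT_HOSTNAME) {
            if ((size_t)len >= outsz)
                return -1;             /* would overflow out[] */
            memcpy(out, opts + i, len);
            out[len] = '\0';
            return (int)len;
        }
        i += len;                      /* skip options we do not handle */
    }
    return -1;                         /* no END marker: treat as malformed */
}

/* Constructed packets: a message-type option (53) followed by host name
 * "host1", and one whose length byte (200) exceeds the data actually sent. */
static const uint8_t good_opts[]  = { 53, 1, 1, 12, 5, 'h', 'o', 's', 't', '1', 255 };
static const uint8_t short_opts[] = { 12, 200, 'x', 'y', 255 };

int demo_good(void)      { char b[64]; return dhcp_get_hostname(good_opts, sizeof good_opts, b, sizeof b); }
int demo_good_name(void) { char b[64]; dhcp_get_hostname(good_opts, sizeof good_opts, b, sizeof b); return strcmp(b, "host1") == 0; }
int demo_truncated(void) { char b[64]; return dhcp_get_hostname(short_opts, sizeof short_opts, b, sizeof b); }
int demo_small_buf(void) { char b[4];  return dhcp_get_hostname(good_opts, sizeof good_opts, b, sizeof b); }
```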

Linux developer Red Hat Inc. distributes a vulnerable version of ISC DHCP in Red Hat Linux 8.0; all other versions of Red Hat Linux are not affected by the flaws.

As stated by CERT, the following companies’ products are not susceptible to the buffer overflow vulnerabilities: Apple Computer Inc.; Berkeley Software Design Inc.; Cisco Systems; Cray Inc.; Fujitsu; Hewlett-Packard Co.; Hitachi Ltd.; IBM Corp.; MontaVista Software; NEC Inc.; NetBSD; NetScreen; OpenBSD; Openwall GNU/*/Linux; Riverstone Networks; and Sun Microsystems Inc.

The ISC has issued a patched version of DHCP 3.0, available now, and a new release candidate for the next bug-fix release. Both can be found at www.isc.org/products/DHCP/.

Red Hat Linux 8.0 users can update systems at http://rhn.redhat.com/errata/RHSA-2003-011.html.

For a detailed list of vendors that have been contacted by the CERT/CC visit www.kb.cert.org/vuls/id/284857#systems. More information can be found at www.cert.org.
