Vulnerabilities found in ISC protocol

The Internet Software Consortium (ISC) has issued an advisory stating it has discovered several buffer overflow vulnerabilities in its implementation of a protocol that automatically assigns IP addresses to client stations logging into TCP/IP networks.

The Dynamic Host Configuration Protocol (DHCP) eliminates the need to manually assign permanent IP addresses. It runs in servers and network devices, including ISDN routers and modem routers, that allow multiple users access to the Internet. The ISC DHCPD allows the DHCP server to dynamically update a domain name server (DNS), eliminating the need for manual updates to the name server configuration.

According to a report from the CERT Coordination Center, the vulnerabilities in the DHCP implementation are a common result of malfunctioning software: they occur when the amount of data written into a buffer exceeds the size of that buffer and the additional data is then written into other areas. The flaw could allow remote attackers to execute arbitrary code on affected systems, although as of Wednesday no exploits had been reported.

Linux developer Red Hat Inc. distributes a vulnerable version of ISC DHCP in its Red Hat Linux 8.0; no other versions of Red Hat Linux are vulnerable to the flaws.

As stated by CERT, the following companies’ products are not susceptible to the buffer overflow vulnerabilities: Apple Computer Inc.; Berkeley Software Design Inc.; Cisco Systems; Cray Inc.; Fujitsu; Hewlett-Packard Co.; Hitachi Ltd.; IBM Corp.; MontaVista Software; NEC Inc.; NetBSD; NetScreen; OpenBSD; Openwall GNU/*/Linux; Riverstone Networks; and Sun Microsystems Inc.

The ISC has issued a patched version of 3.0, available now, and a new release candidate for the next bug-fix release. Both can be found at www.isc.org/products/DCHP/.

Red Hat Linux 8.0 users can update systems at http://rhn.redhat.com/errata/RHSA-2003-011.html.

For a detailed list of vendors that have been contacted by the CERT/CC visit www.kb.cert.org/vuls/id/284857#systems. More information can be found at www.cert.org.
