ID CVE-2009-0692
Summary Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.
Vulnerable Configurations
  • ISC DHCP 4.1.0
    cpe:2.3:a:isc:dhcp:4.1.0
  • cpe:2.3:a:isc:dhcp:4.0
    cpe:2.3:a:isc:dhcp:4.0
  • cpe:2.3:a:isc:dhcp:3.0
    cpe:2.3:a:isc:dhcp:3.0
  • cpe:2.3:a:isc:dhcp:3.1
    cpe:2.3:a:isc:dhcp:3.1
  • cpe:2.3:a:isc:dhcp:2.0
    cpe:2.3:a:isc:dhcp:2.0
CVSS
Base: 10.0 (as of 15-07-2009 - 07:37)
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality COMPLETE
  • Integrity COMPLETE
  • Availability COMPLETE
exploit-db via4
  • description ISC DHCP 'dhclient' 'script_write_params()' - Stack Buffer Overflow Vulnerability. CVE-2009-0692. Remote exploits for multiple platforms
    id EDB-ID:10015
    last seen 2016-02-01
    modified 2009-11-10
    published 2009-11-10
    reporter Jon Oberheide
    source https://www.exploit-db.com/download/10015/
    title ISC DHCP 'dhclient' 'script_write_params' - Stack Buffer Overflow Vulnerability
  • description ISC DHCP dhclient < 3.1.2p1 Remote Buffer Overflow PoC. CVE-2009-0692. DoS exploit for Linux platform
    id EDB-ID:9265
    last seen 2016-02-01
    modified 2009-07-27
    published 2009-07-27
    reporter Jon Oberheide
    source https://www.exploit-db.com/download/9265/
    title ISC DHCP dhclient < 3.1.2p1 - Remote Buffer Overflow PoC
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1154.NASL
    description From Red Hat Security Advisory 2009:1154 : Updated dhcp packages that fix two security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) An insecure temporary file use flaw was discovered in the DHCP daemon's init script ('/etc/init.d/dhcpd'). A local attacker could use this flaw to overwrite an arbitrary file with the output of the 'dhcpd -t' command via a symbolic link attack, if a system administrator executed the DHCP init script with the 'configtest', 'restart', or 'reload' option. (CVE-2009-1893) Users of DHCP should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67891
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67891
    title Oracle Linux 3 : dhcp (ELSA-2009-1154)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1154.NASL
    description Updated dhcp packages that fix two security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) An insecure temporary file use flaw was discovered in the DHCP daemon's init script ('/etc/init.d/dhcpd'). A local attacker could use this flaw to overwrite an arbitrary file with the output of the 'dhcpd -t' command via a symbolic link attack, if a system administrator executed the DHCP init script with the 'configtest', 'restart', or 'reload' option. (CVE-2009-1893) Users of DHCP should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 39801
    published 2009-07-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39801
    title CentOS 3 : dhcp (CESA-2009:1154)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1833.NASL
    description Several remote vulnerabilities have been discovered in ISC's DHCP implementation : - CVE-2009-0692 It was discovered that dhclient does not properly handle overlong subnet mask options, leading to a stack-based buffer overflow and possible arbitrary code execution. - CVE-2009-1892 Christoph Biedl discovered that the DHCP server may terminate when receiving certain well-formed DHCP requests, provided that the server configuration mixes host definitions using 'dhcp-client-identifier' and 'hardware ethernet'. This vulnerability only affects the lenny versions of dhcp3-server and dhcp3-server-ldap.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 44698
    published 2010-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44698
    title Debian DSA-1833-1 : dhcp3 - several vulnerabilities
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090714_DHCP_ON_SL3_X.NASL
    description The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) An insecure temporary file use flaw was discovered in the DHCP daemon's init script ('/etc/init.d/dhcpd'). A local attacker could use this flaw to overwrite an arbitrary file with the output of the 'dhcpd -t' command via a symbolic link attack, if a system administrator executed the DHCP init script with the 'configtest', 'restart', or 'reload' option. (CVE-2009-1893)
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60615
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60615
    title Scientific Linux Security Update : dhcp on SL3.x, SL4.x i386/x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-9075.NASL
    description Do not require policycoreutils when installing dhcp or dhclient packages. If you have the package installed, the /sbin/restorecon program will be used by dhclient-script and the dhcpd init script. This update to the dhcp package includes fixes for CVE-2009-0692 and CVE-2009-1892. More information on these issues is available here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892 Note: CVE-2009-0692 had no security consequences on Fedora, thanks to the use of FORTIFY_SOURCE. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 42454
    published 2009-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42454
    title Fedora 11 : dhcp-4.1.0p1-4.fc11 (2009-9075)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2009-0014.NASL
    description a. Service Console update for DHCP and third-party library update for DHCP client. DHCP is an Internet-standard protocol by which a computer can be connected to a local network, ask to be given configuration information, and receive from a server enough information to configure itself as a member of that network. A stack-based buffer overflow in the script_write_params method in ISC DHCP dhclient allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0692 to this issue. An insecure temporary file use flaw was discovered in the DHCP daemon's init script ('/etc/init.d/dhcpd'). A local attacker could use this flaw to overwrite an arbitrary file with the output of the 'dhcpd -t' command via a symbolic link attack, if a system administrator executed the DHCP init script with the 'configtest', 'restart', or 'reload' option. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1893 to this issue. b. Updated Service Console package kernel Service Console package kernel update to version kernel-2.4.21-58.EL. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-4210, CVE-2008-3275, CVE-2008-0598, CVE-2008-2136, CVE-2008-2812, CVE-2007-6063, CVE-2008-3525 to the security issues fixed in kernel-2.4.21-58.EL c. JRE Security Update JRE update to version 1.5.0_18, which addresses multiple security issues that existed in earlier releases of JRE. 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_17: CVE-2008-2086, CVE-2008-5347, CVE-2008-5348, CVE-2008-5349, CVE-2008-5350, CVE-2008-5351, CVE-2008-5352, CVE-2008-5353, CVE-2008-5354, CVE-2008-5356, CVE-2008-5357, CVE-2008-5358, CVE-2008-5359, CVE-2008-5360, CVE-2008-5339, CVE-2008-5342, CVE-2008-5344, CVE-2008-5345, CVE-2008-5346, CVE-2008-5340, CVE-2008-5341, CVE-2008-5343, and CVE-2008-5355. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 42179
    published 2009-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42179
    title VMSA-2009-0014 : VMware ESX patches for DHCP, Service Console kernel, and JRE resolve multiple security issues
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1154.NASL
    description Updated dhcp packages that fix two security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) An insecure temporary file use flaw was discovered in the DHCP daemon's init script ('/etc/init.d/dhcpd'). A local attacker could use this flaw to overwrite an arbitrary file with the output of the 'dhcpd -t' command via a symbolic link attack, if a system administrator executed the DHCP init script with the 'configtest', 'restart', or 'reload' option. (CVE-2009-1893) Users of DHCP should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 39799
    published 2009-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39799
    title RHEL 3 : dhcp (RHSA-2009:1154)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-312.NASL
    description A vulnerability has been found and corrected in ISC DHCP : Integer overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before 3.1.1; and the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528; allows remote attackers to cause a denial of service (daemon crash) or execute arbitrary code via a malformed DHCP packet with a large dhcp-max-message-size that triggers a stack-based buffer overflow, related to servers configured to send many DHCP options to clients (CVE-2007-0062). Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option (CVE-2009-0692). ISC DHCP Server is vulnerable to a denial of service, caused by the improper handling of DHCP requests. If the host definitions are mixed using dhcp-client-identifier and hardware ethernet, a remote attacker could send specially crafted DHCP requests to cause the server to stop responding (CVE-2009-1892). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers This update provides fixes for this vulnerability.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 42998
    published 2009-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42998
    title Mandriva Linux Security Advisory : dhcp (MDVSA-2009:312)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2009-0014_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components : - ISC DHCP dhclient - Integrated Services Digital Network (ISDN) subsystem - Java Runtime Environment (JRE) - Java SE Development Kit (JDK) - Java SE Web Start - Linux kernel - Linux kernel 32-bit and 64-bit emulation - Linux kernel Simple Internet Transition INET6 - Linux kernel tty - Linux kernel virtual file system (VFS) - Red Hat dhcpd init script for DHCP - SBNI WAN driver
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 89116
    published 2016-03-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89116
    title VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0014) (remote check)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_DHCP-6335.NASL
    description The DHCP client (dhclient) could be crashed by a malicious DHCP server sending an overlong subnet field. (CVE-2009-0692) In some circumstances code execution might be possible, but might be caught by the buffer overflow checking in newer distributions. (SLES 10 and 11).
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 41502
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41502
    title SuSE 10 Security Update : dhclient (ZYPP Patch Number 6335)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-151.NASL
    description A vulnerability has been found and corrected in ISC DHCP : Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option (CVE-2009-0692). This update provides fixes for this vulnerability.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 39804
    published 2009-07-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39804
    title Mandriva Linux Security Advisory : dhcp (MDVSA-2009:151)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_DHCP-090626.NASL
    description The DHCP client (dhclient) could be crashed by a malicious DHCP server sending an overlong subnet field. (CVE-2009-0692) In some circumstances code execution might be possible, but is likely caught by the buffer overflow checking of the FORTIFY_SOURCE extension.
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 40212
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40212
    title openSUSE Security Update : dhcp (dhcp-1067)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-803-1.NASL
    description It was discovered that the DHCP client as included in dhcp3 did not verify the length of certain option fields when processing a response from an IPv4 dhcp server. If a user running Ubuntu 6.06 LTS or 8.04 LTS connected to a malicious dhcp server, a remote attacker could cause a denial of service or execute arbitrary code as the user invoking the program, typically the 'dhcp' user. For users running Ubuntu 8.10 or 9.04, a remote attacker should only be able to cause a denial of service in the DHCP client. In Ubuntu 9.04, attackers would also be isolated by the AppArmor dhclient3 profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 39800
    published 2009-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39800
    title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : dhcp3 vulnerability (USN-803-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1136.NASL
    description From Red Hat Security Advisory 2009:1136 : Updated dhcp packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 4.7 Extended Update Support. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) Users of DHCP should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67886
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67886
    title Oracle Linux 4 : dhcp (ELSA-2009-1136)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12447.NASL
    description The DHCP client (dhclient) could be crashed by a malicious DHCP server sending an overlong subnet field. Under some circumstances remote code execution might be possible by exploiting the resulting buffer overflow. This issue has been tracked by CVE-2009-0692.
    last seen 2019-02-21
    modified 2012-04-23
    plugin id 41310
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41310
    title SuSE9 Security Update : dhcp-client (YOU Patch Number 12447)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_DHCP-090626.NASL
    description The DHCP client (dhclient) could be crashed by a malicious DHCP server sending an overlong subnet field. (CVE-2009-0692) In some circumstances code execution might be possible, but is likely caught by the buffer overflow checking of the FORTIFY_SOURCE extension.
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 39950
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39950
    title openSUSE Security Update : dhcp (dhcp-1067)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200907-12.NASL
    description The remote host is affected by the vulnerability described in GLSA-200907-12 (ISC DHCP: dhcpclient Remote execution of arbitrary code) The Mandriva Linux Engineering Team has reported a stack-based buffer overflow in the subnet-mask handling of dhclient. Impact : A remote attacker might set up a rogue DHCP server in a victim's local network, possibly leading to the execution of arbitrary code with root privileges. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 39797
    published 2009-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39797
    title GLSA-200907-12 : ISC DHCP: dhcpclient Remote execution of arbitrary code
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-8344.NASL
    description This update to the dhcp package includes fixes for CVE-2009-0692 and CVE-2009-1892. More information on these issues is available here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892 Note: CVE-2009-0692 had no security consequences on Fedora, thanks to the use of FORTIFY_SOURCE. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 40774
    published 2009-08-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40774
    title Fedora 10 : dhcp-4.0.0-37.fc10 (2009-8344)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_DHCP-6336.NASL
    description The DHCP client (dhclient) could be crashed by a malicious DHCP server sending an overlong subnet field. (CVE-2009-0692) In some circumstances code execution might be possible, but is likely caught by the buffer overflow checking of the FORTIFY_SOURCE extension.
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 41996
    published 2009-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41996
    title openSUSE 10 Security Update : dhcp (dhcp-6336)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_C444C8B7716911DE9AB7000C29A67389.NASL
    description US-CERT reports : The ISC DHCP dhclient application contains a stack-based buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code with root privileges.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 39802
    published 2009-07-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39802
    title FreeBSD : isc-dhcp-client -- Stack overflow vulnerability (c444c8b7-7169-11de-9ab7-000c29a67389)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2009-195-01.NASL
    description New dhcp packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a security issue with dhclient. Note that dhclient is not the default DHCP client in Slackware's networking scripts, dhcpcd is. However, if you use dhclient on a network where someone could deploy a hostile DHCP server, you should upgrade to the new package.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 39796
    published 2009-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39796
    title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 8.1 / 9.0 / 9.1 / current : dhcp (SSA:2009-195-01)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1136.NASL
    description Updated dhcp packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 4.7 Extended Update Support. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) Users of DHCP should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 39798
    published 2009-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39798
    title RHEL 4 : dhcp (RHSA-2009:1136)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-803-2.NASL
    description USN-803-1 fixed a vulnerability in Dhcp. Due to an error, the patch to fix the vulnerability was not properly applied on Ubuntu 8.10 and higher. Even with the patch improperly applied, the default compiler options reduced the vulnerability to a denial of service. Additionally, in Ubuntu 9.04 and higher, users were also protected by the AppArmor dhclient3 profile. This update fixes the problem. It was discovered that the DHCP client as included in dhcp3 did not verify the length of certain option fields when processing a response from an IPv4 dhcp server. If a user running Ubuntu 6.06 LTS or 8.04 LTS connected to a malicious dhcp server, a remote attacker could cause a denial of service or execute arbitrary code as the user invoking the program, typically the 'dhcp' user. For users running Ubuntu 8.10 or 9.04, a remote attacker should only be able to cause a denial of service in the DHCP client. In Ubuntu 9.04, attackers would also be isolated by the AppArmor dhclient3 profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 44326
    published 2010-01-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44326
    title Ubuntu 8.10 / 9.04 / 9.10 : dhcp3 vulnerability (USN-803-2)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_DHCP-CLIENT-090626.NASL
    description The DHCP client (dhclient) could be crashed by a malicious DHCP server sending an overlong subnet field. (CVE-2009-0692) In some circumstances code execution might be possible, but might be caught by the buffer overflow checking in newer distributions. (SLES 10 and 11).
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 41383
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41383
    title SuSE 11 Security Update : dhcp-client (SAT Patch Number 1041)
oval via4
  • accepted 2013-04-29T04:08:26.614-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    description Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.
    family unix
    id oval:org.mitre.oval:def:10758
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.
    version 24
  • accepted 2010-01-11T04:01:30.677-05:00
    class vulnerability
    contributors
    name Michael Wood
    organization Hewlett-Packard
    definition_extensions
    • comment VMWare ESX Server 3.0.3 is installed
      oval oval:org.mitre.oval:def:6026
    • comment VMware ESX Server 3.5.0 is installed
      oval oval:org.mitre.oval:def:5887
    description Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.
    family unix
    id oval:org.mitre.oval:def:5941
    status accepted
    submitted 2009-09-23T15:39:02.000-04:00
    title DHCP dhclient Stack Overflow in script_write_params() Lets Remote Users Execute Arbitrary Code
    version 4
packetstorm via4
data source https://packetstormsecurity.com/files/download/79651/iscdhcp-overflow.txt
id PACKETSTORM:79651
last seen 2016-12-05
published 2009-07-28
reporter Jon Oberheide
source https://packetstormsecurity.com/files/79651/ISC-DHCP-dhclient-Buffer-Overflow.html
title ISC DHCP dhclient Buffer Overflow
redhat via4
advisories
  • bugzilla
    id 507717
    title CVE-2009-0692 dhclient: stack overflow leads to arbitrary code execution as root
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20060016001
    • OR
      • AND
        • comment dhclient is earlier than 7:3.0.1-65.el4_8.1
          oval oval:com.redhat.rhsa:tst:20091136006
        • comment dhclient is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20091136007
      • AND
        • comment dhcp is earlier than 7:3.0.1-65.el4_8.1
          oval oval:com.redhat.rhsa:tst:20091136002
        • comment dhcp is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20091136003
      • AND
        • comment dhcp-devel is earlier than 7:3.0.1-65.el4_8.1
          oval oval:com.redhat.rhsa:tst:20091136004
        • comment dhcp-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20091136005
    rhsa
    id RHSA-2009:1136
    released 2009-07-14
    severity Critical
    title RHSA-2009:1136: dhcp security update (Critical)
  • rhsa
    id RHSA-2009:1154
rpms
  • dhclient-7:3.0.1-65.el4_8.1
  • dhcp-7:3.0.1-65.el4_8.1
  • dhcp-devel-7:3.0.1-65.el4_8.1
  • dhclient-7:3.0.1-10.2_EL3
  • dhcp-7:3.0.1-10.2_EL3
  • dhcp-devel-7:3.0.1-10.2_EL3
refmap via4
bid 35668
cert-vn VU#410676
confirm
debian DSA-1833
fedora
  • FEDORA-2009-8344
  • FEDORA-2009-9075
gentoo GLSA-200907-12
hp
  • HPSBMA02554
  • SSRT100018
mandriva MDVSA-2009:151
netbsd NetBSD-SA2009-010
osvdb 55819
sectrack 1022548
secunia
  • 35785
  • 35829
  • 35830
  • 35831
  • 35832
  • 35841
  • 35849
  • 35850
  • 35851
  • 35880
  • 36457
  • 37342
  • 40551
slackware SSA:2009-195-01
suse SUSE-SA:2009:037
ubuntu USN-803-1
vupen
  • ADV-2009-1891
  • ADV-2010-1796
statements via4
contributor Tomas Hoger
lastmodified 2009-07-16
organization Red Hat
statement This issue affected the dhcp packages as shipped with Red Hat Enterprise Linux 3 and 4. Updated packages to correct this issue are available via Red Hat Network: https://rhn.redhat.com/errata/CVE-2009-0692.html This issue did not affect the dhcp packages as shipped with Red Hat Enterprise Linux 5 due to the use of the FORTIFY_SOURCE protection mechanism that changes the exploitability of the issue into a controlled application termination.
Last major update 21-08-2010 - 01:30
Published 14-07-2009 - 16:30
Last modified 28-09-2017 - 21:33