ID CVE-2010-3611
Summary ISC DHCP server 4.0 before 4.0.2, 4.1 before 4.1.2, and 4.2 before 4.2.0-P1 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a DHCPv6 packet containing a Relay-Forward message without an address in the Relay-Forward link-address field.
References
Vulnerable Configurations
  • cpe:2.3:a:isc:dhcp:4.0
    cpe:2.3:a:isc:dhcp:4.0
  • ISC DHCP 4.0.1
    cpe:2.3:a:isc:dhcp:4.0.1
  • cpe:2.3:a:isc:dhcp:4.0.1:rc1
    cpe:2.3:a:isc:dhcp:4.0.1:rc1
  • cpe:2.3:a:isc:dhcp:4.0.1:b1
    cpe:2.3:a:isc:dhcp:4.0.1:b1
  • ISC DHCP 4.0.0
    cpe:2.3:a:isc:dhcp:4.0.0
  • ISC DHCP 4.1.1b1
    cpe:2.3:a:isc:dhcp:4.1.1:b1
  • ISC DHCP 4.1.1b2
    cpe:2.3:a:isc:dhcp:4.1.1:b2
  • ISC DHCP 4.1.1
    cpe:2.3:a:isc:dhcp:4.1.1
  • ISC DHCP 4.1.1 release candidate 1
    cpe:2.3:a:isc:dhcp:4.1.1:rc1
  • ISC DHCP 4.1.1b3
    cpe:2.3:a:isc:dhcp:4.1.1:b3
  • ISC DHCP 4.1.0
    cpe:2.3:a:isc:dhcp:4.1.0
  • ISC DHCP 4.2.0
    cpe:2.3:a:isc:dhcp:4.2.0
  • ISC DHCP 4.2.0 release candidate 1
    cpe:2.3:a:isc:dhcp:4.2.0:rc1
  • ISC DHCP 4.2.0 B1
    cpe:2.3:a:isc:dhcp:4.2.0:b2
  • ISC DHCP 4.2.0 B1
    cpe:2.3:a:isc:dhcp:4.2.0:b1
  • ISC DHCP 4.2.0 A2
    cpe:2.3:a:isc:dhcp:4.2.0:a2
  • ISC DHCP 4.2.0 A1
    cpe:2.3:a:isc:dhcp:4.2.0:a1
CVSS
Base: 4.3 (as of 05-11-2010 - 09:35)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity MEDIUM
  • Authentication NONE
Impact
  • Confidentiality NONE
  • Integrity NONE
  • Availability PARTIAL
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0923.NASL
    description From Red Hat Security Advisory 2010:0923 : Updated dhcp packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. DHCPv6 is the DHCP protocol version for IPv6 networks. A NULL pointer dereference flaw was discovered in the way the dhcpd daemon parsed DHCPv6 packets. A remote attacker could use this flaw to crash dhcpd via a specially crafted DHCPv6 packet, if dhcpd was running as a DHCPv6 server. (CVE-2010-3611) Users running dhcpd as a DHCPv6 server should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, all DHCP servers will be restarted automatically.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68151
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68151
    title Oracle Linux 6 : dhcp (ELSA-2010-0923)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0923.NASL
    description Updated dhcp packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. DHCPv6 is the DHCP protocol version for IPv6 networks. A NULL pointer dereference flaw was discovered in the way the dhcpd daemon parsed DHCPv6 packets. A remote attacker could use this flaw to crash dhcpd via a specially crafted DHCPv6 packet, if dhcpd was running as a DHCPv6 server. (CVE-2010-3611) Users running dhcpd as a DHCPv6 server should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, all DHCP servers will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 50850
    published 2010-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50850
    title RHEL 6 : dhcp (RHSA-2010:0923)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-17303.NASL
    description - Thu Nov 4 2010 Jiri Popelka - 12:4.1.1-27.P1 - Fix for CVE-2010-3611 (#649880) - Wed Oct 13 2010 Jiri Popelka - 12:4.1.1-26.P1 - Server was ignoring client's Solicit (where client included address/prefix as a preference) (#634842) - Tue Sep 7 2010 Jiri Popelka - 12:4.1.1-25.P1 - Hardening dhcpd/dhcrelay/dhclient by making them PIE & RELRO - Fri Aug 20 2010 Jiri Popelka - 12:4.1.1-24.P1 - Add DHCRELAYARGS variable to /etc/sysconfig/dhcrelay - Tue Jun 29 2010 Jiri Popelka - 12:4.1.1-23.P1 - Fix parsing of date (#514828) - Thu Jun 3 2010 Jiri Popelka - 12:4.1.1-22.P1 - 4.1.1-P1 (pair of bug fixes including one for a security related bug). - Fix for CVE-2010-2156 (#601405) - Compile with -fno-strict-aliasing - N-V-R (copied from bind.spec): Name-Version-Release.Patch.dist - Mon May 3 2010 Jiri Popelka - 12:4.1.1-21 - Fix the initialization-delay.patch (#587070) - Thu Apr 29 2010 Jiri Popelka - 12:4.1.1-20 - Cut down the 0-4 second delay before sending first DHCPDISCOVER (#587070) - Wed Apr 28 2010 Jiri Popelka - 12:4.1.1-19 - Move /etc/NetworkManager/dispatcher.d/10-dhclient script from dhcp to dhclient subpackage (#586999). - Wed Apr 28 2010 Jiri Popelka - 12:4.1.1-18 - Add domain-search to the list of default requested DHCP options (#586906) - Wed Apr 21 2010 Jiri Popelka - 12:4.1.1-17 - If the Reply was received in response to Renew or Rebind message, client adds any new addresses in the IA option to the IA (#578097) - Mon Apr 19 2010 Jiri Popelka - 12:4.1.1-16 - Fill in Elapsed Time Option in Release/Decline messages (#582939) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 50682
    published 2010-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50682
    title Fedora 13 : dhcp-4.1.1-27.P1.fc13 (2010-17303)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20101130_DHCP_ON_SL6_X.NASL
    description A NULL pointer dereference flaw was discovered in the way the dhcpd daemon parsed DHCPv6 packets. A remote attacker could use this flaw to crash dhcpd via a specially crafted DHCPv6 packet, if dhcpd was running as a DHCPv6 server. (CVE-2010-3611) After installing this update, all DHCP servers will be restarted automatically.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60909
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60909
    title Scientific Linux Security Update : dhcp on SL6.x i386/x86_64
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_F154A3C7F7F411DFB61700E0815B8DA8.NASL
    description ISC reports : If the server receives a DHCPv6 packet containing one or more Relay-Forward messages, and none of them supply an address in the Relay-Forward link-address field, then the server will crash. This can be used as a single packet crash attack vector.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 50815
    published 2010-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50815
    title FreeBSD : isc-dhcp-server -- Empty link-address denial of service (f154a3c7-f7f4-11df-b617-00e0815b8da8)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_DHCP-101108.NASL
    description ISC DHCP can be crashed with a single dhcpv6 packet. CVE-2010-3611 has been assigned to this issue. Additionally a dhcrelay crash when receiving packets on interfaces without assigned IPv4 address has been fixed as well as an infinite loop in dhcpd.
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 75463
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75463
    title openSUSE Security Update : dhcp (dhcp-3484)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-17312.NASL
    description - Fri Nov 5 2010 Jiri Popelka - 12:4.2.0-14.P1 - fix broken dependencies - Thu Nov 4 2010 Jiri Popelka - 12:4.2.0-13.P1 - 4.2.0-P1: fix for CVE-2010-3611 (#649880) - dhclient-script: when updating 'search' statement in resolv.conf, add domain part of hostname if it's not already there (#637763) - Wed Oct 13 2010 Jiri Popelka - 12:4.2.0-12 - Server was ignoring client's Solicit (where client included address/prefix as a preference) (#634842) - Thu Oct 7 2010 Jiri Popelka - 12:4.2.0-11 - Use ping instead of arping in dhclient-script to handle not-on-local-net gateway in ARP-less device (#524298) - Thu Oct 7 2010 Jiri Popelka - 12:4.2.0-10 - Check whether there is any unexpired address in previous lease prior to confirming (INIT-REBOOT) the lease (#585418) - Mon Oct 4 2010 Jiri Popelka - 12:4.2.0-9 - RFC 3442 - ignore Router option only if Classless Static Routes option contains default router - Thu Sep 30 2010 Jiri Popelka - 12:4.2.0-8 - Explicitly clear the ARP cache and flush all addresses & routes instead of bringing the interface down (#574568) - Tue Sep 7 2010 Jiri Popelka - 12:4.2.0-7 - Hardening dhcpd/dhcrelay/dhclient by making them PIE & RELRO Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 50592
    published 2010-11-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50592
    title Fedora 14 : dhcp-4.2.0-14.P1.fc14 (2010-17312)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-226.NASL
    description A vulnerability was discovered and corrected in ISC dhcp : ISC DHCP server 4.0 before 4.0.2, 4.1 before 4.1.2, and 4.2 before 4.2.0-P1 allows remote attackers to cause a denial of service (crash) via a DHCPv6 packet containing a Relay-Forward message without an address in the Relay-Forward link-address field (CVE-2010-3611). The updated packages have been upgraded to 4.1.2 which is not vulnerable to this issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 50558
    published 2010-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50558
    title Mandriva Linux Security Advisory : dhcp (MDVSA-2010:226)
redhat via4
advisories
bugzilla
id 649877
title CVE-2010-3611 dhcp: NULL pointer dereference crash via crafted DHCPv6 packet
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment dhclient is earlier than 12:4.1.1-12.P1.el6_0.1
        oval oval:com.redhat.rhsa:tst:20100923007
      • comment dhclient is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100923008
    • AND
      • comment dhcp is earlier than 12:4.1.1-12.P1.el6_0.1
        oval oval:com.redhat.rhsa:tst:20100923005
      • comment dhcp is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100923006
    • AND
      • comment dhcp-devel is earlier than 12:4.1.1-12.P1.el6_0.1
        oval oval:com.redhat.rhsa:tst:20100923009
      • comment dhcp-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100923010
rhsa
id RHSA-2010:0923
released 2010-11-30
severity Moderate
title RHSA-2010:0923: dhcp security update (Moderate)
rpms
  • dhclient-12:4.1.1-12.P1.el6_0.1
  • dhcp-12:4.1.1-12.P1.el6_0.1
  • dhcp-devel-12:4.1.1-12.P1.el6_0.1
refmap via4
bid 44615
cert-vn VU#102047
confirm
fedora
  • FEDORA-2010-17303
  • FEDORA-2010-17312
mandriva MDVSA-2010:226
osvdb 68999
secunia
  • 42082
  • 42345
  • 42407
suse SUSE-SR:2010:021
vupen
  • ADV-2010-2879
  • ADV-2010-3044
  • ADV-2010-3092
xf iscdhcp-relayforward-dos(62965)
Last major update 14-01-2011 - 01:47
Published 04-11-2010 - 14:00
Last modified 16-08-2017 - 21:33