Thursday, March 8, 2018

Security update: Buffer overflow in the DHCP client

[2018-03-14]

Updated blog post with the information about CentOS' package

--------

[2018-03-13]

Updated blog post with the information about Red Hat's and Oracle Linux's packages

--------

A new security vulnerability in the DHCP client has been discovered. This allows a malicious server (or an entity masquerading as a server) to cause a buffer overflow in dhclient by sending a response containing a specially constructed options section. You can find more information about this in the DHCP official announcement.

This buffer overflow can result in a crash due to an out-of-bounds memory access if the client receives and processes a triggering response packet. However, buffer overflow outcomes might vary depending on the operating system. Outcomes such as remote code execution may also be possible in some circumstances.

Versions affected are:
  • 4.1.0 -> 4.1-ESV-R15
  • 4.2.0 -> 4.2.8
  • 4.3.0 -> 4.3.6
  • 4.4.0
Bitnami-packaged images might be affected by this issue if the dhclient tool hasn't been updated. At the same time of this security issue, another security vulnerability in the DHCP server component was published but we want to clarify that none of our solutions include that package installed by default.

When this security issue was found, another security vulnerability in the DHCP server component was published but we want to clarify that none of our solutions include that package installed by default.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami and our team is working to update all of the affected Virtual Machines and Cloud Images available through Bitnami for all Cloud Providers. We will keep you updated in this blog post.

How to mitigate the issue


In the meantime, you can mitigate this problem by updating the tool using the package manager included with your operating system.

Amazon Linux

    There is not any new version of the package yet

RedHat / CentOS / Oracle Server

    yum install dhcp-common

Ubuntu / Debian

    sudo apt-get install isc-dhcp-client

Once updated, you will have one of the following version:

Amazon Linux

    There is not any new version of the package yet

RedHat

    4.2.5-58.el7_4.3

CentOS

    4.2.5-58.el7.centos.3

Oracle Server

    4.2.5-58.0.1.el7_4.3

Ubuntu

    4.3.3-5ubuntu12.9

Debian

    jessie: 4.3.1-6+deb8u3
    stretch: 4.3.5-3+deb9u1


How to obtain the installed version of the package


To check the currently installed version on your system:

RedHat / CentOS / Oracle Server / Amazon Linux

    sudo yum -q info installed dhcp-common

Ubuntu / Debian

    sudo dpkg -s isc-dhcp-client

If you have additional questions about this security issue, post them in our community forum, and we will be happy to help you.

No comments:

Post a Comment

Please use our community forum if you have any questions community.bitnami.com