oss-sec mailing list archives
Re: CVE Request: dhcpcd DoS attack
From: cve-assign () mitre org
Date: Mon, 1 Sep 2014 17:43:40 -0400 (EDT)
http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0
In function get_option, the DHO_OPTIONSOVERLOADED option checks if there are overloaded options, like bootfile or servername. It tries to make sure that it's called only once, BUT overwrites that information after receiving a DHO_END. A malicious server could set the option DHO_OPTIONSOVERLOADED yet another time in the bootfile or servername section, which will result in another jump -- maybe into the same area.
dhcpcd-4.0.0 through dhcpcd-6.4.2 are vulnerable
dhcpcd-6.4.3 has been released with the above fix.
Use CVE-2014-6060. Presumably this crosses privilege boundaries. (The type of DoS impact is not stated, and the server is implicitly allowed to conduct some types of DoS attacks against the client -- for example, by refusing to allocate an IP address.)

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
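The once-only overload handling discussed in the message above, as an added C example (not dhcpcd's code or its fix, and not part of the original post): the overload option (code 52 in RFC 2132) is honoured only in the main options field, and the file and sname areas are each scanned at most once. `struct area`, `scan_area`, `get_option_once` and the sample byte arrays are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
enum { OPT_PAD = 0, OPT_OVERLOAD = 52, OPT_END = 255 }; /* RFC 2132 codes */
enum { OVL_FILE = 1, OVL_SNAME = 2 };                   /* overload value bits */
struct area { const uint8_t *p; size_t len; };          /* hypothetical type */

/* Scan one area for `want`: 1 = found, 0 = absent, -1 = malformed. `ovl` is
 * non-NULL only for the main options field, so an overload option planted
 * inside file/sname cannot schedule another jump. */
static int scan_area(struct area a, uint8_t want, struct area *out, uint8_t *ovl) {
    size_t i = 0;
    while (i < a.len) {
        uint8_t code = a.p[i++];
        if (code == OPT_PAD) continue;
        if (code == OPT_END) break;
        if (i >= a.len) return -1;            /* length byte missing */
        uint8_t l = a.p[i++];
        if (l > a.len - i) return -1;         /* value overruns the area */
        if (code == want) { out->p = a.p + i; out->len = l; return 1; }
        if (code == OPT_OVERLOAD && ovl && l == 1)
            *ovl |= a.p[i] & (OVL_FILE | OVL_SNAME);
        i += l;
    }
    return 0;
}

/* Visit options, then file, then sname, each at most once: *scans <= 3
 * whatever the server sends, so the lookup always terminates. */
int get_option_once(struct area opts, struct area file, struct area sname,
                    uint8_t want, struct area *out, int *scans) {
    uint8_t ovl = 0;
    int r = scan_area(opts, want, out, &ovl);
    *scans = 1;
    if (r == 0 && (ovl & OVL_FILE))  { r = scan_area(file, want, out, NULL);  ++*scans; }
    if (r == 0 && (ovl & OVL_SNAME)) { r = scan_area(sname, want, out, NULL); ++*scans; }
    return r;
}

/* Constructed sample: every area sets overload = 3; sname also holds option 12. */
static const uint8_t S_OPTS[]  = { 52, 1, 3, 255 };
static const uint8_t S_FILE[]  = { 52, 1, 3, 255 };
static const uint8_t S_SNAME[] = { 52, 1, 3, 12, 2, 'a', 'b', 255 };

int main(void) {
    struct area o = { S_OPTS, sizeof S_OPTS }, f = { S_FILE, sizeof S_FILE },
                s = { S_SNAME, sizeof S_SNAME }, out = { 0, 0 };
    int scans = 0;
    return !(get_option_once(o, f, s, 12, &out, &scans) == 1 && scans == 3);
}
```
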
Current thread:
- CVE Request: dhcpcd DoS attack Roy Marples (Jul 30)
- Re: CVE Request: dhcpcd DoS attack Kristian Fiskerstrand (Sep 01)
- Re: CVE Request: dhcpcd DoS attack Florian Weimer (Sep 01)
- Re: CVE Request: dhcpcd DoS attack cve-assign (Sep 01)
- Re: CVE Request: dhcpcd DoS attack Kristian Fiskerstrand (Sep 01)