The ISC DHCP Client Can be Used to Deliver Bash-Bug Payload

Fri Sep 26 20:09:13 UTC 2014

A message from Internet Systems Consortium (ISC) to our DHCP client
(dhclient) users:

  As most of you are no doubt aware, this week saw the disclosure
  of a very serious security flaw in the "Bourne-again Shell", bash.
  (see: CVE-2014-6271, and CVE-2014-7169)

  The flaw allows remote execution of arbitrary commands by the
  shell if an attacker can cause data to be passed to the shell as
  the value of a shell environment variable.

  Despite reports to the contrary saying that a 2011 change
  (CVE-2011-0997) to dhclient prevents exploitation of this flaw,
  ISC has confirmed that the DHCP client provided as a part of
  ISC DHCP can be used to exploit the bash vulnerability if the
  operator of a rogue DHCP server passes a specially constructed
  value as the payload of a DHCP option field.

  For this and many other reasons, all users running a vulnerable
  version of bash are advised to update to a secured version as
  quickly as possible.

  Michael McNally
  ISC Support

Postscript:

  Readers will naturally want to know whether other ISC products
  can be used to exploit this condition.  We know of no vulnerability
  in the ISC DHCP server or in BIND that can be used as a vector
  to exploit the bash flaw, and many users do not use the affected
  DHCP client (instead configuring statically or using the client
  provided by their OS maintainer.) We nevertheless strongly recommend
  that the best course of action is to upgrade to a secure version
  of bash due to the seriousness of this flaw.