The ISC DHCP Client Can be Used to Deliver Bash-Bug Payload
Michael McNally
mcnally at isc.org
Fri Sep 26 20:09:13 UTC 2014
A message from Internet Systems Consortium (ISC) to our DHCP client
(dhclient) users:
As most of you are no doubt aware, this week saw the disclosure
of a very serious security flaw in the "Bourne-again Shell", bash.
(see: CVE-2014-6271, and CVE-2014-7169)
The flaw allows remote execution of arbitrary commands by the
shell if an attacker can cause data to be passed to the shell as
the value of a shell environment variable.
Despite reports to the contrary saying that a 2011 change
(CVE-2011-0997) to dhclient prevents exploitation of this flaw,
ISC has confirmed that the DHCP client provided as a part of
ISC DHCP can be used to exploit the bash vulnerability if the
operator of a rogue DHCP server passes a specially constructed
value as the payload of a DHCP option field.
For this and many other reasons, all users running a vulnerable
version of bash are advised to update to a secured version as
quickly as possible.
Michael McNally
ISC Support
Postscript:
Readers will naturally want to know whether other ISC products
can be used to exploit this condition. We know of no vulnerability
in the ISC DHCP server or in BIND that can be used as a vector
to exploit the bash flaw, and many users do not use the affected
DHCP client (instead configuring statically or using the client
provided by their OS maintainer.) We nevertheless strongly recommend
that the best course of action is to upgrade to a secure version
of bash due to the seriousness of this flaw.
Related links:
https://kb.isc.org/article/AA-00455/75/CVE-2011-0997
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
More information about the dhcp-users
mailing list