ISC’s DHCP Client Can Be Used as a Delivery Vector for bash Bug

As most of our visitors are already aware, this week saw the disclosure of a very serious security flaw in the “Bourne-again Shell,” bash. (See: CVE-2014-6271, and CVE-2014-7169.)

The flaw allows remote execution of arbitrary commands by the shell if an attacker can cause data to be passed to the shell as the value of a shell environment variable.

Despite reports to the contrary saying that a 2011 change (CVE-2011-0997) to dhclient prevents exploitation of this flaw, ISC has confirmed that the DHCP client provided as a part of ISC DHCP can be used to exploit the bash vulnerability if the operator of a rogue DHCP server passes a specially constructed value as the payload of a DHCP option field.

For this and many other reasons, all users running a vulnerable version of bash are advised to update to a secured version as quickly as possible.

Postscript: Readers will naturally want to know whether other ISC products can be used to exploit this condition. We know of no vulnerability in the ISC DHCP server or in BIND 9 that can be used as a vector to exploit the bash flaw. We nevertheless strongly recommend that the best course of action is to upgrade to a secure version of bash due to the seriousness of this flaw.