DHCP Security Leak

Stephen John Smoogen smooge at gmail.com
Wed May 2 16:54:33 UTC 2007


On 5/2/07, guru.bidari at sirvisetti.com <guru.bidari at sirvisetti.com> wrote:
> >>Date: Tue, 1 May 2007 16:19:00 -0400 (EDT)
> >>Subject: DHCP Security Leak
> >>From: guru.bidari at sirvisetti.com
> >>To: dhcp-users at isc.org
> >>
> >>Hi
> >>
> >>In our infrastructure we are using DHCP, with system-defined lease-period
> >>(24 hours), the IP-address of the pc is refreshed.
> >>
> >>We are using one product called auto print. The way it works, we think
> >>we have a security leak.
> >>
> >>After a user scheduled a job and he logged out before the job is finished
> >>and ftp-ed, it is possible that another user gets that IP-address before
> >>the output is processed.
> >>
> >>This is more of an issue when concurrent request is re-scheduled to run
> >>at an interval.
> >>
> >>So we think that it is a leak that another user on a different pc can get
> >>the output of that request, because that pc has leased the IP-address now.
> >>
> >>Please provide us the solution to overcome this security leak.
> >
> > Instead of ftp back to the original PC, ftp to the user's directory on
> > a server. Set up the permissions so that only that user can read the
> > files in the given directory.
> >
> > This is an application problem, not a DHCP problem.
> >
> > regards,
> > -glenn
>
> We are using the server to ftp it to the directory and permissions are set
> properly for each individual user. The problem we think it is a leak that
> another user on a different pc can get the output of that request, because
> that pc has leased the IP-address.
>

The only solutions I could see to this are:

1) Get a different Oracle product that uses SFTP versus FTP.

2) Use a network switch topology that locks Mac-Address -> Port

3) Use static Mac-Address-IP address in DHCP so that you do not give
out IP addresses to the wrong system

4) Have a larger pool of DHCP addresses so that DHCP does not believe
it needs to regive a lease out due to pool exhaustion.


-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
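
A check for the lease-reuse concern discussed in this thread, added here as an example and not part of the original messages: it reads lease records in the ISC dhcpd.leases layout and reports whether the address a job was submitted from is still held by the same MAC address when the output is delivered. The sample records, addresses and function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the ISC dhcpd.leases layout (times are UTC); not from the thread.
SAMPLE_LEASES = """
lease 192.168.1.50 {
  starts 2 2007/05/01 09:00:00;
  ends 3 2007/05/02 09:00:00;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.50 {
  starts 3 2007/05/02 09:30:00;
  ends 4 2007/05/03 09:30:00;
  hardware ethernet 66:77:88:99:aa:bb;
}
lease 192.168.1.51 {
  starts 2 2007/05/01 10:00:00;
  ends never;
  hardware ethernet 00:11:22:33:44:66;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")

def _when(body, key):
    m = re.search(key + r"\s+\d\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);", body)
    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S") if m else None

def parse_leases(text):
    # Returns (ip, mac, starts, ends) tuples in file order.
    out = []
    for ip, body in LEASE_RE.findall(text):
        mac, starts = MAC_RE.search(body), _when(body, "starts")
        if mac and starts:
            # "ends never;" carries no timestamp, so treat it as open-ended.
            out.append((ip, mac.group(1).lower(), starts, _when(body, "ends") or datetime.max))
    return out

def holder_at(leases, ip, when):
    # Later records in the file override earlier ones, so keep the last match.
    hits = [mac for lip, mac, s, e in leases if lip == ip and s <= when < e]
    return hits[-1] if hits else None

def delivery_risk(leases, ip, submitted, delivered):
    before, after = holder_at(leases, ip, submitted), holder_at(leases, ip, delivered)
    if after is None:
        return "unleased"
    return "same-client" if before == after else "reassigned"
```

A result of "reassigned" means output sent back to the recorded IP address would reach a different machine than the one that submitted the job.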

