Two vulnerabilities have been reported in DHCP, which potentially can be exploited by malicious people to cause a Denial of Service or compromise a vulnerable system.

1) The vulnerability is caused due to a boundary error within the logging functionality. Hostname options are concatenated and stored temporarily in a 1024 byte fixed-length buffer, if they consist of ASCII characters only. This can be exploited to cause a buffer overflow by sending a DHCP request with several long hostname options to a vulnerable system.

2) On certain platforms the vsnprintf() function isn't supported, and the vsprintf() function is therefore used instead. This potentially allows malicious people to cause a buffer overflow. Reportedly, issue 1 will be triggered before issue 2.

The vulnerabilities have been reported in ISC DHCP 3.0.1rc12 and ISC DHCP 3.0.1rc13

The first vulnerability is believed to be exploitable on all platforms.

The second vulnerability reportedly affects the following platforms:
* AIX
* AlphaOS
* Cygwin32
* HP-UX
* Irix
* Linux
* NextStep
* SCO
* SunOS 4
* SunOS 5.5
* Ultrix

Solution
This has been resolved in version 3.0.1rc14.
Further details available in Customer Area

Provided and/or discovered by
Gregory Duchemin and Solar Designer.

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area