NetBSD Security Advisory: dhclient vulnerability
Jul 10, 2000, 22:34 (0 Talkback[s])
Re-Imagining Linux Platforms to Meet the Needs of Cloud Service Providers
Date: Mon, 10 Jul 2000 12:15:33 -0400
Subject: NetBSD Security Advisory 2000-008
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2000-008
Topic: dhclient vulnerability
Severity: possible remote root access from rogue dhcp server.
The DHCP client program, dhclient(8), did not correctly handle DHCP
options it receives in DHCP response messages, possibly permitting a
rogue dhcp server to send maliciously formed options which resulted in
a remote root compromise.
dhclient uses a shell script, /etc/dhclient-script, to make changes to
system configurations based on configuration information received from
a DHCP server. Unfortunately, dhcp options values were passed from
dhclient to the script without sufficient quoting.
Maliciously formed messages could therefore exploit shell features to
trick the script into executing arbitrary shell commands. Since
dhclient-script needs to run as root to reconfigure system interfaces,
these arbitrary commands would also be executed as root.
Solutions and Workarounds
Systems running NetBSD-1.4.2 and prior may be vulnerable. Systems
running NetBSD-current from before 20000625 or NetBSD-release from
before 20000629 may be vulnerable.
If your system does not and will never run the "/sbin/dhclient" daemon
to dynamically obtain an IP address, your system is not vulnerable to
% ps auxww | grep dhclient
will show if dhclient is running on a system.
Systems running versions of NetBSD prior to 1.4 should be upgraded to
NetBSD 1.4.2 or a newer release.
If you are running any NetBSD 1.4.x release, you should download the
patch listed below, and apply it to src/usr.sbin/dhcp/client/options.c
using the patch(1) command. If you are running NetBSD-current or
NetBSD-release, you should update your source tree (with either sup or
In both cases you should then rebuild and reinstall DHCP:
% cd src/usr.sbin/dhcp
% make all
# make install
You should then kill off and restart any existing dhclient processes.
Patch for all releases of 1.4.x:
Todd Fries and others of OpenBSD (for discovery of the problem),
Jun-ichiro Hagino , and Ted Lemon of ISC.
2000/06/28 - Initial version.
2000/07/08 - Released
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and .http://www.NetBSD.ORG/Security/
Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2000-008.txt,v 1.2 2000/07/08 21:03:10 sommerfeld Exp $
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----