发布时间 :2006-08-09 18:04:00
修订时间 :2011-06-13 00:00:00

[原文]The supersede_lease function in memory.c in ISC DHCP (dhcpd) server 2.0pl5 allows remote attackers to cause a denial of service (application crash) via a DHCPDISCOVER packet with a 32 byte client-identifier, which causes the packet to be interpreted as a corrupt uid and causes the server to exit with "corrupt lease uid."

[CNNVD]ISC DHCP Server 'memory.c' supersede_lease()远程拒绝服务漏洞(CNNVD-200608-173)

        ISC DHCP是一款动态主机配置协议服务器软件。
        ISC DHCP服务器在处理畸形请求时存在漏洞,远程攻击者可能利用此漏洞对服务器执行拒绝服务攻击,导致DHCP服务器崩溃。
        ISC DHCP软件memory.c中的supersede_lease()函数在处理DHCPOFFER报文中的选项时存在问题,远程攻击者可以通过一个32字节长的客户端标志选项字段导致服务器崩溃。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-399 [资源管理错误]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BID  19348
(UNKNOWN)  OPENBSD  [3.9] 20060825 006: SECURITY FIX: August 25, 2006

- 漏洞信息

ISC DHCP Server 'memory.c' supersede_lease()远程拒绝服务漏洞
中危 边界条件错误
2006-08-09 00:00:00 2006-08-31 00:00:00
        ISC DHCP是一款动态主机配置协议服务器软件。
        ISC DHCP服务器在处理畸形请求时存在漏洞,远程攻击者可能利用此漏洞对服务器执行拒绝服务攻击,导致DHCP服务器崩溃。
        ISC DHCP软件memory.c中的supersede_lease()函数在处理DHCPOFFER报文中的选项时存在问题,远程攻击者可以通过一个32字节长的客户端标志选项字段导致服务器崩溃。

- 公告与补丁


- 漏洞信息 (F49044)

Debian Linux Security Advisory 1143-1 (PacketStormID:F49044)
2006-08-18 00:00:00

Debian Security Advisory 1143-1 - Justin Winschief and Andrew Steets discovered a bug in dhcp, the DHCP server for automatic IP address assignment, which causes the server to unexpectedly exit.

Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1143-1                                       Martin Schulze
August 4th, 2006              
- --------------------------------------------------------------------------

Package        : dhcp
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3122
Debian Bug     : 380273

Justin Winschief and Andrew Steets discovered a bug in dhcp, the DHCP
server for automatic IP address assignment, which causes the server to
unexpectedly exit.

For the stable distribution (sarge) this problem has been fixed in
version 2.0pl5-19.1sarge2.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your dhcp package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:
      Size/MD5 checksum:      687 f73fef2e9996c07f813e8b44cf058fed
      Size/MD5 checksum:    86660 931619c25909dde0f8278502d089a509
      Size/MD5 checksum:   294909 ab22f363a7aff924e2cc9d1019a21498

  Alpha architecture:
      Size/MD5 checksum:   123178 1d36fdc0bdee24e63ddd68290de55d42
      Size/MD5 checksum:   115486 bf17b3f6d1d23a4f24f63dc8dee47c4f
      Size/MD5 checksum:    80526 c23b5a983212426881e79e42abb08103

  AMD64 architecture:
      Size/MD5 checksum:   116010 53d3be3b942892ff1a0cc641152a7c0b
      Size/MD5 checksum:   108676 99eaef8f0c56b81b28e09bf2040dbfe5
      Size/MD5 checksum:    75952 170a4701d80b295679e605cfc56fb955

  ARM architecture:
      Size/MD5 checksum:   114428 e220cadbd5250f55e7a88a8df95ea487
      Size/MD5 checksum:   107212 3a73115a056708b9a6190cbda179ce18
      Size/MD5 checksum:    74422 fdfdb05b69c11736c16a6aea1d8c0aa4

  Intel IA-32 architecture:
      Size/MD5 checksum:   109440 ca711b93042d11f8b5c853c3f648242a
      Size/MD5 checksum:   102220 558d78e22d1f4f909b718c46baa09cc4
      Size/MD5 checksum:    71330 6d5c42ff7f481df025b687b3969a6c25

  Intel IA-64 architecture:
      Size/MD5 checksum:   144842 fe2d7f0eb45fba721e616f25dcdf29bb
      Size/MD5 checksum:   136910 2ab43f384602792ae905ed00ee0b3465
      Size/MD5 checksum:    92922 c87307ed1d553b3309c9d8f5b9a71783

  HP Precision architecture:
      Size/MD5 checksum:   116134 49852e02e411112adb6ad7acdee24c31
      Size/MD5 checksum:   109042 6c117a4f8bb1cb0cf74f3e92baaf20e1
      Size/MD5 checksum:    76740 6cc2f2822a7aa36b18eaaaae453d96a9

  Motorola 680x0 architecture:
      Size/MD5 checksum:   108782 fb3680aa3ea521fb4e77642cc47ac102
      Size/MD5 checksum:   101672 9d6d600f9eecb2cda48c5f632e06bdf1
      Size/MD5 checksum:    71418 79acf1203e75efb88a6216a8ed8d7a5b

  Big endian MIPS architecture:
      Size/MD5 checksum:   118566 c1b9855f7bb152ef9e8086a9631a4759
      Size/MD5 checksum:   111614 b22335a1a584a6e03622f92672d564af
      Size/MD5 checksum:    78014 cd698721ca4b076f4021c38e555301c1

  Little endian MIPS architecture:
      Size/MD5 checksum:   118140 0b08da85c43ad35c296a1554bbea0040
      Size/MD5 checksum:   111074 bf434314d3726fc72f1ba520019ad3e5
      Size/MD5 checksum:    77664 65e41b021840dd87d5cc776076ca5f92

  PowerPC architecture:
      Size/MD5 checksum:   112540 0b83ec51591c3d2fc892cef08c25658d
      Size/MD5 checksum:   105446 e80540790b43f62d39d8e8ecccf06196
      Size/MD5 checksum:    73954 ae82323f9af86e64f809cb07165df9c4

  IBM S/390 architecture:
      Size/MD5 checksum:   116578 45547a0804c240a48f90087d19e79b7a
      Size/MD5 checksum:   109366 8915a41a56e4d96080f937ec4e253381
      Size/MD5 checksum:    76834 55b285d1b7fa0cf81f3869441d576f16

  Sun Sparc architecture:
      Size/MD5 checksum:   113842 3800bc8307455eff6a3b38e820c5409f
      Size/MD5 checksum:   106432 921b89e0c14344507cdf3272bc1e0c96
      Size/MD5 checksum:    74860 312464adc38738ae26352b79c270109d

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>

Version: GnuPG v1.4.3 (GNU/Linux)



- 漏洞信息

ISC DHCP Server supersede_lease() Function DHCPDISCOVER Packet Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Vendor Verified

- 漏洞描述

- 时间线

2006-07-28 Unknow
Unknow Unknow

- 解决方案


Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

ISC Memory.C DHCP Server Denial Of Service Vulnerability
Boundary Condition Error 19348
Yes No
2006-08-04 12:00:00 2006-10-24 11:33:00
Justin Winschief and Andrew Steets have been credited with the discovery of this vulnerability.

- 受影响的程序版本

Xerox WorkCentre Pro 275
Xerox WorkCentre Pro 265
Xerox WorkCentre Pro 255
Xerox WorkCentre Pro 245
Xerox WorkCentre Pro 238
Xerox WorkCentre Pro 232
Xerox WorkCentre 275
Xerox WorkCentre 265
Xerox WorkCentre 255
Xerox WorkCentre 245
Xerox WorkCentre 238
Xerox WorkCentre 232
Xerox Document Centre 555
Xerox Document Centre 545
Xerox Document Centre 535
Xerox Document Centre 490 ST
Xerox Document Centre 490
Xerox Document Centre 480 ST
Xerox Document Centre 480 DC
Xerox Document Centre 480
Xerox Document Centre 470 ST
Xerox Document Centre 470
Xerox Document Centre 460 ST
Xerox Document Centre 460
Xerox Document Centre 440 ST
Xerox Document Centre 440 DC
Xerox Document Centre 440
Xerox Document Centre 432 ST
Xerox Document Centre 432
Xerox Document Centre 430
Xerox Document Centre 426
Xerox Document Centre 425 ST
Xerox Document Centre 425
Xerox Document Centre 420 ST
Xerox Document Centre 420
Xerox Document Centre 340 ST
Xerox Document Centre 340
Xerox Document Centre 332 ST
Xerox Document Centre 332
Xerox Document Centre 265 ST
Xerox Document Centre 265
Xerox Document Centre 255 ST
Xerox Document Centre 255
Xerox Document Centre 240 ST
Xerox Document Centre 240
Xerox Document Centre 230 ST
Xerox Document Centre 230
Xerox Document Centre 220 ST
Xerox Document Centre 220
OpenBSD OpenBSD 3.9
OpenBSD OpenBSD 3.8
ISC DHCPD 2.0.pl5
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha

- 漏洞讨论

ISC DHCP server is prone to a denial-of-service vulnerability. This issue occurs when an automatic IP address is assigned to a system.

An attacker can exploit this issue to crash the DHCP server, causing a denial-of-service condititon.

This issue affects version 2 releases of DHCP; version 3 releases are reportedly not affected.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at:

- 解决方案

The vendor has released an advisory to address the issue. The vendor has also stated that DHCP 2.x is end-of-life software, so users may want to upgrade to a current version. Please see the referenced advisories for more information.

OpenBSD OpenBSD 3.9

OpenBSD OpenBSD 3.8

ISC DHCPD 2.0.pl5

- 相关参考