Control: severity -1 important
Control: tags -1 = security

Hey.

Still cannot believe that this hasn't been dealt with after so many years... o.O

As explained previously, dhclient doesn't seem to allow disabling certain security-relevant options from being received (and configured) from the server. For example, even when setting:

    request subnet-mask, broadcast-address, time-offset, routers,
            domain-name-servers, dhcp6.name-servers, dhcp6.fqdn,
            netbios-name-servers, netbios-scope, interface-mtu,
            rfc3442-classless-static-routes;

it would still take NTP servers, domain search path, etc. from the server if that offers it.

These values however are quite security critical. A rogue DHCP server may direct any client (e.g. a notebook connected to any public network) to use an evil NTP server, which could ultimately lead to a wrong system time being set, which in turn could lead to expired certificates, software updates, etc. being used. Similarly, playing around with the domain search path could trick a system into using/trusting/etc. the wrong names.

supersede isn't really of any help here since a) it doesn't seem to properly work in all places, and b) one cannot use it to just "unset" a server provided value (i.e. using the empty string or so doesn't work).

I just stumbled over this issue again, when we observed a successful attack on two of our institute's notebooks. Turned out in the end that their time/date must have been influenced maliciously...

Michael, I've seen you've removed important, security and added unreproducible without any further explanations... o.O Adding these back, as the above examples clearly show that this can be exploited,... further removing unreproducible as it was even confirmed before by Felix and reproduction seems straight-forward.

Cheers,
Chris.
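
A check for the behaviour reported above, as an added example that is not part of the original message: it compares the request list in dhclient.conf text with the options recorded in the newest DHCPv4 lease block and reports the ones that were never requested. The sample config and lease are constructed, and both the set of ignored protocol options and the premise that the lease file records every option the client accepted are assumptions.

```python
import re

# Options the DHCP protocol itself puts in every lease; not a sign of anything
# (assumption: this baseline set, adjust for your environment).
PROTOCOL_OPTIONS = {"dhcp-lease-time", "dhcp-message-type", "dhcp-server-identifier",
                    "dhcp-renewal-time", "dhcp-rebinding-time"}

def requested_options(conf_text):
    """Option names listed in the request statement(s) of dhclient.conf text."""
    conf = re.sub(r"#.*", "", conf_text)              # drop comments
    names = set()
    for stmt in re.findall(r"\brequest\s+([^;]*);", conf):
        names.update(n.strip() for n in stmt.split(",") if n.strip())
    return names

def lease_options(lease_text):
    """{option: value} from the last DHCPv4 lease block of a leases file."""
    blocks = re.findall(r"lease\s*\{([^}]*)\}", lease_text)
    if not blocks:
        return {}
    return dict(re.findall(r"^\s*option\s+([\w.-]+)\s+(.*?);\s*$", blocks[-1], flags=re.M))

def unrequested(conf_text, lease_text, ignore=PROTOCOL_OPTIONS):
    """Options the server supplied and dhclient recorded although never requested."""
    asked = requested_options(conf_text)
    got = lease_options(lease_text)
    return {k: v for k, v in sorted(got.items()) if k not in asked and k not in ignore}

# Constructed sample input (not taken from the report).
SAMPLE_CONF = """
request subnet-mask, broadcast-address, time-offset, routers,
        domain-name-servers, interface-mtu;   # no ntp-servers, no domain-search
"""
SAMPLE_LEASE = """
lease {
  interface "eth0";
  fixed-address 192.0.2.50;
  option subnet-mask 255.255.255.0;
  option routers 192.0.2.1;
  option dhcp-lease-time 3600;
  option dhcp-message-type 5;
  option domain-name-servers 192.0.2.1;
  option dhcp-server-identifier 192.0.2.1;
  option ntp-servers 203.0.113.66;
  option domain-search "untrusted.example.";
  renew 2 2024/01/02 10:00:00;
}
"""
if __name__ == "__main__":
    for name, value in unrequested(SAMPLE_CONF, SAMPLE_LEASE).items():
        print(f"unrequested option accepted: {name} = {value}")
```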

