severity 820069 important
tags 820069 security

I was hit by this bug last night. After plugging a new Internet provider into my local network, my Debian router automatically added an IP address and default route to the new device. This resulted in my entire home's Internet access being disrupted as the router tried to route traffic via the new device. What's worse is that when the default route is removed it's automatically added back.

dhcpcd is STILL bringing up this interface even after disabling the DHCP server on the AT&T device. The IP address that dhcpcd added is not visible in ifconfig. It only shows up when you run 'ip addr list'.

This is a very serious security bug. This bug could easily be exploited by an attacker to force routing of traffic via the attacker's device.

Relevant logs/config files:

Jan 17 03:56:32 raspberrypi dhcpcd[16922]: eth0: Router Advertisement from fe80:[removed]
Jan 17 03:56:32 raspberrypi dhcpcd[16922]: eth0: adding address [removed ipv6 address]
Jan 17 03:56:32 raspberrypi dhcpcd[16922]: eth0: soliciting a DHCPv6 lease
Jan 17 03:56:35 raspberrypi dhcpcd[16922]: eth0: leased 192.168.1.67 for 86400 seconds
Jan 17 03:56:35 raspberrypi dhcpcd[16922]: eth0: adding route to 192.168.1.0/24
Jan 17 03:56:35 raspberrypi dhcpcd[16922]: eth0: adding default route via 192.168.1.254

/etc/network/interfaces.d/eth0
==============================
auto eth0
iface eth0 inet static
    address [removed]
    netmask 255.255.255.0

auto eth0:0
allow-hotplug eth0:0
iface eth0:0 inet static
    address 192.168.1.1
    netmask 255.255.255.0

/etc/dhcpcd.conf
===============
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;
subnet [removed] netmask 255.255.255.0 {
    range [removed] [removed];
    option broadcast-address [removed];
    option routers [removed];
    default-lease-time 600;
    max-lease-time 7200;
    option domain-name "local-network";
    option domain-name-servers 8.8.8.8, 8.8.4.4;
}

interface eth0
static ip_address [removed]
static domain_name_servers=8.8.8.8 8.8.4.4
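
The log pattern in this report can be checked for automatically. The following is an added example, not part of the original report or of dhcpcd: it scans syslog lines for dhcpcd address and route changes on interfaces that are meant to be statically configured. The sample log lines, host name, addresses and function name are constructed for illustration; the message shapes follow the log lines quoted in the report.

```python
import re

# Message shapes modelled on the dhcpcd syslog lines quoted in the report.
EVENTS = [
    ("router-advertisement", re.compile(r"Router Advertisement from (\S+)")),
    ("default-route", re.compile(r"adding default route via (\S+)")),
    ("route", re.compile(r"adding route to (\S+)")),
    ("address", re.compile(r"adding address (\S+)")),
    ("lease", re.compile(r"leased (\S+) for \d+ seconds")),
]
# Only lines logged by dhcpcd are considered; the interface name precedes the message.
LINE = re.compile(r"dhcpcd\[\d+\]: (?P<iface>[\w.-]+): (?P<msg>.*)$")

def unexpected_changes(lines, static_ifaces):
    """Return (iface, event, value) for dhcpcd actions on interfaces
    the administrator expects to be statically configured."""
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m or m.group("iface") not in static_ifaces:
            continue
        for name, pattern in EVENTS:
            hit = pattern.search(m.group("msg"))
            if hit:
                findings.append((m.group("iface"), name, hit.group(1)))
                break
    return findings

# Constructed sample input (documentation address ranges, hypothetical host name).
SAMPLE_LOG = """\
Jan 17 03:56:32 router dhcpcd[411]: eth0: Router Advertisement from fe80::1
Jan 17 03:56:32 router dhcpcd[411]: eth0: adding address 2001:db8::67/64
Jan 17 03:56:35 router dhcpcd[411]: eth0: leased 192.0.2.67 for 86400 seconds
Jan 17 03:56:35 router dhcpcd[411]: eth0: adding route to 192.0.2.0/24
Jan 17 03:56:35 router dhcpcd[411]: eth0: adding default route via 192.0.2.254
Jan 17 03:57:01 router dhcpcd[411]: wlan0: leased 198.51.100.20 for 3600 seconds
Jan 17 03:57:02 router kernel: eth0: link up
""".splitlines()

if __name__ == "__main__":
    # eth0 is declared static in this constructed scenario; wlan0 may use DHCP.
    for iface, event, value in unexpected_changes(SAMPLE_LOG, {"eth0"}):
        print(f"ALERT {iface}: dhcpcd {event} {value} on static interface")
```
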