Send dhcp-users mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/dhcp-users
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of dhcp-users digest..."
Today's Topics:
1. The ISC DHCP Client Can be Used to Deliver Bash-Bug Payload
(Michael McNally)
----------------------------------------------------------------------
Message: 1
Date: Fri, 26 Sep 2014 12:09:13 -0800
From: Michael McNally <[email protected]>
To: Users of ISC DHCP <[email protected]>
Subject: The ISC DHCP Client Can be Used to Deliver Bash-Bug Payload
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1
A message from Internet Systems Consortium (ISC) to our DHCP client
(dhclient) users:
As most of you are no doubt aware, this week saw the disclosure
of a very serious security flaw in the "Bourne-again Shell", bash.
(see: CVE-2014-6271, and CVE-2014-7169)
The flaw allows remote execution of arbitrary commands by the
shell if an attacker can cause data to be passed to the shell as
the value of a shell environment variable.
Despite reports to the contrary saying that a 2011 change
(CVE-2011-0997) to dhclient prevents exploitation of this flaw,
ISC has confirmed that the DHCP client provided as a part of
ISC DHCP can be used to exploit the bash vulnerability if the
operator of a rogue DHCP server passes a specially constructed
value as the payload of a DHCP option field.
For this and many other reasons, all users running a vulnerable
version of bash are advised to update to a secured version as
quickly as possible.
Michael McNally
ISC Support
Postscript:
Readers will naturally want to know whether other ISC products
can be used to exploit this condition. We know of no vulnerability
in the ISC DHCP server or in BIND that can be used as a vector
to exploit the bash flaw, and many users do not use the affected
DHCP client (instead configuring statically or using the client
provided by their OS maintainer). We nevertheless strongly recommend
that the best course of action is to upgrade to a secure version
of bash due to the seriousness of this flaw.
Related links:
https://kb.isc.org/article/AA-00455/75/CVE-2011-0997
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
------------------------------
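As an added example, not ISC code and not part of the message above: the vector described by the advisory is that dhclient hands server-supplied option values to a shell hook (dhclient-script) as environment variables, which is exactly the input the bash flaw keys on. The POSIX sh fragment below shows the defensive check such a hook can apply before exporting anything: a plain string test for the "() {" function-export marker, plus a per-option character allowlist in the spirit of the 2011 dhclient change. The option names (host_name, domain_name, ntp_servers), the allowed-character rules and the sample values are all constructed assumptions for illustration; they are not the rules ISC actually ships.

```shell
#!/bin/sh
# Added example, not ISC code. Validate DHCP-supplied option values before a
# hook script exports them into a shell environment. Option names, the
# hostname alphabet and the sample values below are constructed assumptions.

# looks_like_function_export VALUE
# Succeeds (exit 0) when VALUE begins with the "() {" marker that bash used
# to recognise exported function definitions, which is what CVE-2014-6271 and
# CVE-2014-7169 key on. Pure string matching: the value is never evaluated.
looks_like_function_export() {
  case "$1" in
    '() {'*|'(){'*) return 0 ;;
    *) return 1 ;;
  esac
}

# sanitize_name VALUE
# Prints VALUE with every character outside the hostname alphabet removed.
# Intended for host-name / domain-name style options.
sanitize_name() {
  printf '%s' "$1" | tr -cd 'A-Za-z0-9.-'
}

# check_option NAME VALUE
# Exits 0 when the value is safe to export, 1 otherwise (reason on stderr).
# Options not listed are rejected outright: export is an allowlist.
check_option() {
  name=$1
  value=$2
  if looks_like_function_export "$value"; then
    echo "reject $name: bash function-export marker in value" >&2
    return 1
  fi
  case "$name" in
    host_name|domain_name)
      clean=$(sanitize_name "$value")
      if [ "$clean" != "$value" ]; then
        echo "reject $name: characters outside hostname alphabet" >&2
        return 1
      fi
      ;;
    *)
      echo "reject $name: option not in export allowlist" >&2
      return 1
      ;;
  esac
  return 0
}

# Constructed sample option values (not captured traffic). Running this file
# directly prints one "export"/"dropped" line per sample.
for sample in \
  'host_name=printer-12.example.test' \
  'host_name=() { :;}; echo constructed-sample' \
  'domain_name=lab.example.test;id' \
  'ntp_servers=10.0.0.1'
do
  name=${sample%%=*}
  value=${sample#*=}
  if check_option "$name" "$value" 2>/dev/null; then
    echo "export $name=$value"
  else
    echo "dropped $name"
  fi
done
```

The point of the structure is that nothing server-controlled reaches `eval`, `export` or a command line until it has passed both the marker test and a per-option allowlist; upgrading bash remains the actual fix, as the advisory says, and a hook-level filter like this only narrows the exposure of an unpatched shell.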
End of dhcp-users Digest, Vol 71, Issue 17