Popular open source DHCP program open to hack attacks
Beware of rogue meta-characters
The makers of the internet's most popular open source DHCP program have warned that it's vulnerable to hacks that allow attackers to remotely execute malicious code on underlying machines.
The flaw, which is present in Internet Systems Consortium's DHCP versions prior to 3.1-ESV-R1, 4.1-ESV-R2, and 4.2.1-P1, stems from the program's failure to block commands that contain certain meta-characters. The vulnerability makes it possible for rogue servers on a targeted network to remotely execute malicious code on the client, the non-profit ISC warned on Tuesday.
ISC advises users to upgrade. Users can in some cases follow workarounds, which include disabling hostname updates or configuring their systems to access only legitimate DHCP servers in settings where access control lists are in place.
Short for Dynamic Host Configuration Protocol, DHCP is a system for automatically assigning computers IP addresses on a given network and helping administrators to keep track of those assignments. ISC says its DHCP program is the most widely used open source DHCP implementation on the Internet.
Sophos has more about the vulnerability here. ®
Minor point of advocacy order.
Yes, dnsmasq does two things, neither of them very well. It's more useful than the canned stuff you get in "stock" "home router" type devices. It does the baseline stuff nicely, and if that's all you want to do it's peachy fine. As soon as you want to do just about anything at all more, you're SOL. So it's sadly not nearly useful enough for me. As mundane as ISC's code is, it is amazingly versatile, both their DNS and DHCP implementations. No need to slag it for that.
But anyway, this flaw is in the client, not the server, so the discussion oughtn't arise. The real question is whether you trust your network; if there's a possibility it might host rogue servers (that almost by definition the admin _didn't_ put there, so it's a question of what sort of other people have access) you need to update the ISC DHCP _clients_ on it. So that probably starts with your laptop.
Wonder if any home routers effected
I wonder how many how routers are effected, suppose its one way to find out if there fully open source complient or if they snuck the code in there and said nothing.
But it's always the case, if i was on a totaly secure computer then you wouldn't be reading this now.
Titles are for fools
I know what you mean, many readers here have to deal with students who want to do the same thing, I've even seen a BThomehub plugged in because the user thought that they needed it to get the internet.