NetBSD Security Advisory 2009-011: ISC DHCP server Denial of Service vulnerability

[NetBSD Security Officer <security-officer%NetBSD.org@localhost>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2009-011
                 =================================

Topic:          ISC DHCP server Denial of Service vulnerability

Version:        NetBSD-current:         affected prior to 2009-07-16
                NetBSD 5.0:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected
                pkgsrc:                 isc-dhcpd package prior to 3.1.1p1

Severity:       Denial of Service

Fixed:          NetBSD-current:         Jul 16, 2009
                NetBSD-5-0 branch:      Jul 17, 2009
                NetBSD-5 branch:        Jul 17, 2009
                NetBSD-4-0 branch:      Jul 17, 2009
                NetBSD-4 branch:        Jul 17, 2009
                pkgsrc 2009Q2:          isc-dhcpd-3.1.1p1 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A reference counting error in dhcpd allows a remote attacker to cause
a daemon crash by submitting requests with the same client ID on
different interfaces served by the same daemon.

This vulnerability has been assigned CVE-2009-1892.


Technical Details
=================

A reference counting error in dhcpd allows a remote attacker to cause
a daemon crash by submitting requests with the same client ID on
different interfaces served by the same daemon.

This requires that client ID based configurations are mixed in the
configuration file with hardware address based configurations.


Solutions and Workarounds
=========================

In order to fix the vulnerability on your local machine, either
make sure that only client-id based statements or hardware ethernet
statements are used, or upgrade to a non-vulnerable version of
dhcpd.

The following instructions describe how to upgrade your dhcpd
binaries by updating your source tree and rebuilding and
installing a new version of dhcpd.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2009-07-16
        should be upgraded to NetBSD-current dated 2009-07-17 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                dist/dhcp/server

        To update from CVS, re-build, and re-install lorem:
                # cd src
                # cvs update -d -P dist/dhcp/server
                # cd usr.sbin/dhcp
                # make USETOOLS=no cleandir dependall
                # cd server
                # make USETOOLS=no install

* NetBSD 5.*:

        Systems running NetBSD 5.* sources dated from before
        2009-07-17 should be upgraded from NetBSD 5.* sources dated
        2009-07-18 or later.

        The following files/directories need to be updated from the
        netbsd-5 or netbsd-5-0 branches:
                dist/dhcp/server

        To update from CVS, re-build, and re-install dhcpd:

                # cd src
                # cvs update -r <branch_name> -d -P dist/dhcp/server
                # cd usr.sbin/dhcp
                # make USETOOLS=no cleandir dependall
                # cd server
                # make USETOOLS=no install

* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before
        2009-07-17 should be upgraded from NetBSD 4.* sources dated
        2009-07-18 or later.

        The following files/directories need to be updated from the
        netbsd-4 or netbsd-4-0 branches:
                dist/dhcp/server

        To update from CVS, re-build, and re-install dhcpd:

                # cd src
                # cvs update -r <branch_name> -d -P dist/dhcp/server
                # cd usr.sbin/dhcp
                # make USETOOLS=no cleandir dependall
                # cd server
                # make USETOOLS=no install


Thanks To
=========

Christoph Biedl for discovering and reporting the issue, and Florian
Weimer for the fix.


Revision History
================

        2009-07-28      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-011.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-011.txt,v 1.1 2009/07/28 18:29:29 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKb0iQAAoJEAZJc6xMSnBujKAP/14r5KM5VfyEfsLgrId7XiKY
Ms28lQ5i7gUI+0hfNPh7QbADIGCim0Gdn3XVybgVNWZcFWNOQWwQfRu+/2Zv9JeG
SLBUp+xJ7eqWxM66oZYvPK4csB18L/qZSWouHdDxA1z64+S8Qsn9pz6Y1hih/eoh
b1WWa9ZcE/7JxYINVCH4RKQIn7TRPWqLex1MWf3jGJafAH3XRpgfCWUbgkTB4CTU
xNahopXzt3Xpdmd8j9kRPzLnP7UEUOwQapcQAJ88tlMISNh5zbRuuxWHJGDwxM3l
pBm65TvItT2N+D2Z/4CkduK8Z1U7nM0pXR/amJOrrotK0kllLMhH+sYZ5lROLx8R
DFHuaDYxPQ0xOySVRc3rnPguatm27TB/BgSiFC/vEU030OXB90dboTDsnQhRn0WI
5jAfC1iKzq/fN6rMsKKaZ718En5lLV8Qcew29IGJUMS8vC5+PZ3yDHOSVXZiFjp0
r8RZj1EucuzJKYT5veqZ2SSSK14elvczclpyBir+GyhEuh9RLS71k/Td9DlsPrMR
XhE3V3/ygyQcBZJ69xn0QGlXHInMPc1aRNDxObg+511i8ugvpb6V71VFQOeF81/7
M7qqAl2W3ojMzHTISXUHRSICB3dyJ8jy9y9GFRpw6UkvUyskuGttYYhA85EuPexi
WVkLaq9xsgfSYqB9+71X
=PW6s
-----END PGP SIGNATURE-----