OpenBSD closes vulnerability in DHCP server
Security service provider Core Security has reported the discovery of a vulnerability in the OpenBSD DHCP server (dhcpd). Attackers could cause the service to crash in local networks by means of specially crafted DHCP requests A buffer overflow occurs in the function cons_options in src/usr.sbin/dhcpd/options.c when handling of improper values for the maximum message size.
One of the results is that clients are no longer automatically assigned a new IP address. Core Security says that the flaw cannot be exploited to inject code. A similar flaw was also recently reported in the DHCP server used by VMware. According to the security advisory, the implementation in VMware is also based on that in OpenBSD. OpenBSD versions 4.0, 4.1, and 4.2 are affected. A patch has been released to remedy the problem.
- OpenBSD 4.0 release errata & patch list, overview at OpenBSD
- Stack-based buffer overflow vulnerability in OpenBSD?s DHCP server, security advisory at Core Security
(mba)