|
|
Log in / Subscribe / Register

dhcp3 - ignored counter boundary

Package(s):dhcp3 CVE #(s):CAN-2003-0039
Created:January 28, 2003 Updated:April 5, 2003
Description: Florian Lohoff discovered a bug in the dhcrelay causing it to send a continuing packet storm towards the configured DHCP server(s) in case of a malicious BOOTP packet, such as sent from buggy Cisco switches.

When the dhcp-relay receives a BOOTP request it forwards the request to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff which causes the network interface to reflect the packet back into the socket. To prevent loops the dhcrelay checks whether the relay-address is its own, in which case the packet would be dropped. In combination with a missing upper boundary for the hop counter an attacker can force the dhcp-relay to send a continuing packet storm towards the configured dhcp server(s).

This patch introduces a new commandline switch ``-c maxcount'' and people are advised to start the dhcp-relay with ``dhcrelay -c 10'' or a smaller number, which will only create that many packets.

The dhcrelay program from the ``dhcp'' package does not seem to be affected since DHCP packets are dropped if they were apparently relayed already.

Alerts:
Conectiva CLA-2003:616 dhcp 2003-04-04
Red Hat RHSA-2003:034-01 dhcp 2003-03-31
OpenPKG OpenPKG-SA-2003.012 dhcpd 2003-02-19
Debian DSA-245-1 dhcp3 2003-01-28
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds