Linux vendors have begun releasing fixes for two critical security bugs in a networking component that could allow a denial-of-service attack or enable an attacker to take control of a system.
The problem is with the Internet Systems Consortium's Dynamic Host Configuration Protocol (DHCP) 3 application, shipped with many Linux and Unix operating system distributions as a tool for transmitting configuration information across a network. Researchers discovered two flaws in the application that could allow a malicious user to crash systems running the DHCP Daemon, and possibly also to execute code with the privileges of the daemon process, which is typically root - the highest level of access.
The bugs mean that many Unix and Linux systems will be vulnerable at least to a denial-of-service attack, and possibly to more serious threats, researchers said. However, security firm Secunia said that in most cases only users on the local network will be able to exploit the bugs.
Only two versions of DHCP 3 are believed to be vulnerable, specifically version 3.0.1, release candidates (rc) 12 and 13. Earlier versions don't include the vulnerable code, and rc14 eliminates the problem, according to researchers at the US' Department of Homeland Security. "All versions of ISC DCHP 3, including all snapshots, betas, and release candidates, contain the flawed code," said Jason Rafail, researcher at the United States Computer Emergency Readiness Team (US-CERT), part of Homeland Security, in an advisory. "However, versions other than ISC DHCP 3.0.1rc12 and ISC DHCP 3.0.1rc13 discard all but the last hostname option provided by the client, so it is not believed that these versions are exploitable."
US-CERT is tracking the progress of the vulnerability here.
Both bugs involve buffer overflows; the first, involving the way log lines are stored, can be exploited on any operating system, while the second, involving the vsnprintf() function, is only exploitable on a more limited range of systems including AIX, HP-UX and Linux, according to US-CERT's advisory. Linux vendors including Suse and MandrakeSoft have released patches fixing the versions of DHCP 3 included in their distributions.
Security problems aren't new to DHCP. In January of 2003, a version of ISC's DHCP 3 included in Red Hat and Suse Linux distributions was found to allow remote users to take control of systems. In December of last year Apple fixed a bug in Mac OS X's implementation of DHCP which could have allowed full access by a remote or local user.
As Linux continues to grow in popularity and market share, security researchers and potential attackers are increasing their scrutiny on the operating system's underlying code, with the result that more problems are inevitably coming to light, say industry observers. Microsoft has attempted to exploit this fact by showing open-source vendors' security efforts in an unfavourable light. This effort has been assisted by research such as Forrester Research's controversial "days of risk" study, which concluded that Linux vendors had on average taken longer than Microsoft to release patches - a conclusion hotly disputed by Linux companies.
Last week researchers warned of a flaw in the Linux kernel allowed a 20-line C program to crash most distributions using the 2.4 and 2.6 kernels running on x86 and x86-64 architectures, according to security researchers.
Recently Linux vendors were forced to distribute patches for a critical flaw in CVS, a widely used program for collaborating on software development, that could have allowed a malicious user unauthorised access to development code. The flaw found by E-Matters allows a user to exploit a "heap overflow" that could allow them to execute arbitrary code on the CVS server, according to Stefan Esser, chief security and technology officer at E-Matters.
Following the discovery of this bug, researchers decided to have a closer look at the CVS source code and discovered at least six more flaws, including one that could allow an attacker to take control of CVS from the Internet. The new flaws were recently announced publicly and several distributors have now released fixes.