Bug 6872 - dhcp new security issues CVE-2012-3570, CVE-2012-3571, and CVE-2012-3954
Summary: dhcp new security issues CVE-2012-3570, CVE-2012-3571, and CVE-2012-3954
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/508291/
Whiteboard: MGA1TOO MGA2-32-OK MGA2-64-OK MGA1-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-07-26 18:20 CEST by David Walser
Modified: 2012-09-07 20:12 CEST

See Also:
Source RPM: dhcp
CVE:
Status comment:



Description David Walser 2012-07-26 18:20:42 CEST
Mandriva has issued an advisory today (July 26):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:115

Mageia 1 and Mageia 2 are also affected.

Mandriva fixed it by updating to 4.2.4-P1, which fixes these issues.
David Walser 2012-07-26 18:20:54 CEST

CC: (none) => anssi.hannula

David Walser 2012-07-26 18:21:43 CEST

CC: (none) => pterjan

David Walser 2012-07-26 18:21:59 CEST

CC: (none) => thierry.vignaud

David Walser 2012-07-26 18:22:15 CEST

CC: (none) => dmorganec

David Walser 2012-07-26 18:22:35 CEST

CC: (none) => guillomovitch

Comment 1 David Walser 2012-07-26 22:55:37 CEST
Debian and Ubuntu have also issued advisories for this today:
http://lwn.net/Alerts/508283/
http://www.ubuntu.com/usn/usn-1519-1/

URL: (none) => http://lwn.net/Vulnerabilities/508291/

Comment 2 David Walser 2012-07-31 15:38:28 CEST
Fixed in Cauldron by Guillaume Rousse.

Version: Cauldron => 2
Whiteboard: (none) => MGA1TOO

David Walser 2012-08-02 23:36:36 CEST

Severity: normal => major

Comment 3 David Walser 2012-09-05 20:56:54 CEST
Updated package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated dhcp packages fix security vulnerabilities:

An unexpected client identifier parameter can cause the ISC DHCP
daemon to segmentation fault when running in DHCPv6 mode, resulting
in a denial of service to further client requests. In order to exploit
this condition, an attacker must be able to send requests to the DHCP
server (CVE-2012-3570).

An error in the handling of malformed client identifiers can cause
a DHCP server running affected versions (see Impact) to enter a
state where further client requests are not processed and the server
process loops endlessly, consuming all available CPU cycles. Under
normal circumstances this condition should not be triggered, but a
non-conforming or malicious client could deliberately trigger it in
a vulnerable server. In order to exploit this condition an attacker
must be able to send requests to the DHCP server (CVE-2012-3571).

Two memory leaks have been found and fixed in ISC DHCP. Both are
reproducible when running in DHCPv6 mode (with the -6 command-line
argument.) The first leak is confirmed to only affect servers
operating in DHCPv6 mode, but based on initial code analysis the
second may theoretically affect DHCPv4 servers (though this has not
been demonstrated.) (CVE-2012-3954).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3954
https://kb.isc.org/article/AA-00714
https://kb.isc.org/article/AA-00712
https://kb.isc.org/article/AA-00737
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:115
========================

Updated packages in core/updates_testing:
========================
dhcp-common-4.2.4-0.P1.1.mga1
dhcp-doc-4.2.4-0.P1.1.mga1
dhcp-server-4.2.4-0.P1.1.mga1
dhcp-client-4.2.4-0.P1.1.mga1
dhcp-relay-4.2.4-0.P1.1.mga1
dhcp-devel-4.2.4-0.P1.1.mga1
dhcp-common-4.2.4P1-1.1.mga2
dhcp-doc-4.2.4P1-1.1.mga2
dhcp-server-4.2.4P1-1.1.mga2
dhcp-client-4.2.4P1-1.1.mga2
dhcp-relay-4.2.4P1-1.1.mga2
dhcp-devel-4.2.4P1-1.1.mga2

from SRPMS:
dhcp-4.2.4-0.P1.1.mga1.src.rpm
dhcp-4.2.4P1-1.1.mga2.src.rpm

Assignee: bugsquad => qa-bugs
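
Added example (not part of the bug report or of any Mageia tooling): a check that flags dhcp packages older than the fixed builds listed in comment 3. It assumes input in name-version-release form without an arch suffix, as produced by rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n', and an unchanged epoch; the pre-fix builds in SAMPLE are constructed.

```python
import re

# Fixed builds from the update list above: release tag -> (version, release).
FIXED = {"mga1": ("4.2.4", "0.P1.1.mga1"), "mga2": ("4.2.4P1", "1.1.mga2")}
PACKAGES = {"dhcp-common", "dhcp-doc", "dhcp-server",
            "dhcp-client", "dhcp-relay", "dhcp-devel"}

def rpmvercmp(a, b):
    """Simplified RPM ordering: compare digit/letter runs left to right.
    Tilde and caret handling is omitted (not needed for these builds)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats a letter run
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared runs equal: the string with runs left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(nvr):
    """True if a name-version-release string is at or past the fixed build."""
    _, version, release = nvr.rsplit("-", 2)
    fixed_version, fixed_release = FIXED[release.rsplit(".", 1)[-1]]
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order >= 0

def unfixed(installed):
    """Return the dhcp packages in the listing that predate the fix."""
    return [nvr for nvr in installed
            if nvr.rsplit("-", 2)[0] in PACKAGES and not is_fixed(nvr)]

# Constructed sample listing (not taken from a real host).
SAMPLE = [
    "dhcp-common-4.2.4P1-1.1.mga2",
    "dhcp-server-4.2.4P1-1.1.mga2",
    "dhcp-client-4.2.4-1.mga2",      # constructed pre-fix build
    "dhcp-server-4.2.3-2.mga1",      # constructed pre-fix build
    "dhcp-relay-4.2.4-0.P1.1.mga1",
    "bash-4.2-1.mga2",               # unrelated package, ignored
]

if __name__ == "__main__":
    for nvr in unfixed(SAMPLE):
        print("needs update:", nvr)
```

The two releases use different version schemes (4.2.4 with release 0.P1.1 on Mageia 1, 4.2.4P1 with release 1.1 on Mageia 2), so each is compared against its own fixed build.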

Comment 4 Dave Hodgins 2012-09-06 19:57:12 CEST
I'll be testing the server and client on both arches/releases
shortly.

CC: (none) => davidwhodgins

Comment 5 Eduard Beliaev 2012-09-06 20:39:24 CEST
Works ok on Mageia 2 x86/i586.

Tested:
dhcp-client-4.2.4P1-1.1.mga2
dhcp-common-4.2.4P1-1.1.mga2
dhcp-doc-4.2.4P1-1.1.mga2

CC: (none) => ed_rus099

Comment 6 Dave Hodgins 2012-09-06 20:51:33 CEST
Testing complete on Mageia 1 and 2, i586 and x86-64.

For testing the server, I turned off the dhcp server in
my router.  With the dhcp-server configured in a vb
guest, used a Mageia 3 vb install, to test that the
dhcp server is working.  Repeated for all 4 Mageia 1
and 2 vb guests.

For testing the client, turned on the dhcp server in
my router, changed all 4 Mageia 1 and 2 vb guests to
use Automatic settings, instead of manual, and ensured
network restart assigned ip addresses in the correct
range.

Could someone from the sysadmin team push the srpm
dhcp-4.2.4P1-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
dhcp-4.2.4-0.P1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated dhcp packages fix security vulnerabilities:

An unexpected client identifier parameter can cause the ISC DHCP
daemon to segmentation fault when running in DHCPv6 mode, resulting
in a denial of service to further client requests. In order to exploit
this condition, an attacker must be able to send requests to the DHCP
server (CVE-2012-3570).

An error in the handling of malformed client identifiers can cause
a DHCP server running affected versions (see Impact) to enter a
state where further client requests are not processed and the server
process loops endlessly, consuming all available CPU cycles. Under
normal circumstances this condition should not be triggered, but a
non-conforming or malicious client could deliberately trigger it in
a vulnerable server. In order to exploit this condition an attacker
must be able to send requests to the DHCP server (CVE-2012-3571).

Two memory leaks have been found and fixed in ISC DHCP. Both are
reproducible when running in DHCPv6 mode (with the -6 command-line
argument.) The first leak is confirmed to only affect servers
operating in DHCPv6 mode, but based on initial code analysis the
second may theoretically affect DHCPv4 servers (though this has not
been demonstrated.) (CVE-2012-3954).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3954
https://kb.isc.org/article/AA-00714
https://kb.isc.org/article/AA-00712
https://kb.isc.org/article/AA-00737
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:115

https://bugs.mageia.org/show_bug.cgi?id=6872

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO => MGA1TOO MGA2-32-OK MGA2-64-OK MGA1-32-OK MGA1-64-OK

Comment 7 Thomas Backlund 2012-09-07 20:12:13 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0256

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

