Bug 6872 - dhcp new security issues CVE-2012-3570, CVE-2012-3571, and CVE-2012-3954
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/508291/
Whiteboard: MGA1TOO MGA2-32-OK MGA2-64-OK MGA1-32...
Keywords: validated_update
Reported: 2012-07-26 18:20 CEST by David Walser
Modified: 2012-09-07 20:12 CEST
Source RPM: dhcp

Description David Walser 2012-07-26 18:20:42 CEST
Mandriva has issued an advisory today (July 26):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:115

Mageia 1 and Mageia 2 are also affected.

Mandriva fixed it by updating to 4.2.4-P1, which fixes these issues.
Comment 1 David Walser 2012-07-26 22:55:37 CEST
Debian and Ubuntu have also issued advisories for this today:
http://lwn.net/Alerts/508283/
http://www.ubuntu.com/usn/usn-1519-1/
Comment 2 David Walser 2012-07-31 15:38:28 CEST
Fixed in Cauldron by Guillaume Rousse.
Comment 3 David Walser 2012-09-05 20:56:54 CEST
Updated package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated dhcp packages fix security vulnerabilities:

An unexpected client identifier parameter can cause the ISC DHCP
daemon to segmentation fault when running in DHCPv6 mode, resulting
in a denial of service to further client requests. In order to exploit
this condition, an attacker must be able to send requests to the DHCP
server (CVE-2012-3570).

An error in the handling of malformed client identifiers can cause
a DHCP server running affected versions (see Impact) to enter a
state where further client requests are not processed and the server
process loops endlessly, consuming all available CPU cycles. Under
normal circumstances this condition should not be triggered, but a
non-conforming or malicious client could deliberately trigger it in
a vulnerable server. In order to exploit this condition an attacker
must be able to send requests to the DHCP server (CVE-2012-3571).

Two memory leaks have been found and fixed in ISC DHCP. Both are
reproducible when running in DHCPv6 mode (with the -6 command-line
argument.) The first leak is confirmed to only affect servers
operating in DHCPv6 mode, but based on initial code analysis the
second may theoretically affect DHCPv4 servers (though this has not
been demonstrated.) (CVE-2012-3954).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3954
https://kb.isc.org/article/AA-00714
https://kb.isc.org/article/AA-00712
https://kb.isc.org/article/AA-00737
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:115
========================

Updated packages in core/updates_testing:
========================
dhcp-common-4.2.4-0.P1.1.mga1
dhcp-doc-4.2.4-0.P1.1.mga1
dhcp-server-4.2.4-0.P1.1.mga1
dhcp-client-4.2.4-0.P1.1.mga1
dhcp-relay-4.2.4-0.P1.1.mga1
dhcp-devel-4.2.4-0.P1.1.mga1
dhcp-common-4.2.4P1-1.1.mga2
dhcp-doc-4.2.4P1-1.1.mga2
dhcp-server-4.2.4P1-1.1.mga2
dhcp-client-4.2.4P1-1.1.mga2
dhcp-relay-4.2.4P1-1.1.mga2
dhcp-devel-4.2.4P1-1.1.mga2

from SRPMS:
dhcp-4.2.4-0.P1.1.mga1.src.rpm
dhcp-4.2.4P1-1.1.mga2.src.rpm
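
An added example, not part of the original report or of the Mageia tooling: a check that an installed dhcp package is at or above the fixed builds listed above, using rpm's segment-wise version ordering. It assumes name-version-release strings without an architecture suffix and equal epochs; `FIXED`, `has_fix` and the sample inventory are constructed for illustration.

```python
import re

# Fixed builds from the update above: release tag -> (version, release).
FIXED = {
    "mga1": ("4.2.4", "0.P1.1.mga1"),
    "mga2": ("4.2.4P1", "1.1.mga2"),
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 following rpm's segment rules (no '~' or '^' support)."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is newer than alphabetic
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def has_fix(nvr):
    """True if a name-version-release string is at or above the fixed build."""
    name, version, release = nvr.rsplit("-", 2)
    dist = release.rsplit(".", 1)[-1]
    if dist not in FIXED:
        raise ValueError("no fixed build listed for %r" % dist)
    fixed_version, fixed_release = FIXED[dist]
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order >= 0


# Constructed sample inventory; only the first two builds appear in this report.
SAMPLE = [
    "dhcp-server-4.2.4P1-1.1.mga2",
    "dhcp-client-4.2.4-0.P1.1.mga1",
    "dhcp-server-4.2.4P1-1.mga2",
    "dhcp-server-4.2.3P2-1.mga1",
]

if __name__ == "__main__":
    for nvr in SAMPLE:
        print("%-32s %s" % (nvr, "fixed" if has_fix(nvr) else "NEEDS UPDATE"))
```

Under these rules `4.2.4` sorts below `4.2.4P1`, so the two releases cannot be compared against a single version string and each is checked against its own fixed build.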
Comment 4 Dave Hodgins 2012-09-06 19:57:12 CEST
I'll be testing the server and client on both arches/releases
shortly.
Comment 5 Eduard Beliaev 2012-09-06 20:39:24 CEST
Works ok on Mageia 2 x86/i586.

Tested:
dhcp-client-4.2.4P1-1.1.mga2
dhcp-common-4.2.4P1-1.1.mga2
dhcp-doc-4.2.4P1-1.1.mga2
Comment 6 Dave Hodgins 2012-09-06 20:51:33 CEST
Testing complete on Mageia 1 and 2, i586 and x86-64.

For testing the server, I turned off the dhcp server in
my router.  With the dhcp-server configured in a vb
guest, used a Mageia 3 vb install, to test that the
dhcp server is working.  Repeated for all 4 Mageia 1
and 2 vb guests.

For testing the client, turned on the dhcp server in
my router, changed all 4 Mageia 1 and 2 vb guests to
use Automatic settings, instead of manual, and ensured
network restart assigned ip addresses in the correct
range.

Could someone from the sysadmin team push the srpm
dhcp-4.2.4P1-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
dhcp-4.2.4-0.P1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates?

Advisory: Updated dhcp packages fix security vulnerabilities:

An unexpected client identifier parameter can cause the ISC DHCP
daemon to segmentation fault when running in DHCPv6 mode, resulting
in a denial of service to further client requests. In order to exploit
this condition, an attacker must be able to send requests to the DHCP
server (CVE-2012-3570).

An error in the handling of malformed client identifiers can cause
a DHCP server running affected versions (see Impact) to enter a
state where further client requests are not processed and the server
process loops endlessly, consuming all available CPU cycles. Under
normal circumstances this condition should not be triggered, but a
non-conforming or malicious client could deliberately trigger it in
a vulnerable server. In order to exploit this condition an attacker
must be able to send requests to the DHCP server (CVE-2012-3571).

Two memory leaks have been found and fixed in ISC DHCP. Both are
reproducible when running in DHCPv6 mode (with the -6 command-line
argument.) The first leak is confirmed to only affect servers
operating in DHCPv6 mode, but based on initial code analysis the
second may theoretically affect DHCPv4 servers (though this has not
been demonstrated.) (CVE-2012-3954).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3954
https://kb.isc.org/article/AA-00714
https://kb.isc.org/article/AA-00712
https://kb.isc.org/article/AA-00737
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:115

https://bugs.mageia.org/show_bug.cgi?id=6872
Comment 7 Thomas Backlund 2012-09-07 20:12:13 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0256
