OpenBSD Journal

Security Fix: Malicious DHCP clients could cause dhcpd(8) to corrupt its stack

Contributed by merdely on from the dynamically-dynamic dept.

Patches are available for OpenBSD 4.1 (errata, patch) and OpenBSD 4.0 (errata, patch) that address a possible dhcpd(8) stack corruption. This vulnerability affects all architectures.

From krw@'s commit to -current (and ckuethe@'s commits to OPENBSD_4_1 and OPENBSD_4_0):

"Minimum IP MTU" means what it says. Ensure that packets returned by
dhcpd are the minimum size or larger no matter what the client thinks
the minimum allowable size is. Found by Nahuel Riva and Gera Richarte.
Fix by millert@.

If you're using the stock dhcpd(8) server, update your systems.

Edit: A patch is also available for OpenBSD 4.2 (errata, patch).
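
The commit message above describes a lower bound on reply size. The following C code is an added example, not the dhcpd source or the errata patch: it assumes the client's claim arrives in the RFC 2132 Maximum DHCP Message Size option (code 57, minimum legal value 576), and all function names, the overhead constant and the sample option bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define OPT_PAD            0
#define OPT_MAX_MSG_SIZE  57   /* RFC 2132: Maximum DHCP Message Size */
#define OPT_END          255
#define MIN_IP_MTU       576   /* smallest legal value for option 57 */
#define FIXED_OVERHEAD   268   /* 20 IP + 8 UDP + 236 BOOTP + 4 magic cookie */

/* Walk the client's option TLVs; return 1 and set *out if option 57 is present. */
static int client_max_msg_size(const uint8_t *opt, size_t len, uint16_t *out) {
    size_t i = 0;
    while (i < len && opt[i] != OPT_END) {
        if (opt[i] == OPT_PAD) { i++; continue; }
        if (i + 2 > len || i + 2 + opt[i + 1] > len) return 0; /* truncated */
        if (opt[i] == OPT_MAX_MSG_SIZE && opt[i + 1] == 2) {
            *out = (uint16_t)((opt[i + 2] << 8) | opt[i + 3]);
            return 1;
        }
        i += 2 + (size_t)opt[i + 1];
    }
    return 0;
}

/* No lower bound: the client's value is trusted, so small values go negative. */
static long option_space_unchecked(const uint8_t *opt, size_t len) {
    uint16_t mms = MIN_IP_MTU;               /* default when option 57 is absent */
    client_max_msg_size(opt, len, &mms);
    return (long)mms - FIXED_OVERHEAD;
}

/* Lower bound enforced: the reply is sized for at least the minimum IP MTU. */
static size_t option_space_clamped(const uint8_t *opt, size_t len) {
    uint16_t mms = MIN_IP_MTU;
    if (client_max_msg_size(opt, len, &mms) && mms < MIN_IP_MTU)
        mms = MIN_IP_MTU;                    /* ignore the client's smaller claim */
    return (size_t)mms - FIXED_OVERHEAD;
}

/* Constructed option fields, not captured traffic: option 57 claims 32 and 1500. */
static const uint8_t opts_tiny[]   = { 53, 1, 1, 57, 2, 0x00, 0x20, 255 };
static const uint8_t opts_normal[] = { 53, 1, 1, 57, 2, 0x05, 0xDC, 255 };

int main(void) {
    printf("tiny: unchecked=%ld clamped=%zu; normal: clamped=%zu\n",
        option_space_unchecked(opts_tiny, sizeof opts_tiny),
        option_space_clamped(opts_tiny, sizeof opts_tiny),
        option_space_clamped(opts_normal, sizeof opts_normal));
    return 0;
}
```

A negative result from the unchecked variable, once used as a buffer length or copy size, is the kind of value that leads to memory corruption; the clamped variant never yields less than the option space of a 576-byte datagram.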



Comments
  1. By Brynet (Brynet) on

    OpenBSD 4.2 was also affected by this. Shouldn't it be noted?

    Comments
    1. By Anonymous Coward (85.178.110.179) on

      > OpenBSD 4.2 was also affected by this. Shouldn't it be noted?

      Then you would have to add an OpenSSL Patch I'm still waiting for (to get included even! It's in the tree just not for us :D ) and other things (like the little corruption with the nic of this vendor I can't remember.. should also get included into 4.2).

    2. By Brad (2001:4830:122b:3:216:41ff:fe17:6933) brad at comstyle dot com on

      > OpenBSD 4.2 was also affected by this. Shouldn't it be noted?

      This is the same god damn thing that happens every release! 4.2 hasn't been released yet!

      Comments
      1. By Anonymous Coward (216.9.200.69) on

        > > OpenBSD 4.2 was also affected by this. Shouldn't it be noted?
        >
        > This is the same god damn thing that happens every release! 4.2 hasn't been released yet!

        Amen to that.

        For the impatient, note that it does appear on the as-yet-nonexistent-but-there-anyway http://www.openbsd.org/errata42.html

      2. By Anonymous Coward (85.178.110.179) on

        > > OpenBSD 4.2 was also affected by this. Shouldn't it be noted?
        >
        > This is the same god damn thing that happens every release! 4.2 hasn't been released yet!

        Bullshit...
        The people with preorders have maybe set up a Firewall or a Server with 4.2 already!

        Sure for the whole "public" it isn't released but what's wrong about committing patches to the CVS?

        Stop bitching about that.. thanks!
        You've to add the Patches for OpenSSL.
        And.. do BufferOverflows in CWM count as "bug"?

        Comments
        1. By Anonymous Coward (38.99.3.113) on

          > > > OpenBSD 4.2 was also affected by this. Shouldn't it be noted?
          > >
          > > This is the same god damn thing that happens every release! 4.2 hasn't been released yet!
          >
          > Bullshit...
          > The people with preorders have maybe set up a Firewall or a Server with 4.2 already!

          and they should know that the patches come out later, EVERY SINGLE RELEASE.

          Comments
          1. By Anonymous Coward (85.178.73.113) on

            > > > > OpenBSD 4.2 was also affected by this. Shouldn't it be noted?
            > > >
            > > > This is the same god damn thing that happens every release! 4.2 hasn't been released yet!
            > >
            > > Bullshit...
            > > The people with preorders have maybe set up a Firewall or a Server with 4.2 already!
            >
            > and they should know that the patches come out later, EVERY SINGLE RELEASE.

            And YOU got your 4.1,4.0 and 3.9 WITHOUT OpenSSL or what?
            It was not the point to talk about 4.2 only. Please notice that!
            The Bug affects also other OpenBSD versions.

            Comments
            1. By tedu (204.14.154.69) on

              > > > > > OpenBSD 4.2 was also affected by this. Shouldn't it be noted?
              > > > >
              > > > > This is the same god damn thing that happens every release! 4.2 hasn't been released yet!
              > > >
              > > > Bullshit...
              > > > The people with preorders have maybe set up a Firewall or a Server with 4.2 already!
              > >
              > > and they should know that the patches come out later, EVERY SINGLE RELEASE.
              >
              > And YOU got your 4.1,4.0 and 3.9 WITHOUT OpenSSL or what?
              > It was not the point to talk about 4.2 only. Please notice that!
              > The Bug affects also other OpenBSD versions.

              what does openssl have to do with dhcpd?

              and so what if 4.1 is affected? there's a patch for 4.1.

        2. By Brad (2001:4830:122b:3:216:41ff:fe17:6933) brad at comstyle dot com on

          > > > OpenBSD 4.2 was also affected by this. Shouldn't it be noted?
          > >
          > > This is the same god damn thing that happens every release! 4.2 hasn't been released yet!
          >
          > Bullshit...

          No. The release is on Nov 1st.

          > The people with preorders have maybe set up a Firewall or a Server with 4.2 already!

          This is a PRE-ORDER. *BEFORE* the release.

          This is the risk you are taking.

          > Sure for the whole "public" it isn't released but what's wrong about committing patches to the CVS?

          This is the same process used for EVERY release. It won't change this release.

          > Stop bitching about that.. thanks!

          Get a clue.

          Comments
          1. By Anonymous Coward (24.22.214.92) on

            > This is a PRE-ORDER. *BEFORE* the release.
            >
            > This is the risk you are taking.

            So the CD-ROMs that people have received purposely contain an unreliable, unusable operating system, but they will magically switch to becoming a perfectly good operating system on November 1?

            The CDs are exactly the same whether you open them now or on Nov 1. There's no point arguing about it, people are going to use the software that they have received.

            Comments
            1. By Shane J Pearson (203.20.79.132) on

              > > This is a PRE-ORDER. *BEFORE* the release.
              > >
              > > This is the risk you are taking.
              >
              > So the CD-ROMs that people have received purposely contain an unreliable, unusable operating system, but they will magically switch to becoming a perfectly good operating system on November 1?
              >
              > The CDs are exactly the same whether you open them now or on Nov 1. There's no point arguing about it, people are going to use the software that they have received.

              I believe the risk Brad is talking about, is choosing to install a system before it becomes supported.

              So go ahead and install the instant you get your CDs, before the release date, but do it on a test system only. If you choose to update a production system to what is essentially unsupported software, then you're taking a risk.

              Comments
              1. By Anonymous Coward (85.178.73.113) on

                > > > This is a PRE-ORDER. *BEFORE* the release.
                > > >
                > > > This is the risk you are taking.
                > >
                > > So the CD-ROMs that people have received purposely contain an unreliable, unusable operating system, but they will magically switch to becoming a perfectly good operating system on November 1?
                > >
                > > The CDs are exactly the same whether you open them now or on Nov 1. There's no point arguing about it, people are going to use the software that they have received.
                >
                > I believe the risk Brad is talking about, is choosing to install a system before it becomes supported.
                >
                > So go ahead and install the instant you get your CDs, before the release date, but do it on a test system only. If you choose to update a production system to what is essentially unsupported software, then you're taking a risk.

                Even MS provides a better "support"....
                No matter what you may think about them: They made VISTA RTM and released patches before it got shipped.

                Please no jokes about MS now: Fact is: If a Patch is needed and available it shouldn't get delayed.

                And btw: Should we wait with Bug-Reports after Nov the 1st?!
                I don't share your point of view but I'm not gonna say "You're wrong".
                Well in some countries are october holidays so people may prefer to upgrade a Firewall or whatever in this time if they got a copy already (CD-Set). That's not really an issue about the "I will install a non supported OS" but about having the spare time to do so.

                So there are arguments for Installing OpenBSD even before November the first.

                That are just my 2 cents.

                Comments
                1. By Anonymous Coward (218.214.194.113) on


                  > Even MS provides a better "support"....
                  > No matter what you may think about them: They made VISTA RTM and released patches before it got shipped.
                  >
                  > Please no jokes about MS now: Fact is: If a Patch is needed and available it shouldn't get delayed.
                  >
                  > And btw: Should we wait with Bug-Reports after Nov the 1st?!
                  > I don't share your point of view but I'm not gonna say "You're wrong".
                  > Well in some countries are october holidays so people may prefer to upgrade a Firewall or whatever in this time if they got a copy already (CD-Set). That's not really an issue about the "I will install a non supported OS" but about having the spare time to do so.
                  >
                  > So there are arguments for Installing OpenBSD even before November the first.
                  >
                  > That are just my 2 cents.

                  And it's 2 cents too much.

                  Anybody who has the CDs has the source code. Anybody who has the source and the patch can compile the fix right now. Particularly seeing that it is a tiny patch on one executable (dhcpd).

                  That's no different now than post Nov 1.

                  Comments
                  1. By Old3n (192.6.19.202) on

                    > Anybody who has the CDs has the source code. Anybody who has the source and the patch can compile the fix right now.

                    ...except, you have to know about it, and realize that the problem impacts you as well.
                    When seeing an announcement (or a fix in CVS) that applies to 4.0 and 4.1 only, how many 4.2 CD owners are going to think they need to patch too?

                2. By sthen (85.158.44.149) on

                  > Please no jokes about MS now: Fact is: If a Patch is needed and available it shouldn't get delayed.

                  I don't think your research is detailed enough to decide if a patch is needed.

                3. By Anonymous Coward (64.81.82.25) on

                  > So there are arguments for Installing OpenBSD even before November the first.
                  >
                  > That are just my 2 cents.

                  You're overcharging by at least 3 cents.

        3. By sthen (85.158.44.149) on

          > > > OpenBSD 4.2 was also affected by this. Shouldn't it be noted?
          > >
          > > This is the same god damn thing that happens every release! 4.2 hasn't been released yet!
          >
          > The people with preorders have maybe set up a Firewall or a Server with 4.2 already!

          Firewall: wtf are untrusted users doing on it?
          Firewall/server: cwm - you're joking, right?

          > You've to add the Patches for OpenSSL.

          You didn't read Aciicmez/Schindler paper yet, did you? - try around pp 4.1. Show something running in a separate process (or better, in a separate process on a busy server) that can take advantage of this and you've got a good case for getting it in early.

      3. By Old3n (192.6.19.202) om_undeadly.org-07a (spiral-goes-here) olden.ch on

        > > OpenBSD 4.2 was also affected by this. Shouldn't it be noted?

        Definitely. Positively.

        > This is the same god damn thing that happens every release! 4.2 hasn't been released yet!

        Sorry, this doesn't make any sense. Brad, I don't know what you call a 'release', but most people would I'm sure agree that once software is pressed on CDs and *ships* in volume, it is effectively released.

        My CD pack was postmarked 28 Sept (BTW, great job on that, guys. Thanks!). It is labeled 4.2 and neither this nor the CDs content is not going to change by 1 Nov somehow.
        Should a security problem affecting this release become apparent, it is I think legitimate for potentially impacted users like myself to expect open communication about it. In particular, if an announcement is made about the issue because it affects previous releases, it is deceitful to withhold the fact it also affects the current, shipping release.

        Deliberately concealing or delaying security information like this could only be counter-productive and detrimental to the reputation of the project and possibly its developers.

    3. Comments
      1. By Brynet (Brynet) on

        > > OpenBSD 4.2 was also affected by this. Shouldn't it be noted?
        >
        > http://www.openbsd.org/errata42.html#001_dhcpd
        >
        > You were saying?

        That's why I posted... I noticed it when patching my 4.1 systems.

        What I meant was, shouldn't it be noticed in "this" announcement..

        > > OpenBSD 4.2 was also affected by this. Shouldn't it be noted?
        >
        > This is the same god damn thing that happens every release! 4.2 hasn't been released yet!

        There is no need to complain, shit happens... sane people should always follow -STABLE anyway.

        Comments
        1. By Anonymous Coward (85.178.110.179) on

          > > > OpenBSD 4.2 was also affected by this. Shouldn't it be noted?
          > >
          > > http://www.openbsd.org/errata42.html#001_dhcpd
          > >
          > > You were saying?
          >
          > That's why I posted... I noticed it when patching my 4.1 systems.
          >
          > What I meant was, shouldn't it be noticed in "this" announcement..
          >
          > > > OpenBSD 4.2 was also affected by this. Shouldn't it be noted?
          > >
          > > This is the same god damn thing that happens every release! 4.2 hasn't been released yet!
          >
          > There is no need to complain, shit happens... sane people should always follow -STABLE anyway.

          Well.. www.openbsd.org/plus.html

          These things are available in current but not for any other BSD (some may just affect 4.2)

          -> Fix in OpenSSL for CVE-2007-3108.
          http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3108

          -> Fix buffer overflow in cwm(1)

          Things which "may" would be nice:
          -> Update tht(4) microcode to SNIC 0xf. Fixes UDP reception issues.
          -> Fix ep(4) packet header initialization.

          So following stable is good advice but f.e. the OpenSSL Patch and the Patch for CWM are not included. The OpenSSL Patch may would be specially interesting for 3.9 users who may just can't update every year. But now the developers may come up with the argument "well 4.2 is out, good bye 3.9" even the Patch was available earlier.

          Comments
          1. By olli hauer (194.231.39.124) on

            > So following stable is good advice but f.e. the OpenSSL Patch and the Patch for CWM are not included. The OpenSSL Patch may would be specially interesting for 3.9 users who may just can't update every year. But now the developers may come up with the argument "well 4.2 is out, good bye 3.9" even the Patch was available earlier.

            I can understand you and also the developers but I think nobody really risk a view to the source!

            Just take a look to the cvsweb interface here and here and you will see it is even possible for you to backport this patch to OpenBSD 3.7 with minimal work
            So where is the problem?

            Something my trainees learn is:
             - if you think you found a bug look at the last development state
             - try to fix the bug and send patches or ask for a patch
             - if you miss a feature and it is useful implement it and send patches
              ...
