=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2011/VULN293
_____________________________________________________________________

DATE                      : 06/04/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running ISC DHCP versions 3.0.x up to 4.2.x
                              prior to 3.1-ESV-R1, 4.1-ESV-R2 or 4.2.1-P1.

======================================================================
https://www.isc.org/software/dhcp/advisories/cve-2011-0997
______________________________________________________________________

       Internet Systems Consortium Security Advisory

Title: dhclient does not strip or escape shell meta-characters

Summary:
dhclient doesn't strip or escape certain shell meta-characters in
dhcpd responses, allowing a rogue server or a party with escalated
privileges on the server to cause remote code execution on the client.

CVE: CVE-2011-0997
CERT: VU# 107886
Posting date: 5 Apr 2011 (Phased notification April 4)
Program Impacted: DHCP
Versions affected: 3.0.x-4.2.x
Severity: Medium
Exploitable: remotely

Description:

ISC dhclient did not strip or escape certain shell meta-characters in
responses from the dhcp server (like hostname) before passing the
responses on to dhclient-script. Depending on the script and OS, this
can result in execution of exploit code on the client.

CVSS Score: 6.8 (AV:A/AC:L/Au:N/C:P/I:N/A:C)

For more information on CVSS scores, visit
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Workarounds:

On SUSE systems, it is possible to disable hostname update by setting
DHCLIENT_SET_HOSTNAME="no" in /etc/sysconfig/network/dhcp.

Other systems may add the following line to dhclient-script at the
beginning of the set_hostname() function:

  new_host_name=${new_host_name//[^a-zA-Z0-9]/}
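The same workaround written out as a small script, added here as an illustration and not part of the ISC advisory or its dhclient-script. The advisory's `${var//[^a-zA-Z0-9]/}` is a bash-only expansion; this version uses tr so it also runs where dhclient-script is executed by a POSIX /bin/sh, and the hostname(1) call is replaced by echo so it can be run unprivileged.

```shell
#!/bin/sh
# Added example (not ISC code): the advisory's workaround as a reusable
# function, portable to POSIX sh (the advisory's ${var//[^a-zA-Z0-9]/}
# form needs bash).
sanitize_hostname() {
    # Keep only ASCII letters and digits. Everything else is dropped:
    # whitespace, quotes, ; | & $ ` ( ) and also the legitimate '-' and
    # '.' of a FQDN, so "web-01.example.org" becomes "web01exampleorg".
    printf '%s' "$1" | tr -cd 'a-zA-Z0-9'
}

# Hardened set_hostname as the workaround describes it: sanitize first,
# then apply only a non-empty result. echo stands in for the real
# `hostname "$new_host_name"` so the example runs without root.
set_hostname_safe() {
    new_host_name=$(sanitize_hostname "$1")
    if [ -n "$new_host_name" ]; then
        echo "$new_host_name"
    fi
}

# Constructed sample option-12 (host-name) values, as a DHCP server
# might return them to dhclient.
set_hostname_safe 'client-7; echo injected'   # prints: client7echoinjected
set_hostname_safe 'host.example.org'          # prints: hostexampleorg
set_hostname_safe ';;;'                       # prints nothing (empty after filtering)
```

Because the filter also removes '-' and '.', sites that rely on DHCP-assigned FQDNs should weigh this loss against upgrading to a fixed release.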

In environments where filters/ACLs can be put into place to limit clients
to accessing only legitimate DHCP servers, this will protect clients
from rogue DHCP servers deliberately trying to exploit this bug. However,
this will not protect against compromised legitimate servers.

Active exploits:

None known at this time.

Solution:

Upgrade to 3.1-ESV-R1, 4.1-ESV-R2 or 4.2.1-P1.

Acknowledgments:

Sebastian Krahmer and Marius Tomaschewski, SUSE Security Team

Revisions:
Mar 29 - Updated CVSS score

Questions regarding this advisory or ISC's Support services should be
sent to dhcp-bugs@isc.org


======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
