Security Release: DHCP 4.2.0-P2 is now available

Larissa Shapiro larissas at isc.org
Fri Dec 10 21:05:11 UTC 2010



	ISC DHCP 4.2-P2 is now available for download.

This is a SECURITY release of ISC DHCP 4.2, and fixes one security
related bug.  The security advisory is included below.

A list of the changes in this release has been appended to the end
of this message.  For a complete list of changes from any previous
release, please consult the RELNOTES file within the source
distribution, or on our website:

    http://www.isc.org/software/dhcp

This release and its OpenPGP signatures are available now from:

    ftp://ftp.isc.org/isc/dhcp/dhcp-4.2.0-P2.tar.gz
    ftp://ftp.isc.org/isc/dhcp/dhcp-4.2.0-P2.tar.gz.sha512.asc
    ftp://ftp.isc.org/isc/dhcp/dhcp-4.2.0-P2.tar.gz.sha256.asc
    ftp://ftp.isc.org/isc/dhcp/dhcp-4.2.0-P2.tar.gz.sha1.asc

ISC's Release Signing Key can be obtained at:

    http://www.isc.org/about/openpgp/


                       Changes since 4.2.0-P1

! Fix the handling of connection requests on the failover port.
  Previously a connection request from a source that wasn't
  listed as a failover peer would cause the server to become
  non-responsive.  [ISC-Bugs #22679]
  CERT: VU#159528 CVE: CVE-2010-3616


Security Advisory:

DHCP: Server Hangs with TCP to Failover Peer Port

Summary:
If a server receives a TCP connection on a port that has been configured
for communication with a failover peer, this can cause it to become
non-responsive to all normal DHCP protocol traffic.

CVE: CVE-2010-3616
CERT: VU#159528
Posting date: 10 Dec 2010
Program Impacted: DHCP
Versions affected: 4.2
Severity: High
Exploitable: remotely

Description:

If a TCP connection is established to the server on a port which has
been configured for communication with a failover peer, this can cause
it to become non-responsive to all normal DHCP protocol traffic.  The
server will progress to a communications-interrupted state - but in
addition will also cease to provide DHCP services to clients.  The
server must be restarted to resume normal operation.

CVSS: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
(for more on CVSS scores and to calculate your environment's
specific risk, please visit:
http://nvd.nist.gov/cvss.cfm?calculator&version=2)

Impact and Risk Assessment: This can be used as an attack vector against
servers that are configured for failover partnerships.

Workarounds:

Users running DHCP servers in failover configurations may be able to
minimise the risk to TCP ports used for peer-peer DHCP server
communication by careful packet filtering on the hosts and network
gateways that limits access to traffic between the configured failover
peers - but ideally they should upgrade.  (Regardless of which version
of DHCP is deployed, users are advised that it is good security practice
to limit traffic to their omapi and failover ports via packet filters,
firewalls etc.)

Active exploits:

None known at this time.  Issue found by a user and reported via the
dhcp-users community mailing list, therefore consider this vulnerability
public.

Solution:

Upgrade DHCP to 4.2.0-P2.

Acknowledgment: Brad Bendily, for finding and testing
the problem.

For more information please check the latest advisory update here:

https://www.isc.org/software/dhcp/advisories/cve-2010-3616
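The packet-filtering workaround from the advisory, as an added example that is not part of the original message or ISC's code: it reads the `failover peer` blocks from a dhcpd.conf and emits iptables rules that accept the local failover port only from the configured peer. The sample configuration, its addresses, and the choice of iptables with the INPUT chain are assumptions.

```python
import ipaddress
import re

# Constructed sample dhcpd.conf fragment; addresses are from the RFC 5737 documentation range.
SAMPLE_CONF = """
failover peer "dhcp-failover" {
    primary;
    address 192.0.2.10;
    port 647;                  # local TCP port the peer connects to
    peer address 192.0.2.11;
    peer port 647;
}
subnet 192.0.2.0 netmask 255.255.255.0 {
    pool { failover peer "dhcp-failover"; range 192.0.2.100 192.0.2.200; }
}
"""

# Matches only the declaration (name followed by a brace), not pool references.
BLOCK_RE = re.compile(r'failover\s+peer\s+"([^"]+)"\s*\{(.*?)\}', re.S)


def parse_failover_peers(conf_text):
    """Return name, local listening port and peer address for each failover block."""
    conf_text = re.sub(r"#[^\n]*", "", conf_text)  # drop comments
    peers = []
    for name, body in BLOCK_RE.findall(conf_text):
        stmts = [s.split() for s in body.split(";") if s.strip()]
        port = next((t[1] for t in stmts if len(t) == 2 and t[0] == "port"), None)
        addr = next((t[2] for t in stmts if len(t) == 3 and t[:2] == ["peer", "address"]), None)
        if port is None or addr is None:
            raise ValueError(f"failover peer {name!r}: need 'port' and 'peer address'")
        # Pin the filter to a literal IPv4 address; a hostname raises ValueError here.
        ipaddress.IPv4Address(addr)
        peers.append({"name": name, "port": int(port), "peer_address": addr})
    return peers


def iptables_rules(peers):
    """Accept the failover port only from the configured peer, then drop everyone else."""
    rules = [f"iptables -A INPUT -p tcp -s {p['peer_address']} --dport {p['port']} -j ACCEPT"
             for p in peers]
    for port in sorted({p["port"] for p in peers}):
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(iptables_rules(parse_failover_peers(SAMPLE_CONF))))
```

Review the generated rules against the existing ruleset before loading them, since rule order decides whether the ACCEPT or the DROP applies.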


