USN-1108-1: DHCP vulnerability

11 April 2011

dhcp3 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.10
  • Ubuntu 10.04 LTS
  • Ubuntu 9.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Summary

An attacker’s DHCP server could send crafted responses to your computer and cause it to run programs as root.

Software Description

  • dhcp3 - DHCP client transitional package

Details

Sebastian Krahmer discovered that the dhclient utility incorrectly filtered crafted responses. An attacker could use this flaw with a malicious DHCP server to execute arbitrary code, resulting in root privilege escalation.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 10.10
  • dhcp3-client - 3.1.3-2ubuntu6.1

Ubuntu 10.04 LTS
  • dhcp3-client - 3.1.3-2ubuntu3.1

Ubuntu 9.10
  • dhcp3-client - 3.1.2-1ubuntu7.2

Ubuntu 8.04 LTS
  • dhcp3-client - 3.0.6.dfsg-1ubuntu9.2

Ubuntu 6.06 LTS
  • dhcp3-client - 3.0.3-6ubuntu7.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.
