[pkg-dhcp-devel] Bug#844584: dhclient should perform additional validity checks
Anton Ivanov
anton.ivanov at kot-begemot.co.uk
Thu Nov 17 08:10:34 UTC 2016
Package: isc-dhcp-client
Version: 4.3.1-6+deb8u2
Severity: serious
File: /sbin/dhclient
Tags: security
https://samy.pl/poisontap/
This is a variation on an ancient "gem" by a DSL modem vendor
where the router pretends to be the entire internet by spoofing
ARP so that it captures all traffic.
The best way to deal with this is to set an upper limit on the
size of an acceptable netmask in /etc/default/isc-dhcp-client and
verify it in a hook (which can be Debian-specific).
This way a DHCP reply of 0.0.0.0/0 or anything larger than a class
A will raise a security alert instead of blindly exposing the
machine to a spoofing attack.
-- System Information:
Debian Release: 8.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages isc-dhcp-client depends on:
ii debianutils 4.4+b1
ii iproute2 3.16.0-2
ii isc-dhcp-common 4.3.1-6+deb8u2
ii libc6 2.19-18+deb8u6
ii libdns-export100 1:9.9.5.dfsg-9+deb8u7
ii libirs-export91 1:9.9.5.dfsg-9+deb8u7
ii libisc-export95 1:9.9.5.dfsg-9+deb8u7
isc-dhcp-client recommends no packages.
Versions of packages isc-dhcp-client suggests:
pn avahi-autoipd <none>
pn resolvconf <none>
-- no debconf information
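
The check proposed in the report, sketched as a dhclient enter hook. This is an added example, not code from the reporter or from the isc-dhcp package. The setting name DHCP_MIN_PREFIX_LEN is hypothetical, and the default of 8 follows the report's "anything larger than a class A".

```shell
#!/bin/sh
# Added example: not from the bug report or from isc-dhcp-client.
# DHCP_MIN_PREFIX_LEN is a hypothetical setting name; reason, new_subnet_mask
# and exit_status are the variables described in dhclient-script(8).

# Print the prefix length of a dotted-quad netmask; fail if it is malformed
# or its one-bits are not contiguous.
mask_to_prefix() {
    _m=$1 _len=0 _seen=0
    case $_m in ''|*[!0-9.]*|*.) return 1 ;; esac
    _old=$IFS; IFS=.; set -- $_m; IFS=$_old
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        # After the first octet below 255, every later octet must be 0.
        [ "$_seen" -eq 1 ] && [ "$_o" != 0 ] && return 1
        case $_o in
            255) _len=$((_len + 8)) ;;
            254) _len=$((_len + 7)); _seen=1 ;;
            252) _len=$((_len + 6)); _seen=1 ;;
            248) _len=$((_len + 5)); _seen=1 ;;
            240) _len=$((_len + 4)); _seen=1 ;;
            224) _len=$((_len + 3)); _seen=1 ;;
            192) _len=$((_len + 2)); _seen=1 ;;
            128) _len=$((_len + 1)); _seen=1 ;;
            0)   _seen=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$_len"
}

# Succeed only if mask $1 is well formed and at least $2 bits long.
netmask_acceptable() {
    _plen=$(mask_to_prefix "$1") || return 1
    [ "$_plen" -ge "$2" ]
}

# Hook body: runs only when dhclient-script is about to configure a lease.
case ${reason:-} in
    BOUND|RENEW|REBIND|REBOOT)
        [ -r /etc/default/isc-dhcp-client ] && . /etc/default/isc-dhcp-client
        if ! netmask_acceptable "${new_subnet_mask:-}" "${DHCP_MIN_PREFIX_LEN:-8}"; then
            logger -p auth.alert -t dhclient-netmask \
                "refusing lease: netmask '${new_subnet_mask:-}' is wider than allowed"
            exit_status=1   # dhclient-script(8): non-zero aborts the script
        fi ;;
esac
```

With the default of 8, a reply carrying netmask 0.0.0.0 or 128.0.0.0 is logged at alert priority and not applied, while 255.0.0.0 and narrower masks pass.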