[pkg-dhcp-devel] Bug#672232: Re isc-dhcp-client: method to ignore settings provided by the server

[Christoph Anton Mitterer]

Control: severity -1 important
Control: tags -1 = security

Hey.

Still cannot believe that this hasn't been dealt with after so many
years... o.O

As explained previously, dhclient doesn't seem to allow to disable
certain security relevant options from being received (and configured)
from the server.

For example, even when setting:
request subnet-mask, broadcast-address, time-offset, routers,
        domain-name-servers,
        dhcp6.name-servers, dhcp6.fqdn,
        netbios-name-servers, netbios-scope, interface-mtu,
        rfc3442-classless-static-routes;

It would still take ntp servers, domain search path, etc. from the
server if that offers it.

These values however are quite security critical.
A rogue DHCP server may direct any client (e.g. a notebook connected to
any public network) to use a evil NTP server, which could ultimately
lead to a wrong system time being set, which in turn could lead to
expired certificates, software updates, etc. being used.

Similar, playing around with the domain search path could trick a
system into using/trusting/etc. the wrong names.

supersede isn't really of any help here since a) it doesn't seem to
properly work in all places, and b) one cannot use it do just "unset" a
server provided value (i.e. using the empty string or so doesn't work).


I just stumbled over this issue again, when we observed a successful
attack on two of our institutes notebooks.
Turned out in the end that their time/date must have been influenced
maliciously...


Michael, I've seen you've removed important, security and added
unreproducible without any further explanations... o.O

Adding these back, as the above examples clearly show that this can be
exploited,... further removing unreproducible as it was even confirmed
before by Felix and reproduction seems straight-forward.

Cheers,
Chris.