[pkg-dhcp-devel] Bug#672232: Re isc-dhcp-client: method to ignore settings provided by the server

Christoph Anton Mitterer calestyo at gmail.com
Sun Nov 29 19:42:03 UTC 2015

Control: severity -1 important
Control: tags -1 = security


Still cannot believe that this hasn't been dealt with after so many
years... o.O

As explained previously, dhclient doesn't seem to allow disabling
certain security-relevant options from being received (and configured)
from the server.

For example, even when setting:
request subnet-mask, broadcast-address, time-offset, routers,
        dhcp6.name-servers, dhcp6.fqdn,
        netbios-name-servers, netbios-scope, interface-mtu,

It would still take NTP servers, domain search path, etc. from the
server if it offers them.

These values however are quite security critical.
A rogue DHCP server may direct any client (e.g. a notebook connected to
any public network) to use an evil NTP server, which could ultimately
lead to a wrong system time being set, which in turn could lead to
expired certificates, software updates, etc. being used.

Similarly, playing around with the domain search path could trick a
system into using/trusting/etc. the wrong names.

supersede isn't really of any help here since a) it doesn't seem to
properly work in all places, and b) one cannot use it to just "unset" a
server-provided value (i.e. using the empty string or so doesn't work).

I just stumbled over this issue again, when we observed a successful
attack on two of our institute's notebooks.
Turned out in the end that their time/date must have been influenced

Michael, I've seen you've removed important, security and added
unreproducible without any further explanations... o.O

Adding these back, as the above examples clearly show that this can be
exploited,... further removing unreproducible as it was even confirmed
before by Felix and reproduction seems straight-forward.
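
A check for the behaviour reported above, as an added example that is not part of the original message or of isc-dhcp: it compares the `request` list in dhclient.conf with the options recorded in the lease file and reports every option that was accepted without being requested. It assumes dhclient records accepted options as `option <name> <value>;` lines in its lease file; the helper names, the protocol-option baseline and the sample data are constructed for illustration.

```python
import re

# Options the DHCP exchange itself carries; assumed baseline, not host settings.
PROTOCOL_OPTIONS = {
    "dhcp-lease-time", "dhcp-message-type", "dhcp-server-identifier",
    "dhcp-renewal-time", "dhcp-rebinding-time",
}

def requested_options(conf_text):
    """Return the option names listed in the request statement(s) of dhclient.conf."""
    conf_text = re.sub(r"#.*", "", conf_text)  # drop comments
    names = set()
    for body in re.findall(r"\brequest\s+([^;]*);", conf_text):
        names.update(n.strip() for n in body.split(",") if n.strip())
    return names

def unrequested_options(conf_text, leases_text):
    """Map each option found in the lease file but never requested to its value."""
    wanted = requested_options(conf_text) | PROTOCOL_OPTIONS
    found = {}
    pattern = r"^\s*option\s+([\w.-]+)\s+(.*?);\s*$"
    for name, value in re.findall(pattern, leases_text, re.M):
        if name not in wanted:
            found[name] = value  # later leases in the file overwrite earlier ones
    return found

# Constructed sample data: a request list like the one in the message and a made-up lease.
SAMPLE_CONF = """
request subnet-mask, broadcast-address, time-offset, routers,
        dhcp6.name-servers, dhcp6.fqdn,
        netbios-name-servers, netbios-scope, interface-mtu;
"""
SAMPLE_LEASES = """
lease {
  interface "eth0";
  fixed-address 192.0.2.23;
  option subnet-mask 255.255.255.0;
  option routers 192.0.2.1;
  option dhcp-lease-time 3600;
  option dhcp-message-type 5;
  option dhcp-server-identifier 192.0.2.1;
  option ntp-servers 192.0.2.66;
  option domain-search "corp.example.";
  renew 0 2015/11/29 20:12:03;
  expire 0 2015/11/29 20:42:03;
}
"""

if __name__ == "__main__":
    for name, value in sorted(unrequested_options(SAMPLE_CONF, SAMPLE_LEASES).items()):
        print(f"unrequested option accepted: {name} = {value}")
```

On a real host, pass the contents of the active dhclient.conf and lease file instead of the sample strings.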

