[pkg-dhcp-devel] Bug#844584: dhclient should perform additional validity checks

Anton Ivanov anton.ivanov at kot-begemot.co.uk
Thu Nov 17 08:10:34 UTC 2016

Package: isc-dhcp-client
Version: 4.3.1-6+deb8u2
Severity: serious
File: /sbin/dhclient
Tags: security


This is a variation on an ancient "gem" by a DSL Modem vendor
where the router pretends to be the entire internet by spoofing
arp so that it captures all traffic.

The best way to deal with this is to set an upper limit on the
size of acceptable netmask in /etc/default/isc-dhcp-client and
verify it in a hook (which can be debian specific).

This way dhcp reply of or anything larger than a class 
A will raise a security alert instead of blindly exposing the
machine to a spoofing attack.

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages isc-dhcp-client depends on:
ii  debianutils       4.4+b1
ii  iproute2          3.16.0-2
ii  isc-dhcp-common   4.3.1-6+deb8u2
ii  libc6             2.19-18+deb8u6
ii  libdns-export100  1:9.9.5.dfsg-9+deb8u7
ii  libirs-export91   1:9.9.5.dfsg-9+deb8u7
ii  libisc-export95   1:9.9.5.dfsg-9+deb8u7

isc-dhcp-client recommends no packages.

Versions of packages isc-dhcp-client suggests:
pn  avahi-autoipd  <none>
pn  resolvconf     <none>

-- no debconf information

More information about the pkg-dhcp-devel mailing list