[pkg-dhcp-devel] Bug#844584: dhclient should perform additional validity checks
Ivo De Decker
ivodd at debian.org
Tue Mar 21 19:25:16 UTC 2017
Control: severity -1 important
Hi,
On Thu, Nov 17, 2016 at 08:10:34AM +0000, Anton Ivanov wrote:
> https://samy.pl/poisontap/
>
> This is a variation on an ancient "gem" by a DSL Modem vendor
> where the router pretends to be the entire internet by spoofing
> arp so that it captures all traffic.
>
> The best way to deal with this is to set an upper limit on the
> size of acceptable netmask in /etc/default/isc-dhcp-client and
> verify it in a hook (which can be debian specific).
>
> This way dhcp reply of 0.0.0.0/0 or anything larger than a class
> A will raise a security alert instead of blindly exposing the
> machine to a spoofing attack.
When an attacker can attach devices to your machine, there are lots of
possible ways they can mess with it. Filtering certain dhcp replies will not
change this that much (they could remove the network cable, if there is a
switch to disable wifi they could use that, etc), so I'm lowering the severity
of this bug.
Cheers,
Ivo
More information about the pkg-dhcp-devel
mailing list