-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2011-005
                 =================================

Topic:          ISC dhclient does not strip shell meta-characters in
                environment variables passed to scripts.

Version:        NetBSD-current:         affected
                NetBSD 5.1:             affected
                NetBSD 5.0:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected
                pkgsrc:                 isc-dhclient4 package prior to 4.2.1-P1

Severity:       Arbitrary Script Execution

Fixed:          NetBSD-current:         April 6th, 2011
                NetBSD-5-0 branch:      April 7th, 2011
                NetBSD-5 branch:        April 7th, 2011
                NetBSD-4-0 branch:      April 7th, 2011
                NetBSD-4 branch:        April 7th, 2011
                pkgsrc 2011Q1:          April 11th, 2011


Abstract
========

dhclient does not strip or escape certain shell meta-characters in
responses from the DHCP server, allowing a rogue server, or a party
with escalated privileges on a legitimate server, to cause remote code
execution on the client.

This vulnerability has been assigned CVE-2011-0997 and CERT
Vulnerability Note VU#107886.


Technical Details
=================

ISC dhclient did not strip or escape certain shell meta-characters in
responses from the DHCP server (such as the hostname) before passing
the responses on to dhclient-script in environment variables. Where
dhclient-script interpolates such a variable into a shell command, the
server-chosen string is executed as shell on the client.

For more details, please see CVE-2011-0997.


Solutions and Workarounds
=========================

dhclient(8) exports many variables to the environment, some of which
are strings provided by the DHCP server and were not being sanity
checked for shell metacharacters.
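To make the hazard concrete, here is an added example; it is not code from the advisory, from NetBSD or from ISC. It is a small POSIX sh script that contrasts an eval over a raw DHCP-supplied hostname, the pattern this advisory is about, with a version that first runs the sed expression from the advisory's workaround over the value. The helper names (fake_hostname, unsafe_set_hostname, safe_set_hostname, sanitize_hostname, sanitize_dnsname) and the payload string are invented for the demonstration, and sanitize_dnsname, which also keeps dots, is an extension beyond what the advisory prescribes.

```shell
#!/bin/sh
# Added example, not part of the NetBSD advisory or of dhclient-script.
# Shows why a DHCP-supplied string must be sanitised before it reaches
# a shell command, and how the advisory's sed workaround does that.

# Strip everything that is not a letter, digit or hyphen. This is the
# expression from the advisory's workaround. printf is used instead of
# echo so that a value such as "-n" is not taken as an echo option.
# Note: it also removes dots, so an FQDN collapses to a single label.
sanitize_hostname() {
    printf '%s\n' "$1" | sed -e 's/[^a-zA-Z0-9-]*//g'
}

# Extension (assumption, not from the advisory): for values that are
# legitimately dotted, such as a domain name, keep dots as well.
sanitize_dnsname() {
    printf '%s\n' "$1" | sed -e 's/[^a-zA-Z0-9.-]*//g'
}

# Stand-in for hostname(1) so the demo is harmless to run.
fake_hostname() {
    printf 'hostname=%s\n' "$1"
}

# The vulnerable pattern: the raw server-supplied value is interpolated
# into a command string and evaluated. A value like "host;echo INJECTED"
# terminates the hostname command and runs a second command.
unsafe_set_hostname() {
    eval "fake_hostname $1"
}

# The hardened pattern: sanitise first, then pass the result as a single
# quoted argument, never through eval.
safe_set_hostname() {
    fake_hostname "$(sanitize_hostname "$1")"
}

# Constructed DHCP option value standing in for $new_host_name.
demo() {
    payload='host;echo INJECTED'
    printf 'unsafe: '; unsafe_set_hostname "$payload"
    printf 'safe:   '; safe_set_hostname "$payload"
}

demo
```

In the real dhclient-script the sanitised value replaces $new_host_name at the top of set_hostname(), as the advisory describes; other server-supplied strings exported by dhclient, such as $new_domain_name, deserve the same treatment before any script consumes them. Because the advisory's character class drops dots, a client that relies on the server-supplied name being fully qualified needs the wider class shown in sanitize_dnsname, and must still never pass the result through eval.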
Although in the current implementation of /sbin/dhclient-script "eval"
is only used in ifconfig(8) commands with arguments from the environment
that cannot be set to arbitrary strings by the DHCP server ($interface
and $medium are set by the client; $new_ip_address, $new_netmask_arg,
$new_broadcast_arg, $alias_ip_address and $old_ip_address are IP
addresses), one should either update dhclient to a version that
sanitizes all variables, or add the following line to
/sbin/dhclient-script at the beginning of the set_hostname() function:

        new_host_name="$(echo "${new_host_name}" | sed -e 's/[^a-zA-Z0-9-]*//g')"

The reason to do this is that unless the hostname is sanitized, a
hostname containing shell metacharacters can be set on the system, and
other scripts that use the compromised hostname might break or be
exploited.

In environments where filters/ACLs can be put into place to limit
clients to accessing only legitimate DHCP servers, this will protect
clients from rogue DHCP servers deliberately trying to exploit this bug.
However, this will not protect against compromised servers.

Further workaround: disable dhclient(8) from the base OS and use the
fixed isc-dhclient4 package from pkgsrc.

The following instructions describe how to upgrade your dhclient
binaries by updating your source tree and rebuilding and installing a
new version of dhclient.

        CVS branch      file                                    revision
        -------------   ----------------                        --------
        HEAD            src/dist/dhcp/client/dhclient.c         1.21
        netbsd-5-0      src/dist/dhcp/client/dhclient.c         1.19.12.2
        netbsd-5-1      src/dist/dhcp/client/dhclient.c         1.19.8.1.2.1
        netbsd-5        src/dist/dhcp/client/dhclient.c         1.19.8.2
        netbsd-4-0      src/dist/dhcp/client/dhclient.c         1.18.12.2
        netbsd-4        src/dist/dhcp/client/dhclient.c         1.18.2.2

The following instructions briefly summarize how to update and
recompile dhclient.
In these instructions, replace:

        VERSION  with the fixed version from the appropriate CVS branch
                 (from the above table)
        FILE     with the name of the file from the above table

To update from CVS, re-build, and re-install dhclient:

        # cd src
        # cvs update -d -P -r VERSION FILE
        # cd usr.sbin/dhcp
        # make USETOOLS=no cleandir dependall
        # cd client
        # make USETOOLS=no install


Thanks To
=========

Sebastian Krahmer and Marius Tomaschewski, SuSE Security Team, for
discovering and reporting the software flaw.


Revision History
================

        2011-04-26      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-005.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-005.txt,v 1.2 2011/04/26 16:56:52 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)

iQIcBAEBAgAGBQJNtvleAAoJEAZJc6xMSnBuqUkP/iuLylj+A2uZYvvLGPiGrnNa
dnNyT4dcx54Hc1Uq3Mq8rtPwNJd+zf5eEH1PRxjFUstR3wn8/KORIZ+ZZPY/ftMJ
/yLhubzjDuimkS+kyIxLLkQXXmgaLHjj7FvX5BceDghWksFsX/A/HzMDHBHaxZ8t
nUXzbAdkqBXXmu9bzd+N4TJbQadk8qAHmg9WuJFmGzbxP4Qu46wl06eMKGW8LU8n
Ert/UN+MSV+ELOgNQWHf7GeRMjDi1bd/PZK90rbpMyNkTRvHcIIl1Zp0Bo0WDLAH
uNmW9G0PnoRrpf9YalBObs1R2jQV+1s2cWiZGyvUk+SJrhtDdYtljU71uCCA7xE5
vhIZjcMrGyuNhBVjR2v8ifcl6f57M3LyIaXsvFKRT04Exe6S6yjNIDWR3SKmweAx
3Up3nqjlIx1cBaVZP7RGFUw6W+tPHFx0xez+HclXVvWw0fOo12Lz1iacg6REDXP1
2LjGpEcyOjMceUf1A8WX8bLmkP4d/FUv/P+TLmEEBThXsEBw/CU+SJcKkUzIjwPI
CXe7GXj5NwrEjOpGskglSi13y3q7e///aql/B9bczKjok5kkOvzK6q/1qCBnsdHc
JwCD2HlCFzAc2NDRdkxkAtSP4nsw7rly33C3NiY14JKDXiGBWDAkyVCOisM/IL/R
4Ir8/fBQMfJSHl9xuULA
=7pTA
-----END PGP SIGNATURE-----