CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.076 Low
Percentile: 94.2%
The ISC DHCP dhclient application contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code with root privileges.
As described in RFC 2131, “The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network.” ISC DHCP is a reference implementation of the DHCP protocol, including a DHCP server, client, and relay agent.
The ISC DHCP client code (dhclient) contains a stack buffer overflow in the script_write_params() method. dhclient fails to check the length of the server-supplied subnet-mask option before copying it into a buffer. According to ISC, the following versions are affected:
DHCP 4.1 (all versions)
DHCP 4.0 (all versions)
DHCP 3.1 (all versions)
DHCP 3.0 (all versions)
DHCP 2.0 (all versions)
A rogue DHCP server may be able to execute arbitrary code with root privileges on a vulnerable client system.
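The missing length check described above, sketched as an added example (not ISC's code and not part of the original advisory): a walker over the DHCP options field that accepts the subnet-mask option (code 1) only when its length is exactly the 4 bytes RFC 2132 specifies. The function names and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Option codes from RFC 2132. */
#define DHO_PAD          0
#define DHO_SUBNET_MASK  1
#define DHO_END          255

enum mask_status { MASK_OK, MASK_ABSENT, MASK_BAD_LENGTH, MASK_TRUNCATED };

/* Hypothetical helper: walk the options field (the bytes after the magic
 * cookie) and copy out option 1 only if its length is exactly 4.
 * The unsafe pattern is memcpy(dst, value, len) with the sender's len. */
enum mask_status extract_subnet_mask(const uint8_t *opts, size_t opts_len,
                                     uint8_t mask_out[4])
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t code = opts[i++];
        if (code == DHO_PAD) continue;                 /* single byte, no length */
        if (code == DHO_END) break;
        if (i >= opts_len) return MASK_TRUNCATED;      /* length byte missing */
        uint8_t len = opts[i++];
        if (len > opts_len - i) return MASK_TRUNCATED; /* value runs past buffer */
        if (code == DHO_SUBNET_MASK) {
            if (len != 4) return MASK_BAD_LENGTH;      /* reject, do not clamp */
            memcpy(mask_out, &opts[i], 4);             /* fixed size, not len */
            return MASK_OK;
        }
        i += len;
    }
    return MASK_ABSENT;
}

/* Status only, for callers that just need to accept or drop the offer. */
enum mask_status classify_options(const uint8_t *opts, size_t opts_len)
{
    uint8_t scratch[4];
    return extract_subnet_mask(opts, opts_len, scratch);
}

/* Mask packed most-significant byte first, or 0 when not acceptable. */
uint32_t subnet_mask_or_zero(const uint8_t *opts, size_t opts_len)
{
    uint8_t m[4];
    if (extract_subnet_mask(opts, opts_len, m) != MASK_OK) return 0;
    return ((uint32_t)m[0] << 24) | ((uint32_t)m[1] << 16) |
           ((uint32_t)m[2] << 8) | (uint32_t)m[3];
}

/* Constructed sample option fields (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = { 53,1,5, 1,4,255,255,255,0, 3,4,192,0,2,1, 255 };
static const uint8_t SAMPLE_OVERSIZE[] = { 53,1,5, 1,20,
    0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, 255 };
static const uint8_t SAMPLE_TRUNCATED[] = { 1,4,255,255 };
static const uint8_t SAMPLE_NO_MASK[] = { 53,1,5, 255 };

int main(void)
{
    printf("good      -> status %d, mask 0x%08x\n",
           classify_options(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           (unsigned)subnet_mask_or_zero(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("oversize  -> status %d\n",
           classify_options(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE));
    printf("truncated -> status %d\n",
           classify_options(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("no mask   -> status %d\n",
           classify_options(SAMPLE_NO_MASK, sizeof SAMPLE_NO_MASK));
    return 0;
}
```
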
Apply a patch or update from your vendor
For vendor-specific information regarding vulnerable status and patch availability, please see the Systems Affected section of this document.
Upgrade your version of DHCP
Upgrade your system as specified by your vendor. If you need to upgrade DHCP manually, according to ISC:
Upgrade to 4.1.0p1, 4.0.1p1, or 3.1.2p1
There are no fixes planned for DHCP 3.0 or DHCP 2.0, as those release trains have reached End-Of-Life.
410676
Notified: June 23, 2009 Updated: July 14, 2009
Statement Date: July 14, 2009
Affected
We have not received a statement from the vendor.
Gentoo: vulnerable, fixed in net-misc/dhcp-3.1.1-r1
Notified: June 23, 2009 Updated: July 15, 2009
Statement Date: July 15, 2009
Affected
IBM Internet Security Systems has identified some ISS products that are vulnerable to CVE-2009-0692. Critical Product Updates, Security Patches, and Content Updates were made available on July 14, 2009 to fix the ISC DHCP Client vulnerability that affects multiple IBM ISS products.
For more information about the vulnerability including IBM ISS Intrusion Prevention/Intrusion Detection coverage for the issue, see the ISC DHCP Client Buffer Overflow X-Force Protection Alert.
For more information about ISS product updates and patches including a list of affected products and versions, see ISS Knowledgebase Article 5563.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: June 23, 2009 Updated: July 15, 2009
Statement Date: July 15, 2009
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see NetBSD-SA2009-010.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23410676 Feedback>).
Notified: June 23, 2009 Updated: July 16, 2009
Statement Date: June 30, 2009
Affected
This issue affected the dhcp packages as shipped with Red Hat Enterprise Linux 3 and 4. Updated packages to correct this issue are available via Red Hat Network:
<https://rhn.redhat.com/errata/CVE-2009-0692.html>
This issue did not affect the dhcp packages as shipped with Red Hat Enterprise Linux 5 due to the use of FORTIFY_SOURCE protection mechanism that changes the exploitability of the issue into a controlled application termination.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: June 23, 2009 Updated: July 14, 2009
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see: <http://www.ubuntu.com/usn/usn-803-1>.
Notified: June 23, 2009 Updated: June 24, 2009
Statement Date: June 23, 2009
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Apple does not ship dhclient in Mac OS X.
Notified: June 23, 2009 Updated: June 25, 2009
Statement Date: June 25, 2009
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: June 23, 2009 Updated: July 14, 2009
Statement Date: July 15, 2009
Not Affected
Force10 Networks products are not vulnerable to this threat.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: June 23, 2009 Updated: July 29, 2009
Not Affected
Infoblox is not vulnerable to this threat.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: June 23, 2009 Updated: June 24, 2009
Statement Date: June 24, 2009
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Microsoft’s DHCP implementation is not vulnerable.
Notified: June 23, 2009 Updated: July 20, 2009
Statement Date: June 24, 2009
Not Affected
Peplink products do not make use of ISC dhcpc.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: June 23, 2009 Updated: July 07, 2009
Statement Date: July 07, 2009
Not Affected
QNX has investigated its DHCP client software and determined that both the QNX 4 and Neutrino Operating System DHCP client software is not vulnerable to the issue described in VU#410676.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: June 23, 2009 Updated: July 03, 2009
Statement Date: July 02, 2009
Not Affected
SafeNet has reviewed its products and determined that none are vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: June 23, 2009 Updated: June 25, 2009
Statement Date: June 25, 2009
Not Affected
We do not use the ISC DHCP client code and are therefore NOT VULNERABLE to any exploits in it.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: June 23, 2009 Updated: June 26, 2009
Statement Date: June 26, 2009
Not Affected
Solaris DHCP client implementation is not vulnerable to the issue mentioned in CVE-2009-0692
The vendor has not provided us with any further information regarding this vulnerability.
Notified: June 23, 2009 Updated: June 30, 2009
Statement Date: June 30, 2009
Not Affected
The SCO Operating System implementations of DHCP are based on ISC DHCP and are not affected by this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: June 23, 2009 Updated: June 29, 2009
Statement Date: June 29, 2009
Not Affected
VU#410676 is not applicable to Wind River VxWorks.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: June 23, 2009 Updated: June 23, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: June 26, 2009 Updated: June 26, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: June 25, 2009 Updated: June 24, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: June 24, 2009 Updated: June 24, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: June 25, 2009 Updated: June 25, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: June 29, 2009 Updated: June 29, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
<https://www.isc.org/node/468>
This vulnerability was reported by ISC, who in turn credit the Mandriva Linux Engineering Team with discovering and reporting the vulnerability.
This document was written by Will Dormann.
CVE IDs: | CVE-2009-0692 |
---|---|
Severity Metric: | 19.95 |
Date Public: | |