Description
Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2, and some other dhcpd implementations based on ISC dhcp-2, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU.
Exploits (1)
References (27)
Core 27
Core References
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27338
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27350
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2008/3088
Patch x_refsource_confirm
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/options.c
Issue Tracking x_refsource_confirm
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446354
Patch vendor-advisory
x_refsource_openbsd
http://www.openbsd.org/errata42.html#001_dhcpd
Patch vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/25984
Exploit, Third Party Advisory exploit
x_refsource_exploit-db
https://www.exploit-db.com/exploits/4601
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/483230/100/100/threaded
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/37045
Vendor Advisory vendor-advisory
x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-0970.html
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2007/dsa-1388
Various Sources x_refsource_misc
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1962
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-531-1
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5817
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-531-2
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27160
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/482085/100/100/threaded
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27273
Patch vendor-advisory
x_refsource_openbsd
http://www.openbsd.org/errata40.html#016_dhcpd
Vendor Advisory vendor-advisory
x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-243806-1
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/32668
Patch vendor-advisory
x_refsource_openbsd
http://www.openbsd.org/errata41.html#010_dhcpd
Vendor Advisory x_refsource_confirm
http://sunsolve.sun.com/search/document.do?assetkey=1-21-109077-21-1
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1018794
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://securitytracker.com/id?1021157
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/32213
Scores
EPSS
0.4351
EPSS Percentile
97.5%
Details
CWE
CWE-119
Status
published
Products (28)
debian/debian_linux
3.1
debian/debian_linux
4.0
openbsd/openbsd
4.0
openbsd/openbsd
4.1
openbsd/openbsd
4.2
redhat/enterprise_linux
2.1 (2 CPE variants)
redhat/linux_advanced_workstation
2.1
sun/opensolaris
snv_01 (2 CPE variants)
sun/opensolaris
snv_02 (2 CPE variants)
sun/opensolaris
snv_03 (2 CPE variants)
... and 18 more
Published
Oct 11, 2007
Tracked Since
Feb 18, 2026