ISC DHCPD NSUPDATE MiniRes Library Remote Buffer Overflow Vulnerabilities



Date Discovered

January 15, 2003


Multiple buffer overflow vulnerabilities have been reported for the ISC DHCPD service. The vulnerability occurs when the DHCP server is configured to dynamically update records. The vulnerability exists in the library used by NSUPDATE to resolve hostnames. An attacker can exploit these vulnerabilities by sending a malformed DHCP message containing an overly large hostname value. This will trigger the buffer overflow condition and any embedded attacker-supplied code may be executed.

Technologies Affected

  • ISC DHCPD 3.0.0
  • ISC DHCPD 3.0.0 b2pl23
  • ISC DHCPD 3.0.0 b2pl9
  • ISC DHCPD 3.0.0 pl1
  • ISC DHCPD 3.0.0 rc12
  • ISC DHCPD 3.0.0 rc4
  • ISC DHCPD 3.0.1 rc1
  • ISC DHCPD 3.0.1 rc10
  • ISC DHCPD 3.0.1 rc2
  • ISC DHCPD 3.0.1 rc3
  • ISC DHCPD 3.0.1 rc4
  • ISC DHCPD 3.0.1 rc5
  • ISC DHCPD 3.0.1 rc6
  • ISC DHCPD 3.0.1 rc7
  • ISC DHCPD 3.0.1 rc8
  • ISC DHCPD 3.0.1 rc9


Disable all unnecessary services.
If not explicitly needed, it is best to disable the DHCP service.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Use a firewall to filter traffic to TCP/UDP ports 67 and 68.

Run all software as a nonprivileged user with minimal access rights.
Run the DHCP server with the minimum privileges necessary for functionality. This will greatly reduce the consequences of successful exploitation.

Limit access to sensitive Ethernet segments.
Physical security should be in place to limit unauthorized individuals from gaining access to sensitive ethernet segments.

Implement multiple redundant layers of security.
Use of measures such as StackGuard and non-executable stack configurations may help to limit exploitability of this and other latent stack-based buffer overflow vulnerabilities.

Modify default configuration files to disable any unwanted behavior.
Modify the ISC DHCPD configuration files to disable dynamic DNS updates. This will effectively prevent exploitation of this vulnerability.

SuSE reportedly ships with vulnerable packages. An advisory and fixes are forthcoming. BSD/OS is prone to this issue. The vulnerability is addressed by the M431-001 and M500-004 patches for the 4.3.1 and 5.0 versions of BSD/OS. Users should contact the vendor for further information about obtaining and applying fixes. OpenPKG has released an advisory containing updated dhcpd packages which address this issue. OpenPKG CURRENT is addressed by the dhcpd-3.0.1rc11-20030116 package, OpenPKG 1.1 is addressed by the dhcpd-3.0.1rc9-1.1.1 package and OpenPKG 1.0 is addressed by the dhcpd-3.0.1rc4-1.0.1 package. Gentoo Linux has released an advisory. Users who have installed net-misc/dhcp are advised to upgrade their systems to dhcp-3.0_p2 by issuing the following commands: emerge sync emerge -u dhcp emerge clean Debian has made fixes available. See referenced advisory DSA 231-1 for additional details. SuSE has released an advisory. Information about obtaining and applying fixes for SuSE Linux are available in the referenced advisory. The FreeBSD ports collection contains the vulnerable software. Users are advised to update the port to version 3.0.1.r11 if it has been installed. The following fixes are available:



These issues were reported by ISC.

© 1995- Symantec Corporation

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from


The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.