CERT warns of DHCP vulnerabilities
Several potentially serious security flaws exist in the Internet Software Consortium's (ISC) DHCP (Dynamic Host Configuration Protocol) software, which is shipped as part of several operating systems, the CERT Coordination Center (CERT/CC) warned Thursday.
In an internal audit, ISC discovered multiple buffer overflow flaws in versions 3.0 through 3.0.1RC10 of its DHCP product, according to a CERT advisory.
The flaws lie in a feature of ISC's DHCP product that allows the DHCP server to automatically update a DNS (Domain Name System) server. An attacker could take over an affected system by sending a DHCP message containing a large hostname, according to CERT.
The ISC DHCP software ships as part of products from Red Hat Inc. and SuSE Linux AG; the vulnerability status of many other vendors is still unknown, CERT said. Red Hat already has a patch available; SuSE is working on a software update, according to CERT.
DHCP software is used to automatically assign users IP (Internet Protocol) addresses when they sign on to a network. Typically a DHCP server is not accessible externally, limiting the threat of attacks.
ISC, which also provides the widely used BIND (Berkeley Internet Name Domain) DNS software, has released an update fixing the DHCP flaws. CERT maintains a list of vendors whose software could contain the ISC software and may also be vulnerable.
The CERT advisory is at: http://www.cert.org/advisories/CA-2003-01.html.
ITworld.com
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
