CVE-2007-5365
Published 2007-10-11
Priority P267 · high · 7.2 (CVSS 2.0)
AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 80.27% (99.6th percentile)
Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2, and some other dhcpd implementations based on ISC dhcp-2, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU.
Affected
116 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| redhat | enterprise_linux | — | — |
| redhat | linux_advanced_workstation | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
| sun | opensolaris | — | — |
Detection & IOCs (extracted from sources)
- Trigger condition: attacker sends a DHCP request specifying a maximum message size smaller than the minimum IP MTU, causing a stack-based buffer overflow in cons_options() in options.c of dhcpd.
- Vulnerable function is cons_options in options.c within dhcpd; monitor for abnormal DHCP option handling or crashes in this function.
- Attack vector is network-based via malicious DHCP packets/replies; inspect DHCP traffic for anomalously small maximum message size values (below minimum IP MTU of 576 bytes).
- Affected platforms include OpenBSD 4.0 through 4.2 and other dhcpd implementations based on ISC dhcp-2; scope is limited to these legacy versions.
- USN-531-1 patches were incomplete and only reduced the scope of the vulnerability without fully solving it; USN-531-2 is required for a complete fix.
- CVE-2007-5365 is considered the same issue as CVE-2007-0063 (VMware DHCP integer underflow); both were addressed by RHSA-2007-0970.
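The traffic check described in the list above, as an added example (not code from dhcpd or from any of the cited advisories): it walks the options of a raw DHCP UDP payload and flags option 57 (Maximum DHCP Message Size, RFC 2132) when its value is below 576. The function names are illustrative, and `build_sample` produces constructed test input only.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker preceding the options field
BOOTP_FIXED_LEN = 236                # fixed BOOTP header that precedes the cookie
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_MAX_MSG_SIZE = 53, 57
MIN_MAX_MSG_SIZE = 576               # RFC 2132: minimum legal value for option 57

def iter_options(payload):
    """Yield (code, value) for each option in a DHCP UDP payload."""
    if len(payload) < BOOTP_FIXED_LEN + 4:
        raise ValueError("payload shorter than BOOTP header plus cookie")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i = BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            return
        if code == OPT_PAD:          # pad is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("option truncated before length byte")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option value truncated")
        yield code, value
        i += 2 + length

def check_max_message_size(payload):
    """Return a finding string, or None when option 57 is absent or >= 576."""
    for code, value in iter_options(payload):
        if code != OPT_MAX_MSG_SIZE:
            continue
        if len(value) != 2:
            return f"option 57 has length {len(value)}, expected 2"
        (size,) = struct.unpack("!H", value)
        if size < MIN_MAX_MSG_SIZE:
            return f"option 57 advertises {size} bytes, below {MIN_MAX_MSG_SIZE}"
    return None

def build_sample(max_size):
    """Constructed test input: zeroed BOOTREQUEST header, DISCOVER, option 57."""
    header = bytes([1, 1, 6, 0]) + bytes(BOOTP_FIXED_LEN - 4)
    opts = bytes([OPT_MSG_TYPE, 1, 1, OPT_MAX_MSG_SIZE, 2]) + struct.pack("!H", max_size)
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])
```

Feed `check_max_message_size` the UDP payload of client-to-server traffic on port 67; a `ValueError` from the parser marks a malformed options field that is worth logging in its own right.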
CVSS provenance
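| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 10.0 | CRITICAL | — |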
Ubuntu
dhcp vulnerability
vendor_ubuntu·2007-10-23
CVE-2007-5365 dhcp vulnerability
Title: dhcp vulnerability
Summary: dhcp vulnerability
USN-531-1 fixed vulnerabilities in dhcp. The fixes were incomplete,
and only reduced the scope of the vulnerability, without fully solving
it. This update fixes the problem.
Original advisory details:
Nahuel Riva and Gerardo Richarte discovered that the DHCP server did not
correctly handle certain client options. A remote attacker could send
malicious DHCP replies to the server and execute arbitrary code.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Ubuntu
dhcp vulnerability
vendor_ubuntu·2007-10-22
CVE-2007-5365 dhcp vulnerability
Title: dhcp vulnerability
Summary: dhcp vulnerability
Nahuel Riva and Gerardo Richarte discovered that the DHCP server did not
correctly handle certain client options. A remote attacker could send
malicious DHCP replies to the server and execute arbitrary code.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
dhcpd stack-based buffer overflow
vendor_redhat·2007-10-08·CVSS 7.2
CVE-2007-5365 [HIGH] dhcpd stack-based buffer overflow
dhcpd stack-based buffer overflow
Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2, and some other dhcpd implementations based on ISC dhcp-2, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU.
Red Hat
security flaw
vendor_redhat·2007-10-08·CVSS 10.0
CVE-2007-0063 [CRITICAL] security flaw
security flaw
Integer underflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow.
Statement: This issue is the same as CVE-2007-5365. The affected dhcp versions were fixed via: https://rhn.redhat.com/errata/RHSA-2007-0970.html
GHSA
GHSA-q79j-j4r9-8grp: Stack-based buffer overflow in the cons_options function in options
ghsa_unreviewed·2022-05-01
CVE-2007-5365 [HIGH] CWE-119 GHSA-q79j-j4r9-8grp: Stack-based buffer overflow in the cons_options function in options
Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2, and some other dhcpd implementations based on ISC dhcp-2, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU.
No detection rules found.
Bugzilla
CVE-2007-0063 security flaw
bugzilla·2018-08-16·CVSS 10.0
CVE-2007-0063 [CRITICAL] CVE-2007-0063 security flaw
CVE-2007-0063 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Integer underflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow.
---
Statement:
This issue is the same as CVE-2007-5365. The affected dhcp versions were fixed via: https://rhn.redhat.com/errata/RHSA-2007-0970.html
Bugzilla
CVE-2007-5365 dhcpd stack-based buffer overflow
bugzilla·2007-10-11·CVSS 10.0
CVE-2007-5365 [CRITICAL] CVE-2007-5365 dhcpd stack-based buffer overflow
CVE-2007-5365 dhcpd stack-based buffer overflow
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5365 to the following vulnerability:
Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2 allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU.
References:
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1962
http://www.openbsd.org/errata42.html#001_dhcpd
http://secunia.com/advisories/27160
http://www.securityfocus.com/bid/25984
Discussion:
OpenBSD's dhcpd is based on ISC dhcpd 2.x. We ship dhcpd 2.0pl5 in Red Hat
Enterprise Linux 2.1, which seems to be affected by this
Published 2007-10-11