CVE-2007-5365
published 2007-10-11


Priority: P2 (67, high) · CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available · EPSS: 80.27% (99.6th percentile)
Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2, and some other dhcpd implementations based on ISC dhcp-2, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU.

Affected

116 ranges · showing 25 (version range and fixed-in columns were not present in the extracted data)

Vendor   | Product                    | Ranges shown
debian   | debian_linux               | 2
openbsd  | openbsd                    | 3
redhat   | enterprise_linux           | 1
redhat   | linux_advanced_workstation | 1
sun      | opensolaris                | 18

Detection & IOCs (extracted from sources)

Source URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/4601.tgz
  • Trigger condition: attacker sends a DHCP request specifying a maximum message size smaller than the minimum IP MTU, causing a stack-based buffer overflow in cons_options() in options.c of dhcpd.
  • Vulnerable function is cons_options in options.c within dhcpd; monitor for abnormal DHCP option handling or crashes in this function.
  • Attack vector is network-based via malicious DHCP packets/replies; inspect DHCP traffic for anomalously small maximum message size values (below minimum IP MTU of 576 bytes).
  • Affected platforms include OpenBSD 4.0 through 4.2 and other dhcpd implementations based on ISC dhcp-2; scope is limited to these legacy versions.
  • USN-531-1 patches were incomplete and only reduced the scope of the vulnerability without fully solving it; USN-531-2 is required for a complete fix.
  • CVE-2007-5365 is considered the same issue as CVE-2007-0063 (VMware DHCP integer underflow); both were addressed by RHSA-2007-0970.

CVSS provenance

nvd (v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat: 10.0 CRITICAL