[NTLUG:Discuss] DHCP Vulnerability?
Cameron, Thomas
Thomas.Cameron at bankofamerica.com
Fri Aug 13 16:11:15 CDT 2004
> -----Original Message-----
> From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org]On
> Behalf Of Jim Goode
> Sent: Friday, August 13, 2004 2:55 PM
> To: discuss at ntlug.org
> Subject: [NTLUG:Discuss] DHCP Vulnerability?
>
>
> I am running an e-Smith/Mitel SME server with DHCP enabled. The server
> supports desktops that are running MS Windows 2000 Professional.
>
> Earlier today (and several times over the past 2 months) I lost
> connectivity to the server from my desktop. This time I discovered that
> the IP assigned to my desktop was not in the DHCP range I had specified
> on the server. I spot checked a couple of other desktops and they had
> the same problem. The 1st and 2nd octet that had been assigned remained
> constant (169.254.) but the 3rd and 4th were quite different (113.233,
> 133.162, and 233.134). I use 192.168 for my internal LAN.
The 169.254.x.x range is part of APIPA (Automatic Private Internet Protocol Addressing): http://www.google.com/search?hl=en&ie=UTF-8&q=apipa&btnG=Google+Search. It means that your desktop never got a response from your DHCP server, so it magicked up an IP address from that range (after checking that no one else was using it).
> After researching some web sites, I see that US-CERT reported a DHCP
> vulnerability on June 22, 2004 (VU# 317350 and 654390).
>
> 1) Could my problem be related to one of these vulnerabilities?
Probably not. Is dhcpd running on the server? Any funky messages in /var/log/messages?
> 2) Could my server have a virus?
Highly doubtful. There are very few Linux viruses. If it were anything, I would think that you might have been broken into. Is the server directly accessible from the Internet?
> 3) If yes, how can I find and remove the virus?
http://www.mcafeesecurity.com/us/downloads/evals/ - look for "McAfee VirusScan Command Line Scanner for Linux."
> 4) Is there a patch for the DHCP problem? The SME server is
> based on Red
> Hat 7.2 under the covers and RH no longer supports this release.
Might not be a bad idea to go to http://www.isc.org/ and grab the latest version (ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.1.tar.gz as of right now). Remove your old version of dhcp (rpm -e dhcpd) and then install the downloaded version.
Alternatively, you can grab a source RPM from one of the newer Red Hat distros at http://rpmfind.net/linux/rpm2html/search.php?query=dhcp&submit=Search+...&system=&arch= and rebuild it for your server. Use either rpmbuild --rebuild [source rpm] or rpm --rebuild [source rpm]. I don't have an old RH 7.2 box lying around to test, so please report back your results.
> Thank you for your time and response,
> Jim
--
Thomas Cameron, RHCE, CNE, MCSE, MCT
Assistant Vice President
Linux Design and Engineering
Bank of America
(972) 997-9641
The opinions expressed in this message do not necessarily reflect those of my employer, Bank of America.
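The two checks suggested in the reply above (is the client on a self-assigned 169.254.x.x address, and does /var/log/messages show dhcpd answering DISCOVERs?) can be automated. The following is an added example written for this archive page, not code from the thread's participants or from the SME/e-Smith project. It assumes the ISC dhcpd syslog line formats "DHCPDISCOVER from <mac> via <if>" and "DHCPOFFER on <ip> to <mac> via <if>", and the sample log lines, MAC addresses and the 192.168.1.0/24 DHCP range are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of dhcpd lines as they might appear in /var/log/messages.
# Client ...:02 sends DISCOVERs that are never answered with an OFFER; that
# is the client that would fall back to an APIPA (169.254.x.x) address.
SAMPLE_LOG = """\
Aug 13 14:50:01 sme dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:01 via eth0
Aug 13 14:50:01 sme dhcpd: DHCPOFFER on 192.168.1.50 to 00:0c:29:aa:bb:01 via eth0
Aug 13 14:50:02 sme dhcpd: DHCPREQUEST for 192.168.1.50 from 00:0c:29:aa:bb:01 via eth0
Aug 13 14:50:02 sme dhcpd: DHCPACK on 192.168.1.50 to 00:0c:29:aa:bb:01 via eth0
Aug 13 14:51:10 sme dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:02 via eth0
Aug 13 14:51:14 sme dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:02 via eth0
Aug 13 14:51:18 sme dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:02 via eth0
Aug 13 14:52:00 sme dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:03 via eth0
Aug 13 14:52:00 sme dhcpd: DHCPOFFER on 192.168.1.51 to 00:0c:29:aa:bb:03 via eth0
"""

# RFC 3927 link-local block that Windows APIPA draws from.
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

DISCOVER_RE = re.compile(r"dhcpd: DHCPDISCOVER from ([0-9a-f:]{17})")
OFFER_RE = re.compile(r"dhcpd: DHCPOFFER on (\S+) to ([0-9a-f:]{17})")
DHCPD_RE = re.compile(r"\bdhcpd:")


def classify_client_address(addr, expected_range):
    """Return 'apipa' for a self-assigned link-local address, 'expected' when
    addr lies inside the administrator's DHCP range, otherwise 'foreign'."""
    ip = ipaddress.ip_address(addr)
    if ip in APIPA_NET:
        return "apipa"
    if ip in ipaddress.ip_network(expected_range):
        return "expected"
    return "foreign"


def unanswered_clients(log_text):
    """Map each MAC that sent DHCPDISCOVERs but never received a DHCPOFFER
    to the number of unanswered DISCOVERs. An empty dict means every client
    that asked was answered."""
    discovers = defaultdict(int)
    offers = defaultdict(int)
    for line in log_text.splitlines():
        m = DISCOVER_RE.search(line)
        if m:
            discovers[m.group(1)] += 1
            continue
        m = OFFER_RE.search(line)
        if m:
            offers[m.group(2)] += 1
    return {mac: n for mac, n in discovers.items() if offers.get(mac, 0) == 0}


def diagnose(log_text):
    """Summarise what the log says about the DHCP server, in the order the
    reply above suggests checking: is dhcpd logging at all, and if so, are
    any clients being ignored?"""
    if not any(DHCPD_RE.search(line) for line in log_text.splitlines()):
        return "no dhcpd lines in log: check that dhcpd is running"
    missing = unanswered_clients(log_text)
    if not missing:
        return "dhcpd answered every DISCOVER in the log"
    return "dhcpd ignored DISCOVERs from: " + ", ".join(sorted(missing))


if __name__ == "__main__":
    # Addresses from the original question, checked against the 192.168 LAN.
    for a in ("169.254.113.233", "169.254.133.162", "192.168.1.50"):
        print(a, classify_client_address(a, "192.168.1.0/24"))
    print(diagnose(SAMPLE_LOG))
```

On a real server, read the log with `open("/var/log/messages").read()` in place of SAMPLE_LOG; an unanswered client is a signal to look at the dhcpd pool size, subnet declaration and interface binding before suspecting a compromise.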