Two new security updates for Debian GNU/Linux has been released
DSA-245-1 dhcp3 -- ignored counter boundary
DSA-244-1 noffle -- buffer overflows
DSA-245-1 dhcp3 -- ignored counter boundary
Florian Lohoff discovered a bug in the dhcrelay causing it to send a continuing packet storm towards the configured DHCP server(s) in case of a malicious BOOTP packet, such as sent from buggy Cisco switches.Read more
When the dhcp-relay receives a BOOTP request it forwards the request to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff which causes the network interface to reflect the packet back into the socket. To prevent loops the dhcrelay checks whether the relay-address is its own, in which case the packet would be dropped. In combination with a missing upper boundary for the hop counter an attacker can force the dhcp-relay to send a continuing packet storm towards the configured dhcp server(s).
This patch introduces a new command line switch -c maxcount and people are advised to start the dhcp-relay with dhcrelay -c 10 or a smaller number, which will only create that many packets.
DSA-244-1 noffle -- buffer overflows
