Date: Wed, 06 Apr 2011 19:09:55 +0200 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security <oss-security@...ts.openwall.com>, Jiri Popelka <jpopelka@...hat.com> Subject: CVE Request -- dhcp: DoS (excessive CPU use) by opening an OMAPI connection Hello Josh, Steve, vendors, A security flaw was found in the way DHCP (Dynamic Host Configuration Protocol) server processed remote connections when the dhcpd was configured to provide Object Management API (OMAPI) capability. A remote attacker could use this flaw to cause denial of service (excessive CPU use and dhcpd daemon unreachability). References:  https://bugzilla.novell.com/show_bug.cgi?id=680298  https://lists.isc.org/pipermail/dhcp-users/2011-February/012780.html  https://lists.isc.org/pipermail/dhcp-users/2011-February/012781.html  https://bugzilla.redhat.com/show_bug.cgi?id=666441  http://www.mentby.com/Group/dhcp-users/omapi-not-working-in-420.html Note: Though looks as minor / low severity issue, under proper configuration looks to be a way, how to get dhcpd completely unresponsive for further requests. Could you allocate a CVE id for this? (though opened for discussion if this being more to be a bug, than a real security issue). Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.