
RE: OpenBSD & DHCP root exploit (fwd)



The DHCP exploit requires the DHCP server to be compromised. If your DHCP
server is running OpenBSD, then using DHCP in OpenBSD does not open up a
hole in your security. If your DHCP server is running something else, then
it is that OS's vulnerabilities that you should worry about.

-----Original Message-----
From: Luke Bakken [mailto:lbakken_(_at_)_ics-server_(_dot_)_interface-net_(_dot_)_com]
Sent: Friday, July 21, 2000 3:15 PM
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: OpenBSD & DHCP root exploit (fwd)


Fellow OpenBSD users,

Do we care about this?

Or is this kind of thing none of our business?

The article I'm talking about is:
http://www.securityportal.com/topnews/weekly/bsd20000717.html

Thanks,
Luke

---------- Forwarded message ----------
Date: Fri, 21 Jul 2000 12:32:31 -0600
From: Kurt Seifried <seifried_(_at_)_securityportal_(_dot_)_com>
To: Luke Bakken <luke_bakken_(_at_)_yahoo_(_dot_)_com>
Subject: Re: OpenBSD & DHCP root exploit

> Re:
>
> "It has just occurred to me that there was a remote
> root hack in OpenBSD via the DHCP client, which is
> quite commonly installed by default. Does this mean
> OpenBSD's "Three years without a remote hole in the
> default install!" needs to be reset?"
>
> I would suspect not, for the same reason that the ftpd
> exploit does not require the "three year" claim to be
> reset. Even though ftpd is part of the default
> installation, it requires the administrator to turn it
> on and provide anonymous FTP access, neither of which
> are on in the default install. Likewise, DHCP requires
> the administrator to use it (during the installation
> process). Now, I recognize that this is a finer point,
> since one would have to be aware of the exploit during
> installation to avoid using the DHCP client, but the
> claim to a secure default install is still valid,
> since the decision to use DHCP, like anonymous FTP, is
> still the administrator's (and the scenario of a
> 'pure' default installation is one in which the most
> basic setup is used: a static IP address). I would
> hope responsible admins read their respective OS's
> errata before installing the product and making it
> publicly available.

I think that's a load of bollocks. There's no other way to put it. During
install I am given a choice of dhcp or static, and (like most admins) I use
dhcp to manage my workstations. I think claiming that using dhcp is not a
default, hence OpenBSD has no holes, is a load of manure. But that's just me.
I can see this attitude being semi-valid on the xlock password issue, but on
this one, nuh-uh.

> I'm sure you've already received email on this
> subject, but thank you for your time,
> Luke Bakken
> OpenBSD admin.

-Kurt
