RE: OpenBSD & DHCP root exploit (fwd)
- To: lbakken_(_at_)_ics-server_(_dot_)_interface-net_(_dot_)_com, misc_(_at_)_openbsd_(_dot_)_org
- Subject: RE: OpenBSD & DHCP root exploit (fwd)
- From: lee_(_dot_)_wendel_(_at_)_gecits_(_dot_)_ge_(_dot_)_com
- Date: Fri, 21 Jul 2000 15:22:31 -0400
The DHCP exploit requires the DHCP server to be compromised. If your DHCP
server is running OpenBSD, then using DHCP in OpenBSD does not open up a
hole in your security. If your DHCP server is running something else, then
it is that OS's vulnerabilities that you should worry about.
-----Original Message-----
From: Luke Bakken [mailto:lbakken_(_at_)_ics-server_(_dot_)_interface-net_(_dot_)_com]
Sent: Friday, July 21, 2000 3:15 PM
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: OpenBSD & DHCP root exploit (fwd)
Fellow OpenBSD users,
Do we care about this?
Or is this kind of thing none of our business?
The article I'm talking about is:
http://www.securityportal.com/topnews/weekly/bsd20000717.html
Thanks,
Luke
---------- Forwarded message ----------
Date: Fri, 21 Jul 2000 12:32:31 -0600
From: Kurt Seifried <seifried_(_at_)_securityportal_(_dot_)_com>
To: Luke Bakken <luke_bakken_(_at_)_yahoo_(_dot_)_com>
Subject: Re: OpenBSD & DHCP root exploit
> Re:
>
> "It has just occurred to me that there was a remote
> root hack in OpenBSD via the DHCP client, which is
> quite commonly installed by default. Does this mean
> OpenBSD's "Three years without a remote hole in the
> default install!" needs to be reset?"
>
> I would suspect not, for the same reason that the ftpd
> exploit does not require the "three year" claim to be
> reset. Even though ftpd is part of the default
> installation, it requires the administrator to turn it
> on and provide anonymous FTP access, neither of which
> are on in the default install. Likewise, DHCP requires
> the administrator to use it (during the installation
> process). Now, I recognize that this is a finer point,
> since one would have to be aware of the exploit during
> installation to avoid using the DHCP client, but the
> claim to a secure default install is still valid,
> since the decision to use DHCP, like anonymous FTP, is
> still the administrator's (and the scenario of a
> 'pure' default installation is one in which the most
> basic setup is used: a static IP address). I would
> hope responsible admins read their respective OS's
> errata before installing the product and making it
> publicly available.
I think that's a load of bollocks. There's no other way to put it. During
install I am given a choice of dhcp or static, and (like most admins) I use
dhcp to manage my workstations. I think claiming that using dhcp is not a
default, hence OpenBSD has no holes, is a load of manure. But that's just me.
I can see this attitude being semi-valid on the xlock password issue, but on
this one, nuh-uh.
> I'm sure you've already received email on this
> subject, but thank you for your time,
> Luke Bakken
> OpenBSD admin.
-Kurt