Allele Security Alert
ASA-2019-00001
Identifier(s)
ASA-2019-00001, FreeBSD-SA-18:15.bootpd, CVE-2018-17161
Title
bootpd buffer overflow
Vendor(s)
The FreeBSD Project
Product(s)
FreeBSD
Affected version(s)
All supported versions of FreeBSD.
Fixed version(s)
stable/12, 12.0-STABLE
releng/12.0, 12.0-RELEASE-p1
stable/11, 11.2-STABLE
releng/11.2, 11.2-RELEASE-p7
Proof of concept
Unknown
Description
Due to insufficient validation of network-provided data it may be possible for a malicious attacker to craft a bootp packet which could cause a stack buffer overflow.
It is possible that the buffer overflow could lead to a Denial of Service or remote code execution.
Technical details
File: libexec/bootpd/bootpd.c
---
PRIVATE void
handle_request()
{
	struct bootp *bp = (struct bootp *) pktbuf;
	struct host *hp = NULL;
	struct host dummyhost;
	int32 bootsize = 0;
	unsigned hlen, hashcode;
	int32 dest;
	char realpath[1024];
	char *clntpath;
	char *homedir, *bootfile;
	int n;
...
	if (bp->bp_htype >= hwinfocnt) {
		report(LOG_NOTICE, "bad hw addr type %u", bp->bp_htype);
		return;
	}
...
}
---
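The excerpt above rejects a request whose bp_htype is not below hwinfocnt. The following is an added example, not FreeBSD's code and not part of the advisory, showing that validation pattern in isolation: a network-supplied type is range-checked before it is allowed to select a per-type length for a copy into a fixed-size buffer. The table contents, struct request, HADDR_BUF_LEN, hwinfo_tbl and copy_hw_addr are assumptions made for illustration; only the name hwinfocnt is taken from the excerpt.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HADDR_BUF_LEN 16	/* assumed size of the fixed destination buffer */

/* Constructed table: hardware address length indexed by hardware type. */
struct hwinfo { unsigned hlen; const char *name; };
static const struct hwinfo hwinfo_tbl[] = {
	{ 0, "Reserved" }, { 6, "Ethernet" }, { 1, "Experimental" },
};
static const unsigned hwinfocnt = sizeof(hwinfo_tbl) / sizeof(hwinfo_tbl[0]);

/* Constructed stand-in for the request fields that matter here. */
struct request { uint8_t htype; uint8_t chaddr[HADDR_BUF_LEN]; };

/*
 * Copy the client hardware address into dst (HADDR_BUF_LEN bytes).
 * Returns the number of bytes copied, or -1 if the request is rejected.
 */
int
copy_hw_addr(const struct request *rq, uint8_t *dst)
{
	unsigned hlen;

	/* Reject the type before it is used as a table index. */
	if (rq->htype >= hwinfocnt)
		return -1;

	hlen = hwinfo_tbl[rq->htype].hlen;

	/* Second guard: a table entry must never exceed the destination. */
	if (hlen == 0 || hlen > HADDR_BUF_LEN)
		return -1;

	memcpy(dst, rq->chaddr, hlen);
	return (int)hlen;
}
```

Without the first check, an out-of-range type would read past the end of the table and whatever value it found there would become the copy length.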
Credits
Reno Robert
Reference(s)
FreeBSD-SA-18:15.bootpd
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:15.bootpd.asc
[base] Revision 342228
https://svnweb.freebsd.org/base?view=revision&revision=r342228
bootpd remote vulnerability
https://marc.info/?l=bugtraq&m=91278867118128&w=2
CVE-2018-17161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17161
CVE-2018-17161
https://nvd.nist.gov/vuln/detail/CVE-2018-17161
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 11, 2019