CERT Warns Of New Security FlawCERT Warns Of New Security Flaw

The CERT Coordination Center is warning of a potentially serious security vulnerability that affects Dynamic Host Configuration Protocol Daemon (DHCPD) servers. The vulnerability could let a remote hacker run code on servers.

The DHCPD, used to allocate network addresses and assign configuration parameters to hosts, is provided by the Internet Software Consortium. The vulnerability, announced late Wednesday, is in the way the DHCP server processes an acknowledgement response sent by DNS servers. More information can be found in CERT Advisory CA-2002-12.

The CERT Advisory warns that some of the mitigation steps it recommends "may have significant impact on your normal network operations." CERT advises users to apply vendor patches, if available.

Systems potentially vulnerable include ISC DHCPD 3.0to 3.0.1rc8. Networking vendors Alcatel and Conectiva say they'll provide fixes for affected systems. F5 Networks, IBM, Lotus Development, Microsoft, NetBSD, and Silicon Graphics aren't affected, CERT says.