CVE-2011-0997

Name of the Vulnerable Software and Affected Versions ISC DHCP versions 3.0.x through 4.2.x before 4.2.1-P1 ISC DHCP 3.1-ESV before 3.1-ESV-R1 ISC DHCP 4.1-ESV before 4.1-ESV-R2 dhcp before version 4.2.4 p2

Description The issue allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message. This can be demonstrated by a hostname that is provided to dhclient-script. Multiple vulnerabilities in the dhcp package can lead to disruption of protected information and can be exploited remotely.

Recommendations For ISC DHCP versions 3.0.x through 4.2.x before 4.2.1-P1, update to version 4.2.1-P1 or later. For ISC DHCP 3.1-ESV before 3.1-ESV-R1, update to version 3.1-ESV-R1 or later. For ISC DHCP 4.1-ESV before 4.1-ESV-R2, update to version 4.1-ESV-R2 or later. For dhcp before version 4.2.4 p2, update to version 4.2.4 p2 or later. As a temporary workaround, consider restricting the use of the dhclient-script until a patch is available. Avoid using hostnames that may contain shell metacharacters in the affected DHCP message.