Debian Local Security Checks : Debian: Security Advisory (DSA-4133-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.704133

Category: Debian Local Security Checks

Title: Debian: Security Advisory (DSA-4133-1)

Summary: The remote host is missing an update for the Debian 'isc-dhcp' package(s) announced via the DSA-4133-1 advisory.

Description: Summary:
The remote host is missing an update for the Debian 'isc-dhcp' package(s) announced via the DSA-4133-1 advisory.

Vulnerability Insight:
Several vulnerabilities have been discovered in the ISC DHCP client, relay and server. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2017-3144

It was discovered that the DHCP server does not properly clean up closed OMAPI connections, which can lead to exhaustion of the pool of socket descriptors available to the DHCP server, resulting in denial of service.

CVE-2018-5732

Felix Wilhelm of the Google Security Team discovered that the DHCP client is prone to an out-of-bound memory access vulnerability when processing specially constructed DHCP options responses, resulting in potential execution of arbitrary code by a malicious DHCP server.

CVE-2018-5733

Felix Wilhelm of the Google Security Team discovered that the DHCP server does not properly handle reference counting when processing client requests. A malicious client can take advantage of this flaw to cause a denial of service (dhcpd crash) by sending large amounts of traffic.

For the oldstable distribution (jessie), these problems have been fixed in version 4.3.1-6+deb8u3.

For the stable distribution (stretch), these problems have been fixed in version 4.3.5-3+deb9u1.

We recommend that you upgrade your isc-dhcp packages.

For the detailed security status of isc-dhcp please refer to its security tracker page at: [link moved to references]

Affected Software/OS:
'isc-dhcp' package(s) on Debian 8, Debian 9.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2017-3144
BugTraq ID: 102726
http://www.securityfocus.com/bid/102726
Debian Security Information: DSA-4133 (Google Search)
https://www.debian.org/security/2018/dsa-4133
RedHat Security Advisories: RHSA-2018:0158
https://access.redhat.com/errata/RHSA-2018:0158
http://www.securitytracker.com/id/1040194
https://usn.ubuntu.com/3586-1/
Common Vulnerability Exposure (CVE) ID: CVE-2018-5732
Common Vulnerability Exposure (CVE) ID: CVE-2018-5733
BugTraq ID: 103188
http://www.securityfocus.com/bid/103188
https://lists.debian.org/debian-lts-announce/2018/03/msg00015.html
RedHat Security Advisories: RHSA-2018:0469
https://access.redhat.com/errata/RHSA-2018:0469
RedHat Security Advisories: RHSA-2018:0483
https://access.redhat.com/errata/RHSA-2018:0483
http://www.securitytracker.com/id/1040437
https://usn.ubuntu.com/3586-2/

Copyright Copyright (C) 2018 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.704133
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DSA-4133-1)
Summary:	The remote host is missing an update for the Debian 'isc-dhcp' package(s) announced via the DSA-4133-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'isc-dhcp' package(s) announced via the DSA-4133-1 advisory. Vulnerability Insight: Several vulnerabilities have been discovered in the ISC DHCP client, relay and server. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2017-3144 It was discovered that the DHCP server does not properly clean up closed OMAPI connections, which can lead to exhaustion of the pool of socket descriptors available to the DHCP server, resulting in denial of service. CVE-2018-5732 Felix Wilhelm of the Google Security Team discovered that the DHCP client is prone to an out-of-bound memory access vulnerability when processing specially constructed DHCP options responses, resulting in potential execution of arbitrary code by a malicious DHCP server. CVE-2018-5733 Felix Wilhelm of the Google Security Team discovered that the DHCP server does not properly handle reference counting when processing client requests. A malicious client can take advantage of this flaw to cause a denial of service (dhcpd crash) by sending large amounts of traffic. For the oldstable distribution (jessie), these problems have been fixed in version 4.3.1-6+deb8u3. For the stable distribution (stretch), these problems have been fixed in version 4.3.5-3+deb9u1. We recommend that you upgrade your isc-dhcp packages. For the detailed security status of isc-dhcp please refer to its security tracker page at: [link moved to references] Affected Software/OS: 'isc-dhcp' package(s) on Debian 8, Debian 9. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2017-3144 BugTraq ID: 102726 http://www.securityfocus.com/bid/102726 Debian Security Information: DSA-4133 (Google Search) https://www.debian.org/security/2018/dsa-4133 RedHat Security Advisories: RHSA-2018:0158 https://access.redhat.com/errata/RHSA-2018:0158 http://www.securitytracker.com/id/1040194 https://usn.ubuntu.com/3586-1/ Common Vulnerability Exposure (CVE) ID: CVE-2018-5732 Common Vulnerability Exposure (CVE) ID: CVE-2018-5733 BugTraq ID: 103188 http://www.securityfocus.com/bid/103188 https://lists.debian.org/debian-lts-announce/2018/03/msg00015.html RedHat Security Advisories: RHSA-2018:0469 https://access.redhat.com/errata/RHSA-2018:0469 RedHat Security Advisories: RHSA-2018:0483 https://access.redhat.com/errata/RHSA-2018:0483 http://www.securitytracker.com/id/1040437 https://usn.ubuntu.com/3586-2/
Copyright	Copyright (C) 2018 Greenbone AG