I was screwed over by Cisco managers who enforced India's caste hierarchy on me in US HQ, claims engineer

US govt warns foreign hackers 'will likely try to exploit' critical firewall bypass bug in Palo Alto gear – patch now

The first rule of NoSQL DBaaS club is: You must talk about NoSQL DBaaS club. And Couchbase is in

MongoDB snares ex-Oracle engineering veep and AWS database guru as new CTO

'90s retro resurrection PowerToys hits 0.19, bringing raft of fixes and a final flash from the desktop

Firefox 78: Protections dashboard, new developer features... and the end of the line for older macOS versions

UK lawmakers welcome Microsoft's sack of training pressies for hard-pressed Brits as jobs searches spike

Germany is helping the UK develop its COVID-19 contact-tracing app, says ambassador

Details of Beijing's new Hong Kong security law revealed: Signals end to more than two decades of autonomy

Tune in and watch live right here this week – it's your email encryption wake-up call

Things that happen every four years: Olympic Games, Presidential elections, and now new Mac ransomware

After six months of stonewalling by Apple, app dev goes public with macOS privacy protection bypass

Continuous Lifecycle Online: Just like our London conference – but in your own home. Grab tickets now

Containers to capture 15% of all enterprise apps across 75% of business by 2024

HashiCorp Cloud Platform unveiled – but in private beta for AWS only

Microsoft snubs Service Fabric as it plots to switch Teams infrastructure to Kubernetes

Happy privacy action day in California: If you don't have 'Do not sell my information' in your website footer, you need to read this story right now

Never knowingly under-digitally transformed: Retailer John Lewis outsources tech function to Wipro

Capgemini bags £40m to provide IT and dev support for the UK's Financial Services Compensation Scheme

The internet becomes trademarkable, sort of, with near-unanimous Supreme Court ruling on Booking.com

Hats off to the brave 7%ers who dived into the Windows 10 May 2020 Update within a month of release

Chinese mobe flinger OPPO aims £219 A72 handset at penny-pinching Brit youth

MediaTek trumpets cheap gaming chipsets for strange subset of people who enjoy PUBG on their smartphone

Leaked benchmarks from developer kit for Apple's home-baked silicon appear to give Microsoft a run for its money

Geek's Guide

The Moon certainly ain't made of cheese but it may be made of more metal than previously thought, sensor shows

Born slippy: NASA Mars rover Perseverance to persevere on Earth a little longer as launch date pushed back again

Boffins baffled as supergiant star just vanishes – either it partially blew itself apart or quietly turned into a black hole

Two out of three parachutes... is just as planned for Boeing's Starliner this time around

It's a tough time for digital transformation in the financial services world – but fret not, there’s help at hand

Huawei develops epidemic prevention and control solutions for safer travel

Rental electric scooters to clutter UK street scenes after Department of Transport gives year-long trial the thumbs-up

MIT apologizes, permanently pulls offline huge dataset that taught AI systems to use racist, misogynistic slurs

Verity Stob

Hey, Boeing. Don't celebrate your first post-grounding 737 Max test flight too hard. You just lost another big contract

Someone must be bricking it: UK govt website for first-time home buyers snapped up for £40,000 after left to expire

Now that's a train delay Upminster with which London travellers shall not put

It's National Cream Tea Day and this time we end the age-old debate once and for all: How do you eat yours?

Security

Popular open source DHCP program open to hack attacks

Beware of rogue meta-characters

Thu 7 Apr 2011 // 00:21 UTC 13

Got Tips?

Dan Goodin Bio Email

The makers of the internet's most popular open source DHCP program have warned that it's vulnerable to hacks that allow attackers to remotely execute malicious code on underlying machines.

The flaw, which is present in Internet Systems Consortium's DHCP versions prior to 3.1-ESV-R1, 4.1-ESV-R2, and 4.2.1-P1, stems from the program's failure to block commands that contain certain meta-characters. The vulnerability makes it possible for rogue servers on a targeted network to remotely execute malicious code on the client, the non-profit ISC warned on Tuesday.

ISC advises users to upgrade. Users can in some cases follow workarounds, which include disabling hostname updates or configuring their systems to access only legitimate DHCP servers in settings where access control lists are in place.

Short for Dynamic Host Configuration Protocol, DHCP is a system for automatically assigning computers IP addresses on a given network and helping administrators to keep track of those assignments. ISC says its DHCP program is the most widely used open source DHCP implementation on the Internet.

Sophos has more about the vulnerability here. ®

Tips and corrections

13 Comments

MORE
Security

Keep Reading

To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

Welp, at least that's better than industry averages, says code-hosting biz

Let's authenticate: Beyond Identity pitches app-wrapped certificate authority

Enclave-bound service aims to be another nail in the password coffin

Money laundering and crypto-coin legislation could hurt open-source ecosystem – activists

Rights groups slam UK.gov's customer due diligence plans

Singapore to require smartphone check-ins at all businesses and will log visitors' national identity numbers

Even parks and train stations encouraged to use QR codes. Which may show the limits of Bluetooth contact-tracing!

Europe's digital identity system needs patching after can_we_trust_this function call ignored

ExplicitKeyTrustEvaluator... True, false? Who cares, just accept it anyway

UK.gov drives ever further into Nocluesville, crowdsources how to solve digital identity

Look, we're all of out ideas!

Hack computers to steal someone's identity in China? Why? You can just buy one from a bumpkin for, like, $3k

Black Hat Exploit an 3l33t zero-day and reverse-shell that backend DB proxy server... or simply pay this farmer off

Google Cloud woos the open source crew with cash-rich kisses for coder's compute time

Next '19 SF shindig kicks off with a rocket for Bezos & Co

ABOUT US

SITUATION PUBLISHING

The Register - Independent news and views for the tech community. Part of Situation Publishing

SIGN UP TO OUR NEWSLETTERS

Join our daily or weekly newsletters, subscribe to a specific section or set News alerts

Subscribe

Do not sell my personal information Cookies Privacy Ts&Cs

I was screwed over by Cisco managers who enforced India's caste hierarchy on me in US HQ, claims engineer

US govt warns foreign hackers 'will likely try to exploit' critical firewall bypass bug in Palo Alto gear – patch now

The first rule of NoSQL DBaaS club is: You must talk about NoSQL DBaaS club. And Couchbase is in

MongoDB snares ex-Oracle engineering veep and AWS database guru as new CTO

'90s retro resurrection PowerToys hits 0.19, bringing raft of fixes and a final flash from the desktop

Firefox 78: Protections dashboard, new developer features... and the end of the line for older macOS versions

UK lawmakers welcome Microsoft's sack of training pressies for hard-pressed Brits as jobs searches spike

Germany is helping the UK develop its COVID-19 contact-tracing app, says ambassador

Details of Beijing's new Hong Kong security law revealed: Signals end to more than two decades of autonomy

Tune in and watch live right here this week – it's your email encryption wake-up call

Things that happen every four years: Olympic Games, Presidential elections, and now new Mac ransomware

After six months of stonewalling by Apple, app dev goes public with macOS privacy protection bypass

Continuous Lifecycle Online: Just like our London conference – but in your own home. Grab tickets now

Containers to capture 15% of all enterprise apps across 75% of business by 2024

HashiCorp Cloud Platform unveiled – but in private beta for AWS only

Microsoft snubs Service Fabric as it plots to switch Teams infrastructure to Kubernetes

Happy privacy action day in California: If you don't have 'Do not sell my information' in your website footer, you need to read this story right now

Never knowingly under-digitally transformed: Retailer John Lewis outsources tech function to Wipro

Capgemini bags £40m to provide IT and dev support for the UK's Financial Services Compensation Scheme

The internet becomes trademarkable, sort of, with near-unanimous Supreme Court ruling on Booking.com

Hats off to the brave 7%ers who dived into the Windows 10 May 2020 Update within a month of release

Chinese mobe flinger OPPO aims £219 A72 handset at penny-pinching Brit youth

MediaTek trumpets cheap gaming chipsets for strange subset of people who enjoy PUBG on their smartphone

Leaked benchmarks from developer kit for Apple's home-baked silicon appear to give Microsoft a run for its money

The Moon certainly ain't made of cheese but it may be made of more metal than previously thought, sensor shows

Born slippy: NASA Mars rover Perseverance to persevere on Earth a little longer as launch date pushed back again

Boffins baffled as supergiant star just vanishes – either it partially blew itself apart or quietly turned into a black hole

Two out of three parachutes... is just as planned for Boeing's Starliner this time around

It's a tough time for digital transformation in the financial services world – but fret not, there’s help at hand

Huawei develops epidemic prevention and control solutions for safer travel

Rental electric scooters to clutter UK street scenes after Department of Transport gives year-long trial the thumbs-up

MIT apologizes, permanently pulls offline huge dataset that taught AI systems to use racist, misogynistic slurs

Hey, Boeing. Don't celebrate your first post-grounding 737 Max test flight too hard. You just lost another big contract

Someone must be bricking it: UK govt website for first-time home buyers snapped up for £40,000 after left to expire

Now that's a train delay Upminster with which London travellers shall not put

It's National Cream Tea Day and this time we end the age-old debate once and for all: How do you eat yours?

Security

Popular open source DHCP program open to hack attacks

Beware of rogue meta-characters

Most Read

'It's really hard to find maintainers...' Linus Torvalds ponders the future of Linux

MIT apologizes, permanently pulls offline huge dataset that taught AI systems to use racist, misogynistic slurs

It’s happened again: AT&T sued for allegedly transferring victim's number to thieves in $1.9m cryptocoin heist

LibreOffice slips out another 7.0 beta: Spreadsheets close gap with Excel while macOS users treated to new icons

After six months of stonewalling by Apple, app dev goes public with macOS privacy protection bypass

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Keep Reading

To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

Let's authenticate: Beyond Identity pitches app-wrapped certificate authority

Money laundering and crypto-coin legislation could hurt open-source ecosystem – activists

Singapore to require smartphone check-ins at all businesses and will log visitors' national identity numbers

Europe's digital identity system needs patching after can_we_trust_this function call ignored

UK.gov drives ever further into Nocluesville, crowdsources how to solve digital identity

Hack computers to steal someone's identity in China? Why? You can just buy one from a bumpkin for, like, $3k

Google Cloud woos the open source crew with cash-rich kisses for coder's compute time

Tech Resources

Managing Threat Intelligence Playbook

Unlocking the Cloud-Native Data Layer

Comprehensive Kubernetes Observability at Scale

Guide to Antivirus (AV) Replacement

ABOUT US

MORE CONTENT

SITUATION PUBLISHING

SIGN UP TO OUR NEWSLETTERS