Fred Stluka on 26 Sep 2014 09:16:53 -0700



Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security


So, forget servers for a second.  Let's talk clients (phones
and laptops).

Does that mean my laptop and my Android phone are
vulnerable (if their DHCP clients use bash) whenever I
walk into a Wegmans, Starbucks, client site, computer
conference, friend's house, etc., when their DHCP
clients connect to the local wireless router?

That's a much bigger concern than the server issue.
There are LOTS more clients than servers in the world,
and almost all of them have sensitive data.

--Fred
------------------------------------------------------------------------
Fred Stluka -- mailto:fred@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
------------------------------------------------------------------------
On 9/26/14 12:00 PM, Rich Freeman wrote:
On Fri, Sep 26, 2014 at 11:52 AM, Matt Mossholder <matt@mossholder.com> wrote:
DHCP Clients do choose servers, but only from the set of servers that have
responded to a DHCP Discover request.

The steps are:
1) Client sends out a discover request. (DISCOVER)
Sent to a broadcast address.

2) All DHCP servers that receive the request will respond back (OFFER)
Again, sent to a broadcast address.

3) The client will choose a server to respond to, and ask for a lease.
(REQUEST)
Again, sent to a broadcast address.

4) The selected server replies back with a lease. (ACK)
Or any other malicious server that wants to spoof the reply from the
selected server could do so, having intercepted all the other traffic
above.

At least, that is how I read the spec.  And of course ANY host on the
network can respond to the initial discover even if they're following
the rest of the spec.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
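The four-step exchange and the spoofing caveat above, modelled as an added example (not code from the thread or from any real DHCP client): the client picks among the OFFERs that answered its own DISCOVER, a typical xid-plus-server-identifier check on the ACK still accepts a forged ACK that copies the chosen server's identifier, and an allow-list check on OFFER sources (what DHCP snooping automates on a switch) flags the rogue responder. Option numbers 53 and 54 are from RFC 2132; the addresses and transaction id are constructed sample data.

```python
from dataclasses import dataclass, field

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message-type values (RFC 2132)

@dataclass
class DhcpMsg:
    xid: int                                     # transaction id picked by the client
    yiaddr: str = "0.0.0.0"                      # address offered / assigned
    options: dict = field(default_factory=dict)  # option code -> value (54 = server id)

    @property
    def mtype(self): return self.options.get(53)
    @property
    def server_id(self): return self.options.get(54)

def make(xid, mtype, server_id=None, yiaddr="0.0.0.0"):
    opts = {53: mtype, **({54: server_id} if server_id else {})}
    return DhcpMsg(xid, yiaddr, opts)

def choose_offer(xid, wire):
    """Step 3: the client picks among the OFFERs that answered its own DISCOVER."""
    offers = [m for m in wire if m.xid == xid and m.mtype == OFFER]
    return offers[0] if offers else None   # most clients simply take the first

def accept_ack(ack, xid, chosen_server):
    """Step 4 as a typical client checks it: xid and server identifier must match."""
    return ack.xid == xid and ack.mtype == ACK and ack.server_id == chosen_server

def rogue_offer_sources(wire, allowed_servers):
    """Monitor-side check (what DHCP snooping automates): OFFERs whose server
    identifier is not on the allow-list come from a host that should not answer."""
    return sorted({m.server_id for m in wire
                   if m.mtype == OFFER and m.server_id not in allowed_servers})

# Constructed traffic on one shared segment: the legitimate server 10.0.0.1 and a
# rogue host 10.0.0.66 both hear the broadcast DISCOVER and both answer.
XID = 0x3903F326
WIRE = [make(XID, DISCOVER),
        make(XID, OFFER, "10.0.0.1", "10.0.0.50"),    # legitimate OFFER
        make(XID, OFFER, "10.0.0.66", "10.0.0.99")]   # rogue OFFER
CHOSEN = choose_offer(XID, WIRE).server_id            # client settles on 10.0.0.1
WIRE.append(make(XID, REQUEST, CHOSEN))               # REQUEST is broadcast too
# The rogue host saw the REQUEST, so it can forge an ACK that copies the chosen
# server's identifier: this is the spoof Rich describes, and accept_ack passes it.
REAL_ACK = make(XID, ACK, "10.0.0.1", "10.0.0.50")
SPOOFED_ACK = make(XID, ACK, "10.0.0.1", "10.0.0.99")
```

The client-side check alone cannot tell REAL_ACK from SPOOFED_ACK; only something that sees the whole segment (rogue_offer_sources, or a switch doing DHCP snooping) can spot the extra responder.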
