A new vulnerability has been found in a popular open-source dhclient software, says the Internet Systems Consortium (ISC), a non-profit company that develops reference implementations of core Internet protocols such as BIND, DHCP server and client software. Windows and Mac OS X users are not affected by the flaw, though Linux, FreeBSD and other Unix-like variants could be exposed to the risk of remote code execution.

The security vulnerability can be exploited either by a rogue DHCP server, or by one that has been compromised, says security vendor Sophos. This is because the ISC dhclient failed to strip or escape certain shell meta-characters. The result is that shell code can be embedded in DHCP hostname replies to clients and executed with the privileges of the dhclient process. The flaw exists in versions prior to 3.1-ESV-R1, 4.1-ESV-R2 and 4.2.1-P1. As it is expected to take some time before the bug is fixed in all affected Linux distributions, administrators will probably want to check out the mitigation steps outlined in by the ISC in its advisory.

For more on this story:
- check out this blog at Sophos
- check out this article at eWeek

Related Articles:
RSA tells more about SecurID breach 
Firefox add-on Firesheep facilitates hijacking of Facebook, Twitter sessions 
New class of cyber attacks sidesteps existing defenses, says security vendor