suppress message -> ISC DHCP has reached end-of-life
-
@tgl said in suppress message -> ISC DHCP has reached end-of-life:
I do not understand why pfSense is labeling ISC as "deprecated" while not admitting that Kea is "alpha-quality".
Easy. They figured out that when you throw ISC DHCP into whatever search engine, you'll see the author of ISC DHCP saying the same thing for a a couple of years now.
Btw : don't worry, this info was actually know by everybody that uses ISC DHCP, like pfSense admins etc. Like everybody knows that Windows 7, 8 and 10 shouldn't be used anymore (and half the planet is still knowingly doing so).
They, ISC, have been working on a new DHCP server KEA for the last several years, and it's production ready.
The only thing that is 'new' and needs some more polishing, is the GUI pfSense front end. KEA, the server, is very usable. The upcoming 24.x and 2.8.x will addresses outstanding issues like DHCP options etc.
As the author of DHCP and KEA says : KEA is usable, but there are some conditions.
So, Netgate decided to relay the info, and have he user base 'play' with them both, and while doing so getting the needed feedback so they know where to prioritize their coding (GUI) attention.@johnpoz types faster ^^
-
ISC DHCP has CVE major issues. VLAN hopping, VLAN leaking unauthorized access. Big issues. Please move to KEA ASAP
Says the guy still running 23.09.01 with ISC..
If my crypto chip worked in 24 I would be running KEA in a second -
@JonathanLee and were are these so called major CVEs - please link to them.. I don't see how some application could have anything to do with vlan hoping..
https://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-17706/ISC-Dhcp.html
-
@johnpoz I will have to find it. I remember reading something while in college about it. I think it was a metasploit or something, I will look for it and post info.
-
@JonathanLee if it was such a major CVE, why would it not be listed on the link I posted too? How could a dhcpd be used to hop vlans? Even if it handed you an IP from the wrong scope - that doesn't get you to another vlan.. Most of the CVEs I have seen about isc dhcpd have been related to crashing dhcpd and causing some sort of dos..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
https://www.cisa.gov/news-events/alerts/2024/02/13/isc-releases-security-advisories-bind-9
It’s related to bind
I have seen something a couple years ago, it was on vulnhub and or a metasploit. Leaking memory and accessing other vlans
Trust me it is out there…
Older versions of pen testing software something had it.
-
https://kb.isc.org/docs/cve-2022-2929
Leaking memory one, this one too. I don’t think KEA has the same issues.
-
@JonathanLee said in suppress message -> ISC DHCP has reached end-of-life:
tps://kb.isc.org/docs/cve-2022-2929
And the fix for that is 4.4.3-P1, which is what is currently used in 23.09.1
What does bind have to do with users moving to kea? If your going to try and scare people - "ISC DHCP has CVE major issue" "Please move to KEA ASAP"
For gosh sake have some actual credible reason..
-
@johnpoz did it work? Are you using KEA? :)
-
@JonathanLee hahaha, no I am not using kea.. You making jokes now - hahah
-
I'm not using Kea on my local router either. Yet. There's nothing exploitable I'm aware of in ISC that I'm worried about. Also yet!
-
See I fixed it no error :)
-
@JonathanLee I was on ISC to start with and someone here suggested it because .. it's going to be depreciated RSN (real soon now)
Then I read (as I was considering going back to KEA since ISC didn't resolve my issue and I read a few reports that going back breaks a bunch of stuff leaving you to do it all over again from the beginning.
Since I'm in sponge mode currently .. I want to resolve all the lil things I have going on and sort out my understanding of firewall rules before "doing it over again"
-
@Tacyon if your on pfSense plus just create a boot environment to test with and after if it doesn’t work just go back to that BE. I really like the BE I play with stuff all the time and I am able to quickly normalize a stable version at the push of a button for my family when they are home
-
@Tacyon ISC was an amazing set of software. I wonder what made that team so successful for so long. It’s got to come down to a great team of people they had. I hope that pfSense can get some of those programmers to help out one day. Who knows why it is depreciated. It worked well for a long time, still does. Again the longer it goes with no updates the more vulnerable it will become.
Make sure to upvote
-
@JonathanLee Kea is ISC's follow-on to their old DHCP code; it's not like those people just disappeared into the ether. You can read their statement about the differences between the products here.
TBH, my take on it is that they felt they needed to have some proprietary add-on products, which the ISC DHCP codebase and licensing didn't really leave any room for. That's fine though, at the end of the day we all need to make some money.
-
@JonathanLee said in suppress message -> ISC DHCP has reached end-of-life:
ISC was an amazing set of software. I wonder what made that team so successful for so long.
Kea is produced by the same ISC group, so not sure what you mean. It's mostly the exact same folks. And ISC is the name of the company, not the software name.
ISC produces a DHCP server, a DHCP client, the BIND name server daemon, and now Kea to replace the aging DHCP server. Here is their website: https://www.isc.org/ showing their products (scroll down the page a bit).
-
@JonathanLee - nope ... 2.7.2 CE from Dec of last year.
