Vigil@nce - ISC DHCP: denial of service via Relay-Forward
November 2010 by Marc Jacob
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can send a malicious DHCPv6 packet, in order to stop
ISC DHCP.
Severity: 1/4
Creation date: 03/11/2010
DESCRIPTION OF THE VULNERABILITY
The RFC 3315 defines the DHCPv6 protocol for IPv6. The
Relay-forward message tracks forwarded DHCPv6 packets:
– msg-type : RELAY-FORW value
– hop-count : number of relays
– link-address : network address of the client
– peer-address : address of the last sender
– options
When the link-address field is empty, the shared_network_from_packet6()
function of the server/dhcpv6.c file dereferences a NULL pointer,
which stops the ISC DHCP server.
An attacker can therefore send a malicious DHCPv6 packet, in order
to stop ISC DHCP.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/ISC-DHCP-denial-of-service-via-Relay-Forward-10094