Vigil@nce - ISC DHCP: denials of service
August 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send two malicious packets to an ISC DHCP server,
in order to stop it.
Severity: 2/4
Creation date: 11/08/2011
IMPACTED PRODUCTS
– Debian Linux
– Mandriva Corporate
– Mandriva Enterprise Server
– Mandriva Linux
– Red Hat Enterprise Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The BOOTP and DHCP protocols use compatible packet formats:
– 40 bytes: common headers
– sname (64 bytes): server name
– file (128 bytes): boot file name
– options (variable size): options (called the "vendor-specific area"
in RFC 951, the BOOTP specification, and limited to 64 bytes for BOOTP)
However, the ISC DHCP server does not correctly handle the sizes of
these fields.
When a DHCP/BOOTP packet is too short to contain the sname/file fields,
the got_one() function of the common/discover.c file still tries to
access them, so an invalid memory read occurs. [severity:2/4]
The cons_options() function of the common/options.c file does not
correctly compute the size of the BOOTP "vendor-specific area" field
when it has to be truncated to 64 bytes. The ack_lease() function of
the server/dhcp.c file does not check whether the options pointer is
NULL before dereferencing it. [severity:2/4]
An attacker can therefore send two malicious packets to an ISC DHCP
server in order to stop it.
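As an added example (not ISC DHCP's own code), a receive-side C parser that applies the checks this bulletin describes as missing: it bound-checks the packet length before touching sname/file, fills a BOOTP-size vendor area with a correctly computed truncated length, and treats absent options as NULL rather than dereferencing them. Field offsets follow the RFC 951/RFC 2131 layout; the sample packets are constructed zero-filled buffers, not captured traffic.

```c
#include <stdint.h>
#include <string.h>

/* Fixed BOOTP/DHCP layout (RFC 951 / RFC 2131), byte offsets. */
#define BOOTP_SNAME_OFF 44    /* sname follows op..chaddr            */
#define BOOTP_FILE_OFF  108   /* file follows the 64-byte sname      */
#define BOOTP_FIXED_LEN 236   /* options / vendor area starts here   */
#define BOOTP_VEND_LEN  64    /* RFC 951 vendor-specific area limit  */
enum { PKT_OK = 0, PKT_TOO_SHORT = -1 };
struct bootp_view {
    const uint8_t *sname, *file;  /* valid only when PKT_OK is returned */
    const uint8_t *options;       /* NULL when the packet carries none  */
    size_t options_len;
};
/* Bound-check the length BEFORE reaching for sname/file (the check the
 * bulletin says got_one() lacked): short packets are rejected, not read. */
int parse_bootp(const uint8_t *pkt, size_t len, struct bootp_view *v)
{
    memset(v, 0, sizeof *v);
    if (len < BOOTP_FIXED_LEN)
        return PKT_TOO_SHORT;
    v->sname = pkt + BOOTP_SNAME_OFF;
    v->file  = pkt + BOOTP_FILE_OFF;
    if (len > BOOTP_FIXED_LEN) {          /* any option bytes at all? */
        v->options     = pkt + BOOTP_FIXED_LEN;
        v->options_len = len - BOOTP_FIXED_LEN;
    }
    return PKT_OK;
}
/* Fill a BOOTP-size vendor area: truncate to 64 bytes and return the count
 * actually written (the size cons_options() miscomputed). A NULL source,
 * i.e. no options, yields an empty area instead of a dereference. */
size_t fill_vendor_area(uint8_t dst[BOOTP_VEND_LEN], const uint8_t *src, size_t n)
{
    memset(dst, 0, BOOTP_VEND_LEN);
    if (src == NULL) return 0;
    if (n > BOOTP_VEND_LEN) n = BOOTP_VEND_LEN;
    memcpy(dst, src, n);
    return n;
}
/* Constructed sample (zero-filled, not captured traffic): parse a len-byte
 * packet and return PKT_TOO_SHORT or the vendor bytes a reply would copy. */
long sample_run(size_t len)
{
    uint8_t pkt[512] = {0}, vend[BOOTP_VEND_LEN];
    struct bootp_view v;
    if (len > sizeof pkt) len = sizeof pkt;
    if (parse_bootp(pkt, len, &v) != PKT_OK) return PKT_TOO_SHORT;
    return (long)fill_vendor_area(vend, v.options, v.options_len);
}
```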
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/ISC-DHCP-denials-of-service-10915