| Summary: | CVE-2016-2774 dhcp: unclosed TCP connections to OMAPI or failover ports can cause DoS | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | carnil, jpopelka, sardella, security-response-team, slawomir, slong, tfrazier |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | dhcp 4.3.4, dhcp 4.1-ESV-R13 | Doc Type: | Bug Fix |
| Doc Text: | A resource-consumption flaw was discovered in the DHCP server. dhcpd did not restrict the number of open connections to OMAPI and failover ports. A remote attacker able to establish TCP connections to one of these ports could use this flaw to cause dhcpd to exit unexpectedly, stop responding to requests, or exhaust system sockets (denial of service). | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-08 02:49:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1315614, 1329194 | | |
| Bug Blocks: | 1315262, 1323912 | | |
Description

Adam Mariš
2016-03-07 11:49:23 UTC

Acknowledgments: Name: ISC

Created dhcp tracking bugs for this issue: Affects: fedora-all [bug 1315614]

Upstream commit: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commitdiff;h=0b209ea5cc333255e055113fa2ad636dda681a21

From 4.3.4b1 announcement:

As mentioned in the recent security announcement we found an issue with our handling of excessive numbers of connections. While we believe the best idea is for people to properly secure their DHCP servers (disable OMAPI if not in use, use firewalls to limit access to OMAPI and failover ports and use process limits to restrict the resources the servers can use) we have added code to limit the number of connections a server will allow. We have chosen 200 as the default number which should be large enough for most configurations. You may adjust this value by editing includes/site.h and changing the value of MAX_FD_VALUE. A value of 0 means unlimited. We will be evaluating the connection code in more detail in the future and may change how this works. [ISC-Bugs #41845]

As noted in the upstream advisory, this issue only affects configurations that either enable the OMAPI (Object Management API) port or use DHCP failover. Neither of those is default or commonly used. The dhcp packages in Red Hat Enterprise Linux do not include any default configuration, as it is network / deployment specific. The default dhcpd.conf points users to an example configuration file stored in /usr/share/doc/dhcp*. Examples included in the dhcp packages do not include any OMAPI or failover configuration.

DHCP failover can be configured between two DHCP servers. The relevant configuration directive is "failover". The failover port (647 is the default port reserved for DHCP failover, but dhcpd can be configured to use another port) is only expected to be accessed by the configured failover peer. Additionally, the upstream advisory notes that connections from any IP other than the one configured as the failover peer are dropped, making it difficult to exploit this issue using the failover port. This issue can also be mitigated by configuring firewall / iptables restrictions and only allowing access to the failover port from the IP address of the configured failover peer. ISC / upstream knowledge base articles with basic information about DHCP failover and its configuration:

https://kb.isc.org/article/AA-01356/56/What-is-DHCP-Failover.html
https://kb.isc.org/article/AA-00502/31/A-Basic-Guide-to-Configuring-DHCP-Failover.html

The OMAPI interface can be used to query or modify the status of a running DHCP server. It is enabled using the "omapi-port" configuration directive. The default port number is 7911. If the OMAPI interface is not actively used, it should be disabled. Otherwise, access to the OMAPI port can be restricted by firewall / iptables configuration. Typically, only a few other trusted hosts need access to OMAPI, such as monitoring or configuration management stations. If access cannot be restricted to a few trusted IPs, this issue can be mitigated by limiting the number of connections to the OMAPI port, for example using the connlimit iptables extension. ISC / upstream knowledge base article with recommendations on how to secure the OMAPI interface:

https://kb.isc.org/article/AA-01355/56/Securing-dhcpd-against-unauthorised-OMAPI-control-connections.html

Red Hat knowledge base article with a few examples of connlimit use:

https://access.redhat.com/solutions/32776

As typical dhcpd configurations do not use OMAPI and failover, they are not affected by this issue. The dhcpd configuration can be checked for the use of the "failover" and "omapi-port" directives to detect possibly affected deployments. Note that when the dhcpd configuration is stored in LDAP, it is not sufficient to only search the dhcpd.conf file for those directives. The netstat tool can also be used to check if dhcpd has any open TCP sockets.

dhcp-4.3.3-9.P1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

dhcp-4.3.4-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

dhcp-4.3.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2590 https://rhn.redhat.com/errata/RHSA-2016-2590.html
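The report's detection advice (check dhcpd.conf for the "omapi-port" and "failover" directives) and its mitigation advice (restrict the failover port to the peer, cap OMAPI connections with the iptables connlimit extension) can be turned into a small audit script. The following is an added example written for this page; it is not part of the bug report, the dhcp package or Red Hat's tooling. It assumes the configuration is a plain file (LDAP-stored configuration, as the report notes, must be checked separately), the sample dhcpd.conf it writes is constructed for the example, the connlimit threshold of 10 is an assumed value, and `<peer-address>` is a placeholder for the configured failover peer:

```shell
#!/bin/sh
# Added example, not part of this bug report or of the dhcp package: audit a
# dhcpd.conf for the two directives the report names as preconditions for
# CVE-2016-2774 ("omapi-port" and "failover") and print the iptables rule
# shapes the report suggests as mitigations. The sample config below is
# constructed for the example; the connlimit threshold (10) is an assumed value.
# Only plain-file configs are covered; LDAP-stored configuration is out of scope.

# Drop '#' comments and blank lines so commented-out directives are ignored.
dhcpd_conf_active_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Print the TCP port given by "omapi-port N;", or nothing when OMAPI is off.
omapi_port() {
    dhcpd_conf_active_lines "$1" \
      | sed -n 's/^[[:space:]]*omapi-port[[:space:]]\{1,\}\([0-9]\{1,\}\)[[:space:]]*;.*/\1/p' \
      | head -n 1
}

# Print the local listening port of every 'failover peer "name" { ... }'
# declaration (647 when the block has no "port" statement). References such
# as 'failover peer "name";' inside a pool are not declarations and are skipped.
failover_ports() {
    dhcpd_conf_active_lines "$1" | awk '
        /^[ \t]*failover[ \t]+peer[ \t]+.*[{]/ { inpeer = 1; port = ""; next }
        inpeer && /^[ \t]*port[ \t]+[0-9]+[ \t]*;/ { sub(/;.*/, ""); port = $2 }
        inpeer && /}/ { print (port == "" ? 647 : port); inpeer = 0 }
    '
}

# Exit 0 when the config enables at least one of the two affected TCP listeners.
dhcpd_exposed() {
    [ -n "$(omapi_port "$1")" ] || [ -n "$(failover_ports "$1")" ]
}

# Print (do not apply) an iptables connlimit rule that rejects new connections
# from a source address once it holds more than $2 connections to TCP port $1.
connlimit_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s -m connlimit --connlimit-above %s -j REJECT\n' "$1" "$2"
}

# Human-readable report for one config file.
audit_dhcpd_conf() {
    conf=$1
    p=$(omapi_port "$conf")
    if [ -n "$p" ]; then
        echo "OMAPI enabled on TCP port $p: disable it if unused, or cap connections, e.g."
        echo "  $(connlimit_rule "$p" 10)"
    fi
    for fp in $(failover_ports "$conf"); do
        echo "failover listener on TCP port $fp: allow only the configured peer address, e.g."
        echo "  iptables -A INPUT -p tcp --dport $fp ! -s <peer-address> -j REJECT"
    done
    dhcpd_exposed "$conf" || echo "no omapi-port or failover directives found in $conf"
}

# Constructed sample dhcpd.conf exercising both directives, a commented-out
# directive that must be ignored, and a pool-level failover reference.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# omapi-port 9999;   <- commented out, must not count
omapi-port 7911;
failover peer "dhcp-failover" {
  primary;
  address 10.0.0.1;
  port 647;
  peer address 10.0.0.2;
  peer port 647;
  max-response-delay 60;
}
subnet 10.0.0.0 netmask 255.255.255.0 {
  pool {
    failover peer "dhcp-failover";
    range 10.0.0.100 10.0.0.200;
  }
}
EOF

audit_dhcpd_conf "$SAMPLE_CONF"
```

Run it against a real file with `audit_dhcpd_conf /etc/dhcp/dhcpd.conf`; the printed rules are suggestions to review, not applied. Pair the static check with the report's runtime check (`netstat -tlnp` or `ss -tlnp`, looking for dhcpd listening sockets), since a listener that is open on the host is the thing that actually matters, whatever the config file says.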