Bug 1549961 (CVE-2018-5733)

Summary: CVE-2018-5733 dhcp: Reference count overflow in dhcpd allows denial of service
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apmukher, dcantrell, dkholia, jpopelka, pemensik, pzhukov, security-response-team, thozza, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dhcp 4.1-ESV-R15-P1, dhcp 4.3.6-P1, dhcp 4.4.1 Doc Type: If docs needed, set a value
Doc Text:
A denial of service flaw was found in the way dhcpd handled reference counting when processing client requests. A malicious DHCP client could use this flaw to trigger a reference count overflow on the server side, potentially causing dhcpd to crash, by sending large amounts of traffic.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-13 09:03:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1549999, 1550000, 1550084, 1550085, 1550246, 1550249    
Bug Blocks: 1549964    

Description Adam Mariš 2018-02-28 07:32:47 UTC 
A malicious client which is allowed to send very large amounts of traffic (billions of packets) to a DHCP server can eventually overflow a 32-bit reference counter, potentially causing dhcpd to crash.

Versions of DHCP affected: 4.1.0 -> 4.1-ESV-R15, 4.2.0 -> 4.2.8, 4.3.0 -> 4.3.6, 4.4.0
Comment 1 Adam Mariš 2018-02-28 07:32:50 UTC 
Acknowledgments:

Name: ISC
Upstream: Felix Wilhelm (Google)
Comment 5 Tomas Hoger 2018-02-28 20:31:16 UTC 
Public now via upstream advisory.

External References:

https://kb.isc.org/article/AA-01567
Comment 6 Tomas Hoger 2018-02-28 20:31:55 UTC 
Created dhcp tracking bugs for this issue:

Affects: fedora-all [bug 1550246]
Comment 8 Tomas Hoger 2018-03-01 12:40:22 UTC 
Upstream commit:

https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commitdiff;h=197b26f25309f947b97a83b8fdfc414b767798f8

Upstream bug (not public):

https://bugs.isc.org/Public/Bug/Display.html?id=47140
Comment 9 errata-xmlrpc 2018-03-09 10:06:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:0469 https://access.redhat.com/errata/RHSA-2018:0469
Comment 10 errata-xmlrpc 2018-03-12 18:46:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0483 https://access.redhat.com/errata/RHSA-2018:0483