Bug 1963258 (CVE-2021-25217)
| Field | Value |
|---|---|
| Summary | CVE-2021-25217 dhcp: stack-based buffer overflow when parsing statements with colon-separated hex digits in config or lease files in dhcpd and dhclient |
| Product | [Other] Security Response |
| Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | caswilli, darunesh, dblechte, dfediuck, eedri, fcanogab, jlyle, kaycoth, mgoldboi, michal.skrivanek, nobody, pasteur, pemensik, pzhukov, sbonazzo, security-response-team, sherold, simon.matter, yturgema |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | dhcp 4.4.2-P1, dhcp 4.1-ESV-R16-P1 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in the Dynamic Host Configuration Protocol (DHCP). There is a discrepancy between the code that handles encapsulated option information in leases transmitted "on the wire" and the code that reads and parses lease information after it has been written to disk storage. This flaw allows an attacker to deliberately cause a situation where dhcpd (running in DHCPv4 or DHCPv6 mode) or dhclient attempts to read a stored lease that contains option information, triggering a stack-based buffer overflow in the option parsing code for colon-separated hex digit values. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2021-06-09 15:05:41 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1963994, 1963995, 1963803, 1963804, 1963805, 1963806, 1963807, 1963808, 1963809, 1963996, 1964840, 1964841, 1964842, 1964843, 1964844, 1964871, 1964873, 1965199, 1971490 |
| Bug Blocks | 1963259 |
| Attachments | |
Description
Guilherme de Almeida Suckevicz
2021-05-21 20:02:59 UTC
Created attachment 1786774 [details]
Upstream patch for 4.4.2
Created attachment 1786775 [details]
Upstream patch for 4.1-ESV-R16
The issue is in function parse_X, which is used to parse DHCP lease options marked with "X" format. Those options accept either an ASCII string or binary data passed as a colon-separated hex list. As an example, `option dhcp-client-identifier 1:1:1:1:1;` is such an option. Function parse_X copies the read data to a provided buffer `buf` of maximum length `max`. If the option contains a string, `max` is correctly checked to make sure that data are not written out-of-bounds; however, if the option contains a list of hexadecimal values, the logic to check the `max` length is wrong, allowing up to 2 bytes to be written out-of-bounds with arbitrary data.

parse_X is called from parse_option_decl, which defines the buffer hunkbuf on the stack. hunkbuf is passed to parse_X, thus this is a stack-based buffer overflow.

In reply to comment #5:

> The issue is in function parse_X, which is used to parse DHCP lease options marked with "X" format. Those options accept either an ASCII string or binary data passed as colon-separated hex list. As an example, `option dhcp-client-identifier 1:1:1:1:1;` is such an option.

parse_X is also used to parse many other DHCP statements of the type ASCII string or binary data (e.g. default-duid), both for dhclient config and lease files and for dhcpd config files.

In reply to comment #6:

> parse_X is called from parse_option_decl, which defines the buffer hunkbuf
> on the stack. hunkbuf is passed to parse_X, thus this is a stack-based
> buffer overflow.

There are other places in clparse.c and confpars.c where the parse_X function is used. All of them seem to use a buffer allocated on the stack. Considering that it is possible to overwrite buffers on the stack by just a few bytes, the impact of this flaw depends also on the architecture, on what is placed, at compilation time, after those buffers, and on compilation flags/choices.
Upstream details about the flaw: https://kb.isc.org/docs/cve-2021-25217

Created dhcp tracking bugs for this issue:

Affects: fedora-all [bug 1965199]

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2021:2359 https://access.redhat.com/errata/RHSA-2021:2359

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2021:2357 https://access.redhat.com/errata/RHSA-2021:2357

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-25217

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7.7 Extended Update Support
Via RHSA-2021:2405 https://access.redhat.com/errata/RHSA-2021:2405

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7.2 Advanced Update Support
Via RHSA-2021:2418 https://access.redhat.com/errata/RHSA-2021:2418

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7.3 Advanced Update Support
Via RHSA-2021:2415 https://access.redhat.com/errata/RHSA-2021:2415

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support
Via RHSA-2021:2414 https://access.redhat.com/errata/RHSA-2021:2414

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.1 Extended Update Support
Via RHSA-2021:2416 https://access.redhat.com/errata/RHSA-2021:2416

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6 Extended Lifecycle Support
Via RHSA-2021:2419 https://access.redhat.com/errata/RHSA-2021:2419

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2021:2420 https://access.redhat.com/errata/RHSA-2021:2420

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support
Via RHSA-2021:2469 https://access.redhat.com/errata/RHSA-2021:2469

This issue has been addressed in the following products:
  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
Via RHSA-2021:2519 https://access.redhat.com/errata/RHSA-2021:2519

This issue has been addressed in the following products:
  Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:2555 https://access.redhat.com/errata/RHSA-2021:2555
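The comments above describe the failure mode: an "X"-format value (either an ASCII string or a colon-separated hex list such as `1:1:1:1:1`) is copied into a fixed-size stack buffer, and on the hex-list path the check against `max` was wrong, so a lease or config file could push up to 2 bytes past the end of the buffer. The following is an added example written for this page; it is not ISC dhcp's parse_X and does not reproduce the bug. It shows the discipline that prevents this class of overflow: every write into the caller's buffer is preceded by a check against `max`, on both the string path and the hex path, and an over-long value is rejected with a status code. The function names, the status enum and the canary-guarded self-check helper are this example's own assumptions.

```c
/* Added example, not ISC dhcp code: a bounds-checked parser for an "X"-format
 * value (quoted ASCII string or colon-separated hex list) into a fixed buffer.
 * Names and return convention are assumptions made for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum parse_x_status {
    PARSE_X_OK = 0,
    PARSE_X_TOO_LONG = 1,   /* value does not fit in max bytes; nothing overflowed */
    PARSE_X_SYNTAX = 2      /* malformed hex list or string */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hex list: elements of 1 or 2 hex digits separated by ':' (e.g. "1:1:1", "ff:0a").
 * The capacity check runs before each write, for every element. */
static enum parse_x_status parse_hex_list(const char *p, unsigned char *buf,
                                          size_t max, size_t *len)
{
    size_t n = 0;
    for (;;) {
        int hi = hexval((unsigned char)*p), lo, val;
        if (hi < 0)
            return PARSE_X_SYNTAX;           /* each element needs at least one digit */
        p++;
        val = hi;
        lo = hexval((unsigned char)*p);
        if (lo >= 0) {                       /* optional second digit */
            val = hi * 16 + lo;
            p++;
        }
        if (n >= max)
            return PARSE_X_TOO_LONG;         /* reject instead of writing buf[max] */
        buf[n++] = (unsigned char)val;
        if (*p == '\0')
            break;
        if (*p != ':')
            return PARSE_X_SYNTAX;
        p++;
    }
    *len = n;
    return PARSE_X_OK;
}

/* Quoted string: copy the bytes between the quotes, same check-before-write rule. */
static enum parse_x_status parse_quoted_string(const char *p, unsigned char *buf,
                                               size_t max, size_t *len)
{
    size_t n = 0;
    for (p++; *p != '"'; p++) {              /* p++ skips the opening quote */
        if (*p == '\0')
            return PARSE_X_SYNTAX;           /* unterminated string */
        if (n >= max)
            return PARSE_X_TOO_LONG;
        buf[n++] = (unsigned char)*p;
    }
    if (p[1] != '\0')
        return PARSE_X_SYNTAX;               /* trailing bytes after the closing quote */
    *len = n;
    return PARSE_X_OK;
}

/* Entry point: pick the form by the first character and parse into buf[max]. */
enum parse_x_status parse_x_value(const char *text, unsigned char *buf,
                                  size_t max, size_t *len)
{
    *len = 0;
    return text[0] == '"' ? parse_quoted_string(text, buf, max, len)
                          : parse_hex_list(text, buf, max, len);
}

/* Self-check helper: parse into a 4-byte buffer that sits directly before two
 * canary bytes. Returns the parser status, or -1 if a canary was clobbered. */
int parse_into_4_bytes(const char *text)
{
    struct { unsigned char buf[4]; unsigned char canary[2]; } s;
    size_t len;
    int st;
    memset(&s, 0, sizeof s);
    s.canary[0] = 0xA5; s.canary[1] = 0x5A;
    st = (int)parse_x_value(text, s.buf, sizeof s.buf, &len);
    return (s.canary[0] == 0xA5 && s.canary[1] == 0x5A) ? st : -1;
}

/* Returns byte i of the parsed value, or -1 on error / out of range. */
int parsed_byte(const char *text, size_t i)
{
    unsigned char buf[16];
    size_t len;
    if (parse_x_value(text, buf, sizeof buf, &len) != PARSE_X_OK || i >= len)
        return -1;
    return buf[i];
}

int main(void)
{
    /* Constructed inputs: 4 elements fit a 4-byte buffer, 5 must be rejected. */
    printf("1:1:1:1   -> %d\n", parse_into_4_bytes("1:1:1:1"));
    printf("1:1:1:1:1 -> %d (PARSE_X_TOO_LONG)\n", parse_into_4_bytes("1:1:1:1:1"));
    return 0;
}
```

The point of the canary helper is the property the original code lacked on the hex path: when the value is one element too long, the result is a clean `PARSE_X_TOO_LONG` and the bytes after the buffer are untouched.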