Bug 1963258 (CVE-2021-25217)

Summary: CVE-2021-25217 dhcp: stack-based buffer overflow when parsing statements with colon-separated hex digits in config or lease files in dhcpd and dhclient
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: caswilli, darunesh, dblechte, dfediuck, eedri, fcanogab, jlyle, kaycoth, mgoldboi, michal.skrivanek, nobody, pasteur, pemensik, pzhukov, sbonazzo, security-response-team, sherold, simon.matter, yturgema
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: dhcp 4.4.2-P1, dhcp 4.1-ESV-R16-P1
Doc Text:
A flaw was found in the Dynamic Host Configuration Protocol (DHCP). There is a discrepancy between the code that handles encapsulated option information in leases transmitted "on the wire" and the code that reads and parses lease information after it has been written to disk storage. This flaw allows an attacker to deliberately cause a situation where dhcpd, while running in DHCPv4 or DHCPv6 mode, or dhclient attempts to read a stored lease that contains option information, triggering a stack-based buffer overflow in the option parsing code for colon-separated hex digit values. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability.
Last Closed: 2021-06-09 15:05:41 UTC
Bug Depends On: 1963994, 1963995, 1963803, 1963804, 1963805, 1963806, 1963807, 1963808, 1963809, 1963996, 1964840, 1964841, 1964842, 1964843, 1964844, 1964871, 1964873, 1965199, 1971490    
Bug Blocks: 1963259    
Attachments:
-  Upstream patch for 4.4.2 (flags: none)
-  Upstream patch for 4.1-ESV-R16 (flags: none)

Description Guilherme de Almeida Suckevicz 2021-05-21 20:02:59 UTC
Program code used by the ISC DHCP package to read and parse stored leases has a defect that can be exploited by an attacker to cause one of several undesirable outcomes, depending on the component attacked and the way in which it was compiled.

Because of a discrepancy between the code which handles encapsulated option information in leases transmitted "on the wire" and the code which reads and parses lease information after it has been written to disk storage, it is potentially possible for an attacker to deliberately cause a situation where:

-  dhcpd, while running in DHCPv4 or DHCPv6 mode, or
-  dhclient, the ISC DHCP client implementation

will attempt to read a stored lease that contains option information which will trigger a bug in the option parsing code.

Comment 3 Tomas Hoger 2021-05-25 08:54:42 UTC
Created attachment 1786774
Upstream patch for 4.4.2

Comment 4 Tomas Hoger 2021-05-25 08:55:21 UTC
Created attachment 1786775
Upstream patch for 4.1-ESV-R16

Comment 5 Riccardo Schirone 2021-05-25 10:40:49 UTC
The issue is in function parse_X, which is used to parse DHCP lease options marked with "X" format. Those options accept either an ASCII string or binary data passed as a colon-separated hex list. As an example, `option dhcp-client-identifier 1:1:1:1:1;` is such an option.

Function parse_X copies the read data to a provided buffer `buf` of maximum length `max`. If the option contains a string, `max` is correctly checked to make sure that data are not written out-of-bounds; however, if the option contains a list of hexadecimal values, the logic to check the `max` length is wrong, allowing up to 2 bytes of arbitrary data to be written out-of-bounds.

Comment 6 Riccardo Schirone 2021-05-25 13:31:07 UTC
parse_X is called from parse_option_decl, which defines the buffer hunkbuf on the stack. hunkbuf is passed to parse_X, thus this is a stack-based buffer overflow.
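
The write-then-check ordering that produces a two-byte overrun of the kind described in comments 5 and 6, as an added example that is not ISC's code and not part of this bug report. The names parse_hex_flawed, parse_hex_checked and overrun_bytes, the 4-byte capacity and the sample input are assumptions; the checked variant shows one correct ordering, not the upstream patch.

```c
/* Added illustration: a simplified model, not ISC DHCP source code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX   4   /* capacity the caller declares to the parser (assumed) */
#define GUARD 4   /* canary bytes behind it: overruns are visible but harmless */
typedef int (*parser_fn)(const char *, unsigned char *, unsigned);

/* Flawed: stores the byte first, then tests the post-incremented length. */
static int parse_hex_flawed(const char *s, unsigned char *buf, unsigned max) {
    unsigned len = 0;
    char *end;
    for (;;) {
        buf[len] = (unsigned char)strtoul(s, &end, 16);
        if (len++ > max) return -1;   /* fires only after buf[max+1] is written */
        if (*end != ':') return (int)len;
        s = end + 1;
    }
}

/* Checked: rejects the element before storing it. */
static int parse_hex_checked(const char *s, unsigned char *buf, unsigned max) {
    unsigned len = 0;
    char *end;
    for (;;) {
        unsigned long v = strtoul(s, &end, 16);
        if (end == s || v > 0xff || len >= max) return -1;
        buf[len++] = (unsigned char)v;
        if (*end != ':') return (int)len;
        s = end + 1;
    }
}

/* Parse into MAX usable bytes followed by GUARD canaries; count clobbered canaries. */
static int overrun_bytes(parser_fn parse, const char *input) {
    unsigned char arena[MAX + GUARD];
    int i, hit = 0;
    memset(arena, 0xAA, sizeof arena);
    parse(input, arena, MAX);
    for (i = MAX; i < MAX + GUARD; i++) hit += (arena[i] != 0xAA);
    return hit;
}

int main(void) {
    const char *sample = "1:2:3:4:5:6:7:8";   /* constructed input, 8 octets */
    printf("flawed:  %d guard bytes overwritten\n", overrun_bytes(parse_hex_flawed, sample));
    printf("checked: %d guard bytes overwritten\n", overrun_bytes(parse_hex_checked, sample));
    return 0;
}
```

In this model the flawed variant also returns success for a five-element list when the capacity is four, having already written one byte past the end.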

Comment 8 Riccardo Schirone 2021-05-25 14:25:20 UTC
In reply to comment #5:
> The issue is in function parse_X, which is used to parse DHCP lease options marked with "X" format. Those options accept either an ASCII string or binary data passed as a colon-separated hex list. As an example, `option dhcp-client-identifier 1:1:1:1:1;` is such an option.

parse_X is also used to parse many other DHCP statements of the type ASCII string or binary data (e.g. default-duid) both for dhclient config and lease files and dhcpd config files.

In reply to comment #6:
> parse_X is called from parse_option_decl, which defines the buffer hunkbuf
> on the stack. hunkbuf is passed to parse_X, thus this is a stack-based
> buffer overflow.

There are other places in clparse.c and confpars.c where the parse_X function is used. All of them seem to use a buffer allocated on the stack.

Comment 9 Riccardo Schirone 2021-05-25 16:49:28 UTC
Considering that it is possible to overwrite buffers on the stack by just a few bytes, the impact of this flaw depends also on the architecture, on what is placed, at compilation time, after those buffers, and on compilation flags/choices.

Comment 13 Riccardo Schirone 2021-05-27 06:59:46 UTC
Upstream details about the flaw:
https://kb.isc.org/docs/cve-2021-25217

Comment 14 Riccardo Schirone 2021-05-27 07:02:30 UTC
Created dhcp tracking bugs for this issue:

Affects: fedora-all [bug 1965199]

Comment 15 errata-xmlrpc 2021-06-09 10:54:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2359 https://access.redhat.com/errata/RHSA-2021:2359

Comment 16 errata-xmlrpc 2021-06-09 10:56:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2357 https://access.redhat.com/errata/RHSA-2021:2357

Comment 17 Product Security DevOps Team 2021-06-09 15:05:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-25217

Comment 19 errata-xmlrpc 2021-06-14 14:34:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:2405 https://access.redhat.com/errata/RHSA-2021:2405

Comment 20 errata-xmlrpc 2021-06-14 19:29:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2021:2418 https://access.redhat.com/errata/RHSA-2021:2418

Comment 21 errata-xmlrpc 2021-06-14 19:32:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:2415 https://access.redhat.com/errata/RHSA-2021:2415

Comment 22 errata-xmlrpc 2021-06-14 19:50:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:2414 https://access.redhat.com/errata/RHSA-2021:2414

Comment 23 errata-xmlrpc 2021-06-14 20:06:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2416 https://access.redhat.com/errata/RHSA-2021:2416

Comment 24 errata-xmlrpc 2021-06-14 20:31:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2021:2419 https://access.redhat.com/errata/RHSA-2021:2419

Comment 25 errata-xmlrpc 2021-06-14 20:57:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2420 https://access.redhat.com/errata/RHSA-2021:2420

Comment 26 errata-xmlrpc 2021-06-17 11:37:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2021:2469 https://access.redhat.com/errata/RHSA-2021:2469

Comment 27 errata-xmlrpc 2021-06-22 13:20:34 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2021:2519 https://access.redhat.com/errata/RHSA-2021:2519

Comment 29 errata-xmlrpc 2021-07-06 11:29:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:2555 https://access.redhat.com/errata/RHSA-2021:2555