Bug 2132002 (CVE-2022-2928)

Summary: CVE-2022-2928 dhcp: option refcount overflow when leasequery is enabled leading to dhcpd abort
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bdettelb, caswilli, dffrench, gzaronik, Javier.Peinado, jburrell, jkoehler, jorton, kaycoth, mosvald, ngough, pavel, pemensik, rgodfrey, security-response-team, vkumar
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: dhcp 4.4.3-P1, dhcp 4.1-ESV-R16-P2
Doc Text:
An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increases the option's "refcount" field. However, there is no corresponding call to "option_dereference()" to decrement the "refcount" field. The "add_option()" function is only used in server responses to lease query packets. Each lease query response calls this function for several options. Hence, on a DHCP server configured with "allow leasequery", a remote machine with access to the server can send lease queries for the same lease multiple times, causing the "add_option()" function to be called repeatedly. This issue could cause the reference counters to overflow and the server to abort or crash.
Last Closed: 2023-05-16 16:53:53 UTC
Bug Depends On: 2132248, 2132249, 2132429    
Bug Blocks: 2131939    

Description TEJ RATHI 2022-10-04 12:39:54 UTC
A vulnerability was found in DHCP: on a DHCP server configured with "allow leasequery;", a remote machine with access to the server can send lease queries for the same lease multiple times, leading to the "add_option()" function being repeatedly called. This could cause an option's "refcount" field to overflow and the server to abort. Internally, reference counters are integers and thus overflow at 2^31 references, so even at 1000 lease query responses per second, it would take more than three weeks to crash the server.

Versions affected:

- 4.1-ESV-R1 -> 4.1-ESV-R16-P1
- 4.4.0 -> 4.4.3

For other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series), it is probable that all versions after the introduction of lease query in ISC DHCP 3.0 are affected.
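
The leak pattern described in the report, as a simplified C model added here for illustration. It is not ISC DHCP source: `opt_lookup`, `opt_release`, the two `add_option_*` functions and the helpers are hypothetical stand-ins, and it assumes one leaked reference per option per lease query response.

```c
/* Simplified model of the refcount leak; not ISC DHCP code, all names hypothetical. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

struct option { int refcount; };   /* signed int counter, as the report describes */

/* Lookup hands out a new reference, so it increments the count.
 * The model returns -1 at INT_MAX, the point where the report says dhcpd aborts. */
static int opt_lookup(struct option *o, struct option **out) {
    if (o->refcount == INT_MAX) return -1;
    o->refcount++;
    *out = o;
    return 0;
}

static void opt_release(struct option **ref) {
    if (*ref) { (*ref)->refcount--; *ref = NULL; }
}

/* Leaky shape: the reference taken for the reply is never released. */
static int add_option_leaky(struct option *entry) {
    struct option *ref = NULL;
    if (opt_lookup(entry, &ref) != 0) return -1;
    return 0;                      /* ref goes out of scope while still counted */
}

/* Balanced shape: every lookup is paired with a release. */
static int add_option_balanced(struct option *entry) {
    struct option *ref = NULL;
    if (opt_lookup(entry, &ref) != 0) return -1;
    opt_release(&ref);
    return 0;
}

/* References left behind after n calls on an option that starts with one owner. */
static int leaked_after(int (*fn)(struct option *), int n) {
    struct option o = { 1 };
    for (int i = 0; i < n; i++) if (fn(&o) != 0) return -1;
    return o.refcount - 1;
}

/* Seconds for a counter to reach 2^31 at the given leak rate. */
static uint64_t seconds_to_overflow(uint64_t leaks_per_sec) {
    return ((uint64_t)1 << 31) / leaks_per_sec;
}

int main(void) {
    printf("leaky=%d balanced=%d secs@1000/s=%llu\n", leaked_after(add_option_leaky, 1000),
           leaked_after(add_option_balanced, 1000), (unsigned long long)seconds_to_overflow(1000));
}
```

At 1000 leaks per second the model gives 2,147,483 seconds, just under 25 days, which matches the report's "more than three weeks" estimate.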

Comment 5 Guilherme de Almeida Suckevicz 2022-10-05 16:36:05 UTC
Created dhcp tracking bugs for this issue:

Affects: fedora-all [bug 2132429]

Comment 7 errata-xmlrpc 2023-05-09 07:54:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2502 https://access.redhat.com/errata/RHSA-2023:2502

Comment 8 errata-xmlrpc 2023-05-16 08:41:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3000 https://access.redhat.com/errata/RHSA-2023:3000

Comment 9 Product Security DevOps Team 2023-05-16 16:53:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2928