An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DHCP ACK packets to reconfigure the server.
Created systemd tracking bugs for this issue:
Affects: fedora-all [bug 1959398]
DHCP reconfigure extension RFC: https://datatracker.ietf.org/doc/html/rfc3203
Authentication for DHCP Messages RFC: https://datatracker.ietf.org/doc/html/rfc3118
systemd in upstream version v216 introduced partial support for DHCP FORCERENEW (RFC 3203) with . However, authentication of FORCERENEW packets is not implemented, thus it is possible for an adjacent attacker on the local network to forge such packets and trick a system into re-accepting DHCPACK packets, which include all the network settings.
There is no available fix at this time for this issue, as upstream is considering this issue as an RFE rather than a vulnerability.
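For monitoring while no fix is available, the following added example (not part of this bug report or of systemd) classifies raw DHCP UDP payloads and flags a FORCERENEW (message type 9, RFC 3203) that carries no well-formed Authentication option (option 90, RFC 3118). The function names and the sample packets are constructed for illustration. The check assumes no option overload (option 52), and it only tests that option 90 is present, not that its MAC is valid.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_AUTH = 53, 90   # RFC 2132 message type, RFC 3118 authentication
DHCPFORCERENEW = 9                # RFC 3203
AUTH_MIN_LEN = 11                 # protocol + algorithm + RDM + 8-byte replay field


def parse_options(payload: bytes) -> dict:
    """Return {option_code: value} from a raw BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.setdefault(code, value)   # keep the first instance of each option
        i += 2 + length
    return opts


def classify(payload: bytes) -> str:
    """Label one DHCP payload for alerting purposes."""
    try:
        opts = parse_options(payload)
    except ValueError:
        return "malformed"
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPFORCERENEW]):
        return "ignore"
    auth = opts.get(OPT_AUTH)
    if auth is None or len(auth) < AUTH_MIN_LEN:
        return "alert-unauthenticated-forcerenew"
    return "forcerenew-with-auth-option"


def sample(msg_type: int, auth: bytes = None) -> bytes:
    """Constructed test packet: 236-byte BOOTREPLY header, cookie, options."""
    pkt = b"\x02\x01\x06\x00" + bytes(232) + MAGIC_COOKIE
    pkt += bytes([OPT_MSG_TYPE, 1, msg_type])
    if auth is not None:
        pkt += bytes([OPT_AUTH, len(auth)]) + auth
    return pkt + bytes([OPT_END])
```

Fed from a capture of UDP port 68 traffic, any `alert-unauthenticated-forcerenew` result on a network whose DHCP server does not use FORCERENEW is worth investigating.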
Temporary fix upstream, at least until RFC6704 (Forcerenew Nonce Authentication) is implemented:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4361 https://access.redhat.com/errata/RHSA-2021:4361
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):