Program code used by the ISC DHCP package to read and parse stored leases has a defect that can be exploited by an attacker to cause one of several undesirable outcomes, depending on the component attacked and the way in which it was compiled. Because of a discrepancy between the code which handles encapsulated option information in leases transmitted "on the wire" and the code which reads and parses lease information after it has been written to disk storage, it is potentially possible for an attacker to deliberately cause a situation where:

- dhcpd, while running in DHCPv4 or DHCPv6 mode, or
- dhclient, the ISC DHCP client implementation

will attempt to read a stored lease that contains option information which will trigger a bug in the option parsing code.
Created attachment 1786774: Upstream patch for 4.4.2
Created attachment 1786775: Upstream patch for 4.1-ESV-R16
The issue is in function parse_X, which is used to parse DHCP lease options marked with the "X" format. Those options accept either an ASCII string or binary data passed as a colon-separated hex list. As an example, `option dhcp-client-identifier 1:1:1:1:1;` is such an option. Function parse_X copies the read data to a provided buffer `buf` of maximum length `max`. If the option contains a string, `max` is correctly checked to make sure that data are not written out-of-bounds; however, if the option contains a list of hexadecimal values, the logic that checks the `max` length is wrong, allowing up to 2 bytes of arbitrary data to be written out-of-bounds.
parse_X is called from parse_option_decl, which defines the buffer hunkbuf on the stack. hunkbuf is passed to parse_X, thus this is a stack-based buffer overflow.
In reply to comment #5:

> The issue is in function parse_X, which is used to parse DHCP lease options marked with "X" format. Those options accept either an ASCII string or binary data passed as colon-separated hex list. As an example, `option dhcp-client-identifier 1:1:1:1:1;` is such an option.

parse_X is also used to parse many other DHCP statements of the type ASCII string or binary data (e.g. default-duid), both for dhclient config and lease files and for dhcpd config files.

In reply to comment #6:

> parse_X is called from parse_option_decl, which defines the buffer hunkbuf
> on the stack. hunkbuf is passed to parse_X, thus this is a stack-based
> buffer overflow.

There are other places in clparse.c and confpars.c where the parse_X function is used. All of them seem to use a buffer allocated on the stack.
Considering that it is possible to overwrite buffers on the stack by just a few bytes, the impact of this flaw also depends on the architecture, on what is placed after those buffers at compile time, and on compilation flags/choices.
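The comments above describe a parser for the "X" value format (a quoted string or a colon-separated hex list such as `1:1:1:1:1`) whose capacity check is correct on the string branch but wrong on the hex-list branch. The following is an added example of how such a parser is written so that both branches check the remaining capacity before every store; it is not ISC's parse_X and not taken from the upstream patch. The names `parse_x_value`, `parse_into_guarded`, `x_probe` and the `x_result` codes are hypothetical, and `parse_into_guarded` brackets a fixed-size buffer with guard bytes only so that a caller can prove nothing was written past it.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes of parse_x_value(); hypothetical names, not ISC's. */
enum x_result { X_OK = 0, X_TOO_LONG = -1, X_SYNTAX = -2, X_CORRUPT = -99 };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Parse one "X"-format value: either a double-quoted ASCII string or a
 * colon-separated list of hex octets such as 1:1:1:1:1 (the form quoted in
 * the report). At most `max` bytes are stored in `buf`; the count goes to
 * *len. The capacity check runs before every store in both branches, so an
 * over-long value is rejected with X_TOO_LONG instead of overrunning `buf`.
 */
int parse_x_value(const char *text, unsigned char *buf, size_t max, size_t *len)
{
    size_t n = 0;
    const char *p = text;

    while (isspace((unsigned char)*p)) p++;

    if (*p == '"') {
        /* String form: copy up to the closing quote, never past `max`. */
        for (p++; *p != '"'; p++) {
            if (*p == '\0') return X_SYNTAX;      /* unterminated string */
            if (n >= max) return X_TOO_LONG;
            buf[n++] = (unsigned char)*p;
        }
        p++;                                       /* consume closing quote */
    } else {
        /* Hex list form: one or two hex digits per octet, ':' between. */
        for (;;) {
            int v = hexval((unsigned char)*p);
            if (v < 0) return X_SYNTAX;            /* a digit is required here */
            p++;
            if (hexval((unsigned char)*p) >= 0) {  /* optional second digit */
                v = (v << 4) | hexval((unsigned char)*p);
                p++;
            }
            if (n >= max) return X_TOO_LONG;       /* check before the store */
            buf[n++] = (unsigned char)v;
            if (*p != ':') break;
            p++;                                   /* another octet follows */
        }
    }

    while (isspace((unsigned char)*p)) p++;
    if (*p != '\0' && *p != ';') return X_SYNTAX;  /* trailing junk */
    *len = n;
    return X_OK;
}

/*
 * Demonstration caller: a fixed 8-byte buffer of the kind a parser keeps on
 * the stack, bracketed by guard bytes. Returns the parse result, or
 * X_CORRUPT if a guard byte changed, i.e. if the parser wrote past `data`.
 */
int parse_into_guarded(const char *text)
{
    struct { unsigned char data[8]; unsigned char guard[2]; } hunk;
    size_t len = 0;
    int rc;

    memset(&hunk, 0, sizeof hunk);
    hunk.guard[0] = 0xAA;
    hunk.guard[1] = 0x55;
    rc = parse_x_value(text, hunk.data, sizeof hunk.data, &len);
    if (hunk.guard[0] != 0xAA || hunk.guard[1] != 0x55) return X_CORRUPT;
    return rc;
}

/* Convenience probe: parse into a 16-byte scratch buffer limited to `max`
 * bytes; return the stored length (idx < 0), the byte at `idx`, or the
 * negative result code if parsing failed. */
int x_probe(const char *text, size_t max, int idx)
{
    unsigned char buf[16];
    size_t len = 0;
    int rc = parse_x_value(text, buf, max > 16 ? 16 : max, &len);
    if (rc != X_OK) return rc;
    return idx < 0 ? (int)len : buf[idx];
}

int main(void)
{
    /* Constructed sample values: the report's own example, a string, an
     * over-long list for the 8-byte buffer, and a truncated list. */
    const char *samples[] = { "1:1:1:1:1;", "\"abc\"", "1:2:3:4:5:6:7:8:9", "1:" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> rc=%d\n", samples[i], parse_into_guarded(samples[i]));
    return 0;
}
```

The point to take from the block is the position of the `n >= max` test: it sits between decoding an octet and storing it, on both branches, and it compares against the caller's stated capacity rather than against anything derived from the input. A caller such as the `parse_option_decl`-style function described above passes `sizeof` of its stack buffer as `max`, and an over-long value then fails the parse rather than reaching the bytes that follow the buffer.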
Upstream details about the flaw: https://kb.isc.org/docs/cve-2021-25217
Created dhcp tracking bugs for this issue: Affects: fedora-all [bug 1965199]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2359 https://access.redhat.com/errata/RHSA-2021:2359
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2357 https://access.redhat.com/errata/RHSA-2021:2357
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-25217
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2021:2405 https://access.redhat.com/errata/RHSA-2021:2405
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Advanced Update Support Via RHSA-2021:2418 https://access.redhat.com/errata/RHSA-2021:2418
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Via RHSA-2021:2415 https://access.redhat.com/errata/RHSA-2021:2415
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2021:2414 https://access.redhat.com/errata/RHSA-2021:2414
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:2416 https://access.redhat.com/errata/RHSA-2021:2416
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Extended Lifecycle Support Via RHSA-2021:2419 https://access.redhat.com/errata/RHSA-2021:2419
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:2420 https://access.redhat.com/errata/RHSA-2021:2420
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Advanced Update Support Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions Red Hat Enterprise Linux 7.6 Telco Extended Update Support Via RHSA-2021:2469 https://access.redhat.com/errata/RHSA-2021:2469
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2021:2519 https://access.redhat.com/errata/RHSA-2021:2519
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:2555 https://access.redhat.com/errata/RHSA-2021:2555