Bug 2132002 (CVE-2022-2928) - CVE-2022-2928 dhcp: option refcount overflow when leasequery is enabled leading to dhcpd abort
Keywords:
Status: NEW
Alias: CVE-2022-2928
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2132248 2132249 2132429
Blocks: 2131939
Reported: 2022-10-04 12:39 UTC by TEJ RATHI
Modified: 2022-11-29 04:32 UTC

Fixed In Version: dhcp 4.4.3-P1, dhcp 4.1-ESV-R16-P2
Doc Text:
An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increments the option's "refcount" field, but there is no corresponding call to "option_dereference()" to decrement it. The "add_option()" function is only used in server responses to lease query packets, and each lease query response calls it for several options. Hence, when a DHCP server is configured with "allow leasequery;", a remote machine with access to the server can send lease queries for the same lease multiple times, causing "add_option()" to be called repeatedly. This issue could cause the reference counters to overflow and the server to abort or crash.
Clone Of:
Environment:
Last Closed:



Description TEJ RATHI 2022-10-04 12:39:54 UTC
A vulnerability was found in DHCP: when a DHCP server is configured with "allow leasequery;", a remote machine with access to the server can send lease queries for the same lease multiple times, leading to the "add_option()" function being repeatedly called. This could cause an option's "refcount" field to overflow and the server to abort. Internally, reference counters are integers and thus overflow at 2^31 references, so even at 1000 lease query responses per second, it would take more than three weeks to crash the server.

Versions affected:

- 4.1-ESV-R1 -> 4.1-ESV-R16-P1
- 4.4.0 -> 4.4.3

For other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series), it is probable that all versions after the introduction of lease query in ISC DHCP 3.0 are affected.
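
Added example, not part of the bug report and not ISC DHCP source: a simplified C model of the unpaired reference described above, shown beside a paired variant, plus the arithmetic behind the "more than three weeks" estimate. `option_lookup` (standing in for "option_code_hash_lookup()"), the `_leaky`/`_paired` variants, the sample table and the `INT_MAX` guard are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Simplified model for illustration; not ISC DHCP source code. */
struct option { int code; int refcount; };
/* Constructed sample table: three option codes, one base reference each. */
static struct option table[] = { {51, 1}, {54, 1}, {61, 1} };

/* Hands out a counted reference; -1 if unknown or the counter cannot grow. */
static int option_lookup(struct option **out, int code) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (table[i].code != code) continue;
        if (table[i].refcount == INT_MAX) return -1; /* increment would overflow */
        table[i].refcount++;
        *out = &table[i];
        return 0;
    }
    return -1;
}

static void option_dereference(struct option **ref) {
    (*ref)->refcount--;
    *ref = NULL;
}

/* Flawed shape: the reference taken by the lookup is never released. */
static int add_option_leaky(int code) {
    struct option *o = NULL;
    return option_lookup(&o, code); /* reply built here; no dereference */
}

/* Paired shape: every successful lookup is matched by a dereference. */
static int add_option_paired(int code) {
    struct option *o = NULL;
    if (option_lookup(&o, code) != 0) return -1;
    option_dereference(&o); /* after the reply has copied what it needs */
    return 0;
}

/* Replies until the increment fails, leaking per_reply references each. */
static long long replies_until_overflow(int start, int per_reply) {
    return ((long long)INT_MAX - start) / per_reply + 1;
}

int main(void) {
    for (int i = 0; i < 5; i++) { add_option_leaky(51); add_option_paired(54); }
    printf("leaky=%d paired=%d\n", table[0].refcount, table[1].refcount);
    printf("days at 1000/s: %lld\n", replies_until_overflow(1, 1) / 1000 / 86400);
    return 0;
}
```

Because the count only ever grows in the leaky path, a long-running server drifts toward the limit regardless of how slowly queries arrive; restarting resets the counters but does not remove the leak.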

Comment 5 Guilherme de Almeida Suckevicz 2022-10-05 16:36:05 UTC
Created dhcp tracking bugs for this issue:

Affects: fedora-all [bug 2132429]

