An option refcount overflow exists in dhcpd
CVE-2022-2928
6.5MEDIUM
Summary
In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.
Affected Version(s)
ISC DHCP 4.4.0 through versions before 4.4.3-P1
ISC DHCP 4.1 ESV 4.1-ESV-R1 through versions before 4.1-ESV-R16-P1
References
CVSS V3.1
Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database
Credit
ISC would like to thank VictorV of Cyber Kunlun Lab for discovering and reporting this issue.