An option refcount overflow exists in dhcpd

CVE-2022-2928

6.5MEDIUM

Key Information

Vendor
Isc
Status
Isc Dhcp
Vendor
CVE Published:
7 October 2022

Badges

๐Ÿ‘พ Exploit Exists

Summary

In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.

Affected Version(s)

ISC DHCP 4.4.0 through versions before 4.4.3-P1

ISC DHCP 4.1 ESV 4.1-ESV-R1 through versions before 4.1-ESV-R16-P1

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

ISC would like to thank VictorV of Cyber Kunlun Lab for discovering and reporting this issue.
.