An option refcount overflow exists in dhcpd

CVE-2022-2928

6.5MEDIUM

Key Information

Vendor: Isc
Status: Isc Dhcp
Vendor: CVE Published:; 7 October 2022

Badges

👾 Exploit Exists

Summary

In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.

Affected Version(s)

ISC DHCP = 4.4.0 through versions before 4.4.3-P1

ISC DHCP = 4.1 ESV 4.1-ESV-R1 through versions before 4.1-ESV-R16-P1

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit exists.
Aug 3, 2024
Vulnerability published.
Oct 7, 2022
Vulnerability Reserved.
Aug 22, 2022

Collectors

NVD DatabaseMitre Database

Credit

ISC would like to thank VictorV of Cyber Kunlun Lab for discovering and reporting this issue.