cnvd - cnvd-2022-87943

cnvd-2022-87943

Vulnerability from cnvd

Title: ISC DHCP拒绝服务漏洞

Description:

ISC DHCP是美国ISC公司的一套开源的动态主机配置协议服务器软件。

ISC DHCP存在拒绝服务漏洞，该漏洞源于当从add_option()调用函数option_code_hash_lookup()时，它会增加选项的refcount字段，但是未对option_dereference()的相应调用来减少refcount字段，函数add_option()仅用于服务器对租约查询数据包的响应，每个租约查询响应都会为多个选项调用此函数，攻击者可利用漏洞触发引用计数器溢出，导致拒绝服务。

Severity: 中

Patch Name: ISC DHCP拒绝服务漏洞的补丁

Patch Description:

ISC DHCP是美国ISC公司的一套开源的动态主机配置协议服务器软件。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/isc-projects/dhcp/releases/tag/v4_4_2b1_f2

Reference: https://kb.isc.org/docs/cve-2022-2928

Impacted products

Name
['ISC DHCP >=4.4.0，<=4.4.3', 'ISC DHCP 4.1-esv r1', 'ISC DHCP 4.1-esv r10', 'ISC DHCP 4.1-esv r10_b1', 'ISC DHCP 4.1-esv r10_rc1', 'ISC DHCP 4.1-esv r10b1', 'ISC DHCP 4.1-esv r10rc1', 'ISC DHCP 4.1-esv r11', 'ISC DHCP 4.1-esv r11_b1', 'ISC DHCP 4.1-esv r11_rc1', 'ISC DHCP 4.1-esv r11_rc2', 'ISC DHCP 4.1-esv r11b1', 'ISC DHCP 4.1-esv r11rc1', 'ISC DHCP 4.1-esv r11rc', 'ISC DHCP 4.1-esv r12', 'ISC DHCP 4.1-esv r12-p1', 'ISC DHCP 4.1-esv r12_b1', 'ISC DHCP 4.1-esv r12_p1', 'ISC DHCP 4.1-esv r12b1', 'ISC DHCP 4.1-esv r13', 'ISC DHCP 4.1-esv r13_b1', 'ISC DHCP 4.1-esv r13b1', 'ISC DHCP 4.1-esv r14', 'ISC DHCP 4.1-esvr14_b1', 'ISC DHCP 4.1-esv r14b1', 'ISC DHCP 4.1-esv r15', 'ISC DHCP 4.1-esv r15-p1', 'ISC DHCP 4.1-esv r15_b1', 'ISC DHCP 4.1-esv r16', 'ISC DHCP 4.1-esv r16-p1']

Name

['ISC DHCP >=4.4.0，<=4.4.3', 'ISC DHCP 4.1-esv r1', 'ISC DHCP 4.1-esv r10', 'ISC DHCP 4.1-esv r10_b1', 'ISC DHCP 4.1-esv r10_rc1', 'ISC DHCP 4.1-esv r10b1', 'ISC DHCP 4.1-esv r10rc1', 'ISC DHCP 4.1-esv r11', 'ISC DHCP 4.1-esv r11_b1', 'ISC DHCP 4.1-esv r11_rc1', 'ISC DHCP 4.1-esv r11_rc2', 'ISC DHCP 4.1-esv r11b1', 'ISC DHCP 4.1-esv r11rc1', 'ISC DHCP 4.1-esv r11rc', 'ISC DHCP 4.1-esv r12', 'ISC DHCP 4.1-esv r12-p1', 'ISC DHCP 4.1-esv r12_b1', 'ISC DHCP 4.1-esv r12_p1', 'ISC DHCP 4.1-esv r12b1', 'ISC DHCP 4.1-esv r13', 'ISC DHCP 4.1-esv r13_b1', 'ISC DHCP 4.1-esv r13b1', 'ISC DHCP 4.1-esv r14', 'ISC DHCP 4.1-esvr14_b1', 'ISC DHCP 4.1-esv r14b1', 'ISC DHCP 4.1-esv r15', 'ISC DHCP 4.1-esv r15-p1', 'ISC DHCP 4.1-esv r15_b1', 'ISC DHCP 4.1-esv r16', 'ISC DHCP 4.1-esv r16-p1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-2928",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-2928"
    }
  },
  "description": "ISC DHCP\u662f\u7f8e\u56fdISC\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u52a8\u6001\u4e3b\u673a\u914d\u7f6e\u534f\u8bae\u670d\u52a1\u5668\u8f6f\u4ef6\u3002\n\nISC DHCP\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53\u4eceadd_option()\u8c03\u7528\u51fd\u6570option_code_hash_lookup()\u65f6\uff0c\u5b83\u4f1a\u589e\u52a0\u9009\u9879\u7684refcount\u5b57\u6bb5\uff0c\u4f46\u662f\u672a\u5bf9option_dereference()\u7684\u76f8\u5e94\u8c03\u7528\u6765\u51cf\u5c11refcount\u5b57\u6bb5\uff0c\u51fd\u6570add_option()\u4ec5\u7528\u4e8e\u670d\u52a1\u5668\u5bf9\u79df\u7ea6\u67e5\u8be2\u6570\u636e\u5305\u7684\u54cd\u5e94\uff0c\u6bcf\u4e2a\u79df\u7ea6\u67e5\u8be2\u54cd\u5e94\u90fd\u4f1a\u4e3a\u591a\u4e2a\u9009\u9879\u8c03\u7528\u6b64\u51fd\u6570\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u89e6\u53d1\u5f15\u7528\u8ba1\u6570\u5668\u6ea2\u51fa\uff0c\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/isc-projects/dhcp/releases/tag/v4_4_2b1_f2",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-87943",
  "openTime": "2022-12-14",
  "patchDescription": "ISC DHCP\u662f\u7f8e\u56fdISC\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u52a8\u6001\u4e3b\u673a\u914d\u7f6e\u534f\u8bae\u670d\u52a1\u5668\u8f6f\u4ef6\u3002\r\n\r\nISC DHCP\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53\u4eceadd_option()\u8c03\u7528\u51fd\u6570option_code_hash_lookup()\u65f6\uff0c\u5b83\u4f1a\u589e\u52a0\u9009\u9879\u7684refcount\u5b57\u6bb5\uff0c\u4f46\u662f\u672a\u5bf9option_dereference()\u7684\u76f8\u5e94\u8c03\u7528\u6765\u51cf\u5c11refcount\u5b57\u6bb5\uff0c\u51fd\u6570add_option()\u4ec5\u7528\u4e8e\u670d\u52a1\u5668\u5bf9\u79df\u7ea6\u67e5\u8be2\u6570\u636e\u5305\u7684\u54cd\u5e94\uff0c\u6bcf\u4e2a\u79df\u7ea6\u67e5\u8be2\u54cd\u5e94\u90fd\u4f1a\u4e3a\u591a\u4e2a\u9009\u9879\u8c03\u7528\u6b64\u51fd\u6570\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u89e6\u53d1\u5f15\u7528\u8ba1\u6570\u5668\u6ea2\u51fa\uff0c\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "ISC DHCP\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "ISC DHCP \u003e=4.4.0\uff0c\u003c=4.4.3",
      "ISC DHCP 4.1-esv r1",
      "ISC DHCP 4.1-esv r10",
      "ISC DHCP 4.1-esv r10_b1",
      "ISC DHCP 4.1-esv r10_rc1",
      "ISC DHCP 4.1-esv r10b1",
      "ISC DHCP 4.1-esv r10rc1",
      "ISC DHCP 4.1-esv r11",
      "ISC DHCP 4.1-esv r11_b1",
      "ISC DHCP 4.1-esv r11_rc1",
      "ISC DHCP 4.1-esv r11_rc2",
      "ISC DHCP 4.1-esv r11b1",
      "ISC DHCP 4.1-esv r11rc1",
      "ISC DHCP 4.1-esv r11rc",
      "ISC DHCP 4.1-esv r12",
      "ISC DHCP 4.1-esv r12-p1",
      "ISC DHCP 4.1-esv r12_b1",
      "ISC DHCP 4.1-esv r12_p1",
      "ISC DHCP 4.1-esv r12b1",
      "ISC DHCP 4.1-esv r13",
      "ISC DHCP 4.1-esv r13_b1",
      "ISC DHCP 4.1-esv r13b1",
      "ISC DHCP 4.1-esv r14",
      "ISC DHCP 4.1-esvr14_b1",
      "ISC DHCP 4.1-esv r14b1",
      "ISC DHCP 4.1-esv r15",
      "ISC DHCP 4.1-esv r15-p1",
      "ISC DHCP 4.1-esv r15_b1",
      "ISC DHCP 4.1-esv r16",
      "ISC DHCP 4.1-esv r16-p1"
    ]
  },
  "referenceLink": "https://kb.isc.org/docs/cve-2022-2928",
  "serverity": "\u4e2d",
  "submitTime": "2022-10-11",
  "title": "ISC DHCP\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2022-2928 (GCVE-0-2022-2928)

Vulnerability from cvelistv5

Published

2022-10-07 04:45

Modified

2024-09-17 00:21

Severity ?

6.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

A DHCP server configured with allow leasequery;, a remote machine with access to the server can send lease queries for the same lease multiple times, leading to the add_option() function being repeatedly called. This could cause an option's refcount field to overflow and the server to abort. Internally, reference counters are integers and thus overflow at 2^31 references, so even at 1000 lease query responses per second, it would take more than three weeks to crash the server. Affects In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1

Summary

In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.

References

▼	URL	Tags
	https://kb.isc.org/docs/cve-2022-2928
	https://lists.debian.org/debian-lts-announce/2022/10/msg00015.html	mailing-list
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQXYCIWUDILRCNBAIMVFCSGXBRKEPB4K/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T6IBFH4MRRNJQVWEKILQ6I6CXWW766FX/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2SARIK7KZ7MGQIWDRWZFAOSQSPXY4GOU/	vendor-advisory
	https://security.gentoo.org/glsa/202305-22	vendor-advisory

Impacted products

	Vendor	Product	Version
	ISC	ISC DHCP	Version: 4.4.0 through versions before 4.4.3-P1 Version: 4.1 ESV 4.1-ESV-R1 through versions before 4.1-ESV-R16-P1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:53:00.326Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://kb.isc.org/docs/cve-2022-2928"
          },
          {
            "name": "[debian-lts-announce] 20221010 [SECURITY] [DLA 3146-1] isc-dhcp security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00015.html"
          },
          {
            "name": "FEDORA-2022-f5a45757df",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQXYCIWUDILRCNBAIMVFCSGXBRKEPB4K/"
          },
          {
            "name": "FEDORA-2022-9ca9a94e28",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T6IBFH4MRRNJQVWEKILQ6I6CXWW766FX/"
          },
          {
            "name": "FEDORA-2022-c4f274a54f",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2SARIK7KZ7MGQIWDRWZFAOSQSPXY4GOU/"
          },
          {
            "name": "GLSA-202305-22",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202305-22"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ISC DHCP",
          "vendor": "ISC",
          "versions": [
            {
              "status": "affected",
              "version": "4.4.0 through versions before 4.4.3-P1"
            },
            {
              "status": "affected",
              "version": "4.1 ESV 4.1-ESV-R1 through versions before 4.1-ESV-R16-P1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank VictorV of Cyber Kunlun Lab for discovering and reporting this issue."
        }
      ],
      "datePublic": "2022-10-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In ISC DHCP 4.4.0 -\u003e 4.4.3, ISC DHCP 4.1-ESV-R1 -\u003e 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option\u0027s refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "A DHCP server configured with allow leasequery;, a remote machine with access to the server can send lease queries for the same lease multiple times, leading to the add_option() function being repeatedly called. This could cause an option\u0027s refcount field to overflow and the server to abort. Internally, reference counters are integers and thus overflow at 2^31 references, so even at 1000 lease query responses per second, it would take more than three weeks to crash the server. Affects In ISC DHCP 4.4.0 -\u003e 4.4.3, ISC DHCP 4.1-ESV-R1 -\u003e 4.1-ESV-R16-P1",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-03T00:00:00",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "url": "https://kb.isc.org/docs/cve-2022-2928"
        },
        {
          "name": "[debian-lts-announce] 20221010 [SECURITY] [DLA 3146-1] isc-dhcp security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00015.html"
        },
        {
          "name": "FEDORA-2022-f5a45757df",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQXYCIWUDILRCNBAIMVFCSGXBRKEPB4K/"
        },
        {
          "name": "FEDORA-2022-9ca9a94e28",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T6IBFH4MRRNJQVWEKILQ6I6CXWW766FX/"
        },
        {
          "name": "FEDORA-2022-c4f274a54f",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2SARIK7KZ7MGQIWDRWZFAOSQSPXY4GOU/"
        },
        {
          "name": "GLSA-202305-22",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202305-22"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of ISC DHCP. These can all be downloaded from https://www.isc.org/downloads.  4.4.3-P1 4.1-ESV-R16-P2"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "An option refcount overflow exists in dhcpd",
      "workarounds": [
        {
          "lang": "en",
          "value": "Disable lease query on the server for DHCPv4 or restart the server periodically."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2022-2928",
    "datePublished": "2022-10-07T04:45:11.751554Z",
    "dateReserved": "2022-08-22T00:00:00",
    "dateUpdated": "2024-09-17T00:21:40.167Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted