Guidance on the 10 Dec 2010 DHCP Security Advisory
10 Dec 2010
CVE: CVE-2010-3616
CERT: VU# 159528
DHCP: Server Hangs with TCP to Failover Peer Port
These are some guidelines for our DHCP community to help you assess whether you are vulnerable to this bug and what you can do to work around it.
- You are vulnerable to this bug if:
  - You are running dhcp-4.2.0 or dhcp-4.2.0-P1
  - You are running failover
- You may be vulnerable to this bug if:
  - You are running dhcp-4.2.0 or dhcp-4.2.0-P1 (we don't think other ports are vulnerable to the same bug as the failover port, but have not yet done a thorough analysis)
- You are not vulnerable to this bug if:
  - You are running a version of DHCP prior to dhcp-4.2.0 (4.1.x, 4.0.x, 3.x)
This bug seems to be OS dependent, but we have not tested a wide enough range of OSs/versions to determine which are vulnerable. And, since we are not positive that only the failover port is vulnerable, disabling failover may not be sufficient protection. Therefore, our best recommendation is to upgrade if you are running 4.2.0/4.2.0-P1 in production.

Regardless of which version of DHCP you are running, you should also limit traffic to your omapi and failover ports via packet filters, firewalls, etc.
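The following is an added example, not part of the ISC advisory, of how the "limit traffic to your omapi and failover ports" recommendation can be put into practice with iptables. It generates rules that allow TCP connections to the failover port only from the configured failover peer and to the OMAPI port only from a management host or the local machine, dropping everything else. The peer address, management address and port numbers are assumptions: the failover port must match the `port` / `peer port` values in your failover peer declaration, and the OMAPI port must match the `omapi-port` setting in dhcpd.conf.

```shell
#!/bin/sh
# Added example (not ISC code): emit iptables rules that restrict the DHCP
# failover and OMAPI listening ports to known hosts, as the advisory advises.
# All addresses and ports here are assumptions; adjust to your dhcpd.conf.

# Print the rules rather than applying them, so they can be reviewed first.
# Arguments: failover peer IP, failover port, management host IP, OMAPI port.
dhcp_port_filter_rules() {
    peer_ip="$1"; failover_port="$2"; mgmt_ip="$3"; omapi_port="$4"
    # Failover: only the configured peer may open a TCP connection to our port.
    echo "iptables -A INPUT -p tcp --dport ${failover_port} -s ${peer_ip} -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport ${failover_port} -j DROP"
    # OMAPI: only the management host and the server itself (loopback).
    echo "iptables -A INPUT -p tcp --dport ${omapi_port} -s ${mgmt_ip} -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport ${omapi_port} -i lo -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport ${omapi_port} -j DROP"
}

# Sanity check: how many DROP rules the generated set contains (expect one
# per protected port, i.e. 2).
count_drop_rules() {
    dhcp_port_filter_rules "$@" | grep -c -- '-j DROP'
}

# With "apply" as the fifth argument the rules are executed; otherwise they
# are printed using constructed sample values (192.0.2.0/24 is documentation
# address space; 647 and 7911 are assumed port numbers).
if [ "${5:-}" = "apply" ]; then
    dhcp_port_filter_rules "$1" "$2" "$3" "$4" | sh
else
    dhcp_port_filter_rules "${1:-192.0.2.2}" "${2:-647}" "${3:-192.0.2.10}" "${4:-7911}"
fi
```

Review the printed rules against your existing ruleset before running with `apply`; the order matters, since a broad ACCEPT rule earlier in the INPUT chain would make the DROP rules above ineffective.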