DHCP: Server Crash with Empty Link-Address Field

Summary: 
If the server receives a DHCPv6 packet containing one or more Relay-Forward messages, and none of them supply an address in the Relay-Forward link-address field, then the server will crash. This can be used as a single packet crash attack vector.
CVE: 
CVE-2010-3611
CERT: 
VU#102047
Posting date: 
02 Nov 2010
Program Impacted: 
DHCP
Versions affected: 
4.0 through 4.2
Severity: 
High
Exploitable: 
remotely
Description: 

If the server receives a DHCPv6 packet containing one or more Relay-Forward messages, and none of them supply an address in the Relay-Forward link-address field, then the server will crash. This can be used as a single packet crash attack vector.
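
The condition described above can be checked on captured DHCPv6 traffic. The following is an added example, not ISC code: it walks nested Relay-Forward messages using the RFC 3315 layout and flags packets in which every link-address is all zeros, which is assumed here to be what "does not supply an address" means. The function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

RELAY_FORW = 12        # DHCPv6 message type (RFC 3315)
OPTION_RELAY_MSG = 9   # option carrying the encapsulated message
RELAY_HDR_LEN = 34     # msg-type + hop-count + link-address + peer-address


def relay_link_addresses(packet: bytes) -> list:
    """Return the link-address of every nested Relay-Forward, outermost first."""
    links = []
    while len(packet) >= RELAY_HDR_LEN and packet[0] == RELAY_FORW:
        links.append(ipaddress.IPv6Address(packet[2:18]))
        inner, pos = b"", RELAY_HDR_LEN
        # Walk the options looking for the encapsulated message.
        while pos + 4 <= len(packet):
            code, length = struct.unpack_from("!HH", packet, pos)
            data = packet[pos + 4:pos + 4 + length]
            if len(data) < length:
                break  # truncated option: stop parsing this layer
            if code == OPTION_RELAY_MSG:
                inner = data
                break
            pos += 4 + length
        packet = inner
    return links


def lacks_link_address(packet: bytes) -> bool:
    """True for a relayed packet in which no Relay-Forward supplies a link-address."""
    links = relay_link_addresses(packet)
    # Assumption: "not supplied" means the unspecified address (::).
    return bool(links) and all(a.is_unspecified for a in links)


def _sample_relay(link: str, inner: bytes) -> bytes:
    """Build a constructed Relay-Forward sample wrapping `inner` (test data only)."""
    hdr = bytes([RELAY_FORW, 0]) + ipaddress.IPv6Address(link).packed
    hdr += ipaddress.IPv6Address("fe80::1").packed
    return hdr + struct.pack("!HH", OPTION_RELAY_MSG, len(inner)) + inner


# Constructed samples: a 4-byte Solicit header (type 1, transaction id 0x000001).
SOLICIT = bytes([1, 0, 0, 1])
SAMPLES = {
    "link-address set": _sample_relay("2001:db8::1", SOLICIT),
    "inner layer set": _sample_relay("::", _sample_relay("2001:db8:1::1", SOLICIT)),
    "no link-address": _sample_relay("::", _sample_relay("::", SOLICIT)),
}
```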

CVSS: 4.2 (for more on CVSS scores and to calculate your environment's specific risk, please visit: CVSS Calculator)

Impact and Risk Assessment: This can be used as a single packet crash attack vector if the server was explicitly configured to serve DHCPv6.

Workarounds: 

None.

Active exploits: 
None known at this time.
Solution: 

Upgrade DHCP to 4.0.2, 4.1.2, or 4.2.0-P1.

Acknowledgment: John Gibbins, for finding the issue and testing the patch.

Revision History: Added acknowledgment to John Gibbins
Changed date to Nov 2nd

For more information please contact dhcp-bugs@isc.org
