DHCP: Server Hangs with TCP to Failover Peer Port
If a TCP connection is established to the server on a port which has been configured for communication with a failover peer, this can cause the server to become non-responsive to all normal DHCP protocol traffic. The server will enter the communications-interrupted failover state - but in addition it will also cease to provide DHCP service to clients. The server must be restarted to resume normal operation.
CVSS: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
(for more on CVSS scores and to calculate your environment's specific risk, please visit: http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C))
Impact and Risk Assessment:
This can be used as an attack vector against servers that are configured for failover partnerships.
Users running DHCP servers in failover configurations may be able to minimise the risk to the TCP ports used for peer-to-peer DHCP server communication by careful packet filtering on the hosts and network gateways, limiting access to traffic between the configured failover peers - but ideally they should upgrade. (Regardless of which version of DHCP is deployed, users are advised that it is good security practice to limit traffic to their omapi and failover ports via packet filters, firewalls etc.)
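As an added illustration of the packet-filtering mitigation described above (example code, not part of the advisory or of ISC's software): the script below reads the failover peer declaration from a dhcpd.conf fragment and emits iptables rules that admit TCP to the local failover port only from the configured peer address. The configuration text is constructed for this example; the chain name INPUT and IPv4 addressing are assumptions, and the rules are produced as strings for review rather than applied.

```python
import re

# Constructed sample of an ISC dhcpd.conf failover declaration (not from the advisory).
SAMPLE_CONF = """\
failover peer "dhcp-failover" {
  primary;
  address 192.0.2.10;
  port 647;
  peer address 192.0.2.20;
  peer port 647;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  split 128;
  load balance max seconds 3;
}
"""

# Matches each 'failover peer "name" { ... }' block; re.S lets '.' span newlines.
_BLOCK = re.compile(r'failover\s+peer\s+"([^"]+)"\s*\{(.*?)\}', re.S)

def parse_failover_peers(conf):
    """Return {name: {address, port, peer_address, peer_port}} for every failover block."""
    peers = {}
    for name, body in _BLOCK.findall(conf):
        fields = {}
        for stmt in body.split(';'):
            words = stmt.split()
            if words[:2] == ['peer', 'address'] and len(words) == 3:
                fields['peer_address'] = words[2]
            elif words[:2] == ['peer', 'port'] and len(words) == 3:
                fields['peer_port'] = int(words[2])
            elif words[:1] == ['address'] and len(words) == 2:
                fields['address'] = words[1]
            elif words[:1] == ['port'] and len(words) == 2:
                fields['port'] = int(words[1])
        for required in ('address', 'port', 'peer_address'):
            if required not in fields:  # refuse to emit a rule set with a hole in it
                raise ValueError(f'failover peer "{name}": missing {required} statement')
        peers[name] = fields
    return peers

def filter_rules(peers, chain='INPUT'):
    """Build iptables rules: accept the peer on the local failover port, drop everyone else."""
    rules = []
    for f in peers.values():
        base = f"iptables -A {chain} -p tcp -d {f['address']} --dport {f['port']}"
        rules.append(f"{base} -s {f['peer_address']} -j ACCEPT")
        rules.append(f"{base} -j DROP")
    return rules
```

Run the generated rules through whatever change-control process applies to the host firewall; the same restriction should be mirrored on network gateways between the peers.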
Upgrade DHCP to 4.2.0-P2.
Acknowledgment: Brad Bendily for finding and testing the problem.
For more information please contact dhcp-bugs@isc.org