DHCP: Server Hangs with TCP to Failover Peer Port

Summary: 
If a server receives a TCP connection on a port that has been configured for communication with a failover peer, this can cause it to become non-responsive to all normal DHCP protocol traffic.
CVE: 
CVE-2010-3616
CERT: 
VU#159528
Posting date: 
10 Dec 2010
Program Impacted: 
DHCP
Versions affected: 
4.2
Severity: 
High
Exploitable: 
remotely
Description: 

If a TCP connection is established to the server on a port which has been configured for communication with a failover peer, this can cause it to become non-responsive to all normal DHCP protocol traffic. The server progresses to a communications-interrupted state and, in addition, ceases to provide DHCP services to clients. The server must be restarted to resume normal operation.

CVSS: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

(for more on CVSS scores and to calculate your environment's specific risk, please visit: http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C))

Impact and Risk Assessment:

This can be used as an attack vector against servers that are configured for failover partnerships.

Workarounds: 

Users running DHCP servers in failover configurations may be able to minimise the risk to the TCP ports used for peer-to-peer DHCP server communication by careful packet filtering on the hosts and network gateways, limiting access to traffic between the configured failover peers; ideally, however, they should upgrade. (Regardless of which version of DHCP is deployed, users are advised that it is good security practice to limit traffic to their omapi and failover ports via packet filters, firewalls etc.)
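The following is an added example (not ISC code) of the packet-filtering workaround above: it reads the `failover peer` stanza and `omapi-port` statement from a dhcpd.conf fragment and emits iptables rules that admit TCP to each failover port only from the configured peer address and drop all other connections to it. The configuration text, the RFC 5737 addresses and the admin source for OMAPI are constructed values; the script only prints the rules rather than applying them.

```python
import re

# Constructed dhcpd.conf fragment (example values, not from the advisory);
# 192.0.2.0/24 is RFC 5737 documentation address space.
SAMPLE_CONF = """
failover peer "dhcp-failover" {
  primary;
  address 192.0.2.1;
  port 647;
  peer address 192.0.2.2;
  peer port 647;
  max-response-delay 60;
  mclt 3600;
  split 128;
}
omapi-port 7911;
"""

def parse_failover_peers(conf):
    """Return {peer_name: {address, port, peer_address, peer_port}} from dhcpd.conf text."""
    peers = {}
    for name, body in re.findall(r'failover\s+peer\s+"([^"]+)"\s*\{(.*?)\}', conf, re.S):
        fields = dict(re.findall(r'\b(peer address|peer port|address|port)\s+(\S+?)\s*;', body))
        peers[name] = {
            'address': fields.get('address'),
            # assumed default: 647 is the IANA-assigned dhcp-failover port
            'port': int(fields.get('port', 647)),
            'peer_address': fields['peer address'],
            'peer_port': int(fields.get('peer port', 647)),
        }
    return peers

def parse_omapi_port(conf):
    """Return the configured omapi-port, or None if OMAPI is not enabled."""
    m = re.search(r'^\s*omapi-port\s+(\d+)\s*;', conf, re.M)
    return int(m.group(1)) if m else None

def failover_filter_rules(peers, omapi_port=None, omapi_admins=('127.0.0.1',), chain='INPUT'):
    """Emit iptables rules: only the configured peer may open TCP to the failover
    port; everything else to that port is dropped. OMAPI is restricted the same way."""
    rules = []
    for p in peers.values():
        rules.append(f"iptables -A {chain} -p tcp -s {p['peer_address']} --dport {p['port']} -j ACCEPT")
        rules.append(f"iptables -A {chain} -p tcp --dport {p['port']} -j DROP")
    if omapi_port:
        for admin in omapi_admins:
            rules.append(f"iptables -A {chain} -p tcp -s {admin} --dport {omapi_port} -j ACCEPT")
        rules.append(f"iptables -A {chain} -p tcp --dport {omapi_port} -j DROP")
    return rules

if __name__ == '__main__':
    print('\n'.join(failover_filter_rules(parse_failover_peers(SAMPLE_CONF),
                                          parse_omapi_port(SAMPLE_CONF))))
```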

Active exploits: 
None known at this time. Issue found by a user and reported via the dhcp-users community mailing list, therefore consider this vulnerability public.
Solution: 

Upgrade DHCP to 4.2.0-P2.

Acknowledgment: Brad Bendily for finding and testing the problem.

For more information please contact dhcp-bugs@isc.org
