CVE-2022-2929

Summary

In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory.

Affected Software

VendorProductVersion RangeStatus
ISCISC DHCP1.0 through versions before 4.1-ESV-R16-P2affected
ISCISC DHCP4.2 through versions before 4.4.3.-P1affected

Weaknesses

  • The function fqdn_universe_decode() allocates buffer space for the contents of option 81 (fqdn) data received in a DHCP packet. The maximum length of a DNS label is 63 bytes. The function tests the length byte of each label contained in the fqdn; if it finds a label whose length byte value is larger than 63, it returns without dereferencing the buffer space. This will cause a memory leak. Affects In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1

Workarounds

As exploiting this vulnerability requires an attacker to send packets for an extended period of time, restarting servers periodically could be a viable workaround.

ADP Enrichment

CVE Program Container

Additional References

References