Vigil@nce - dhcpcd: denial of service via DHO_OPTIONSOVERLOADED
September 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who owns a DHCP server can use the
DHO_OPTIONSOVERLOADED option twice in order to trigger a denial
of service in dhcpcd.
– Impacted products: MBS, Unix (platform)
– Severity: 1/4
– Creation date: 02/09/2014
DESCRIPTION OF THE VULNERABILITY
The dhcpcd product implements a DHCP client.
RFC 2132 defines the "Option Overload" option
(DHO_OPTIONSOVERLOADED), which allows the DHCP "sname" and "file"
fields to be used to store options. However, the
DHO_OPTIONSOVERLOADED option can itself be used again inside the
"sname" and "file" fields, which triggers an infinite loop.
An attacker who owns a DHCP server can therefore use the
DHO_OPTIONSOVERLOADED option twice in order to trigger a denial
of service in dhcpcd.
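The following C sketch is an added example, not dhcpcd's code or its fix: it shows one way a client can parse overloaded options so that a repeated DHO_OPTIONSOVERLOADED (option 52) cannot cause re-scanning. The struct, the function names and the scan order (options, then "file", then "sname") are assumptions of this example; option 52 is honoured only in the options field and each area is visited at most once.

```c
#include <stddef.h>
#include <stdint.h>

enum { OPT_PAD = 0, OPT_OVERLOAD = 52, OPT_MSGTYPE = 53, OPT_END = 255 };

/* Hypothetical view of the three option-bearing areas of a DHCP message. */
struct dhcp_areas {
    const uint8_t *options; size_t options_len; uint8_t file[128], sname[64];
};

/* Scan one area for `want`; option 52 is honoured only if `overload` != NULL. */
static const uint8_t *scan_area(const uint8_t *p, size_t len, uint8_t want,
                                uint8_t *overload, uint8_t *out_len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t code = p[i++];
        if (code == OPT_PAD) continue;
        if (code == OPT_END || i >= len) break;   /* end, or no length byte */
        uint8_t l = p[i++];
        if (l > len - i) break;                   /* value runs past the area */
        if (code == OPT_OVERLOAD && l == 1 && overload) *overload = p[i] & 3;
        if (code == want) { *out_len = l; return p + i; }
        i += l;
    }
    return NULL;
}

/* Each area is visited at most once, so work is bounded by the message size. */
const uint8_t *get_option(const struct dhcp_areas *m, uint8_t want, uint8_t *out_len)
{
    uint8_t overload = 0;                         /* bit 0 = file, bit 1 = sname */
    const uint8_t *v = scan_area(m->options, m->options_len, want, &overload, out_len);
    if (v == NULL && (overload & 1))
        v = scan_area(m->file, sizeof m->file, want, NULL, out_len);
    if (v == NULL && (overload & 2))
        v = scan_area(m->sname, sizeof m->sname, want, NULL, out_len);
    return v;
}

/* Constructed sample: option 52 in the options field, again in file and sname. */
int demo_nested_overload(void)
{
    static const uint8_t opts[] = { OPT_OVERLOAD, 1, 3, OPT_END };
    struct dhcp_areas m = { opts, sizeof opts, { OPT_OVERLOAD, 1, 3, OPT_END },
                            { OPT_OVERLOAD, 1, 1, OPT_MSGTYPE, 1, 2, OPT_END } };
    uint8_t len = 0;
    const uint8_t *v = get_option(&m, OPT_MSGTYPE, &len);
    return (v != NULL && len == 1) ? v[0] : -1;
}
```

The constructed message repeats option 52 inside both overloaded fields; the lookup still terminates and returns the message type stored in "sname".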
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/dhcpcd-denial-of-service-via-DHO-OPTIONSOVERLOADED-15254