The Internet Systems Consortium (ISC) this week announced that it plans to patch versions of its Dynamic Host Configuration Protocol (DHCP) to mitigate a vulnerability that could’ve let a remote attacker cause a denial of service condition.
The group acknowledged on Monday that it plans to release DHCP 4.1-ESV-R13 and DHCP 4.3.4, at some point this month. Both versions will include code that should make the vulnerability harder to exploit.
The United States Computer Emergency Readiness Team (US-CERT) warned users of the vulnerability on Monday, while the ISC broke the issue, CVE-2016-2774, down in further detail.
Essentially, because the ISC DHCP server doesn’t limit the number of open connections, an attacker could open and never close a collection of TCP connections. The group claims it’s tricky to pinpoint exactly what will happen if an attacker interfered with a DHCP server like that – it really depends on a handful of variables – but the most likely outcome is unresponsiveness and exhaustion of server resources.
ISC DHCP can be crashed if remote mgmt ports are exposed. https://t.co/0HWfLlqoPF remedy with config change. ^vr
— ISC (@ISCdotORG) March 8, 2016
The server could deliberately exit, stop answering client requests, stop accepting OMAPI clients, or “consume all available sockets,” and thwart any other services from running concurrently, according to Michael McNally, a Support Engineer at ISC.
It’s the second month this year that the ISC has patched DHCP to address a denial of service vulnerability. January’s issue, which could’ve been caused by a badly formed packet, plagued practically all IPv4 DHCP clients and relays and most servers.
As of Tuesday, the Downloads section of ISC’s site still shows last month’s updates, but both the ISC and US-CERT insist that updated versions of the client/server protocol will be available soon.
There are alternatives for server operators looking to solve the issue immediately.
The ISC claims users can simply restrict servers so only trusted hosts are allowed to make connections to DHCP communication channels. They can also block connections to the OMAPI control port and the failover communication ports from other hosts.
Users can also just outright disable the OMAPI control port if they’re not actively using them, the ISC claims, adding that’s where the highest instance of risk is.