CVE-2016-2774: An attacker who is allowed to connect to DHCP inter-server communications and control channels can exhaust server resources
mcnally at isc.org
Tue Mar 8 00:42:25 UTC 2016
Document Version: 2.0
Posting date: 07 March 2016
Program Impacted: ISC DHCP
4.1.0->4.1-ESV-R12-P1, 4.2.0->4.2.8, 4.3.0->4.3.3-P1. Older
versions may also be affected but are well beyond their end-of-life
(EOL). Releases prior to 4.1.0 have not been tested.
Remotely, if remote network connections to the DHCP server's
control ports (e.g. OMAPI and failover) are permitted.
In many cases, the ISC DHCP server does not effectively limit
the number of simultaneous open TCP connections to the ports the
server uses for inter-process communications and control. Because
of this, a malicious party could interfere with server operation
by opening (and never closing) a large number of TCP connections
to the server.
By exploiting this vulnerability an attacker can interfere with
DHCP server operation. Exact results are difficult to summarize
concisely because the effect of an attack varies depending on
server version, the channel being attacked, and in some operating
systems on environment settings inherited from the launching
shell (e.g. "ulimit" settings on per-process open file descriptors)
but depending on the combination potential undesirable outcomes
include (but are not necessarily limited to):
- The server may deliberately exit after encountering an INSIST
failure (server version dependent).
- The server may become unresponsive and stop answering client requests.
- The server may continue operating but not be able to accept further
connections from OMAPI clients or failover peers.
- If no limits are inherited from the environment, the server may
consume all available sockets, potentially interfering with other
services running on the same machine.
Risk of exploitation is highest on the OMAPI port (if OMAPI is
configured). The failover code will close incoming connections
if they are not received from a peer (making it more difficult
but not impossible to attack a server using failover channels).
OMAPI, however, has no logic in the server limiting addresses
from which it will accept connections. A firewall is recommended
as an industry-standard precaution against accepting connections
from untrusted hosts.
CVSS Score: 5.7
CVSS Vector: (AV:A/AC:M/Au:N/C:N/I:N/A:C)
For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
ISC recommends that server operators restrict the hosts allowed
to make connections to DHCP server inter-process communication
channels to trusted hosts, blocking connections to the OMAPI
control port and the failover communications ports from all other
If OMAPI and/or failover are not being actively used, they can
be disabled. The ISC Knowledge Base contains some information
that operators may find relevant:
Additionally, in environments where per-process file descriptor
limits can be inherited from the shell used to launch dhcpd,
using ulimit to set a reasonable limit on simultaneous socket
connections can prevent the INSIST assertion failure outcome but
may still allow interference with legitimate interprocess
No known active exploits, but a public mention of the issue has
occurred on an open mailing list.
Mitigation code which will make this vulnerability harder to
exploit will be added to the upcoming DHCP maintenance releases
(DHCP 4.1-ESV-R13, DHCP 4.3.4, due to be released in March 2016.)
However, the strategies described in the "Workarounds" section
of this document are effective and can prevent exploitation of
the vulnerability. Unless server operators have identified
operational needs unique to their environment which conflict
with this advice, ISC recommends blocking incoming TCP connections
from untrusted hosts as a preferred strategy.
ISC would like to thank Konstantin Orekhov for discovering this
Document Revision History:
1.0 Advance Notification 04 March 2016
2.0 Public Disclosure 07 March 2016
If you'd like more information on ISC Subscription Support and
Advance Security Notifications, please visit http://www.isc.org/support/.
Do you still have questions? Questions regarding this advisory
should go to security-officer at isc.org. To report a new issue,
please encrypt your message using security-officer at isc.org's PGP
key which can be found here:
If you are unable to use encrypted email, you may also report new
issues at: https://www.isc.org/community/report-bug/.
ISC patches only currently supported versions. When possible we
indicate EOL versions affected. (For current information on
which versions are actively supported, please see
ISC Security Vulnerability Disclosure Policy:
Details of our current security advisory policy and practice can
be found here:
This Knowledge Base article https://kb.isc.org/article/AA-01354 is
the complete and official security advisory document.
Internet Systems Consortium (ISC) is providing this notice on
an "AS IS" basis. No warranty or guarantee of any kind is expressed
in this notice and none should be implied. ISC expressly excludes
and disclaims any warranties regarding this notice or materials
referred to in this notice, including, without limitation, any
implied warranty of merchantability, fitness for a particular
purpose, absence of hidden defects, or of non-infringement. Your
use or reliance on this notice or materials referred to in this
notice is at your own risk. ISC may change this notice at any
time. A stand-alone copy or paraphrase of the text of this
document that omits the document URL is an uncontrolled copy.
Uncontrolled copies may lack important information, be out of
date, or contain factual errors.
(c) 2001-2016 Internet Systems Consortium
More information about the dhcp-announce