ISC Security Advisory: CVE-2013-2494: A Vulnerability in libdns Could Cause Excessive Memory Use in ISC DHCP 4.2

Eddy Winstead ewinstead at
Tue Mar 26 16:13:58 UTC 2013


   This email advisory is provided for your information. The most
   up to date advisory information will always be at: please use this URL for the
   most up to date advisory information.


A memory exhaustion bug has been discovered in libdns, which is

used by ISC DHCP 4.2.  Theoretically this could be exploited to

cause memory exhaustion in ISC DHCP 4.2.

CVE:                   CVE-2013-2494

Document Version:      2.0

Posting date:          26 March 2013

Program Impacted:      ISC DHCP

Versions affected:     4.2.0 -> 4.2.5.  ISC DHCP versions prior to 4.2.0

                        (including 4.1-ESV) are not affected.

Severity:              Low

Exploitable:           From adjacent networks


    Exploitation of a memory exhaustion bug in libdns is theoretically

    possible in ISC DHCP 4.2, which uses the library from BIND 9 for

    Dynamic DNS.

    Unlike vulnerabilities which can be exercised by a machine

    impersonating a malicious client, exploitation of this vulnerability

    is complex and requires either controlling a nameserver with

    whom the DHCP server process is communicating or successfully

    spoofing traffic to appear as such. These preconditions result

    in a CVSS severity of "Low", but operators using vulnerable

    versions of DHCP 4.2 are nevertheless recommended to upgrade to

    DHCP 4.2.5-P1, which prevents exploitation of the libdns library



    Servers which are targeted by a successful attack will exhaust

    all memory available to the server process, which is likely to

    crash the DHCP server and may affect other processes running on

    the same physical machine when system memory is exhausted.

CVSS Score:  4.9

CVSS Equation:  (AV:N/AC:H/Au:S/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and

to obtain your specific environmental score please visit: 



Active exploits:

    No known active exploits.


    Upgrade to DHCP 4.2.5-P1

Document Revision History:

    1.0 Phase One - Advance Notification, 18 March 2013

    1.2 Phase Two & Three Notification, 25 March 2013

    2.0 Public notification, 26 March 2013

Related Documents:

    If you'd like more information on our Forum or product support


    Do you still have questions?  Questions regarding this advisory

    should go tosecurity-officer at


   ISC patches only currently supported versions. When possible we

   indicate EOL versions affected.

ISC Security Vulnerability Disclosure Policy: Details of our current

security advisory policy and practice can be found here:

This Knowledge Base article  is

the complete and official security advisory document.

Legal Disclaimer:

    Internet Systems Consortium (ISC) is providing this notice on

    an "AS IS" basis. No warranty or guarantee of any kind is expressed

    in this notice and none should be implied. ISC expressly excludes

    and disclaims any warranties regarding this notice or materials

    referred to in this notice, including, without limitation, any

    implied warranty of merchantability, fitness for a particular

    purpose, absence of hidden defects, or of non-infringement. Your

    use or reliance on this notice or materials referred to in this

    notice is at your own risk. ISC may change this notice at any

    time.  A stand-alone copy or paraphrase of the text of this

    document that omits the document URL is an uncontrolled copy.

    Uncontrolled copies may lack important information, be out of

    date, or contain factual errors.

(c) 2001-2013 Internet Systems Consortium

More information about the dhcp-users mailing list