Security Release: DHCP 4.2.0-P2 is now available

Larissa Shapiro larissas at
Fri Dec 10 21:05:11 UTC 2010

Hash: SHA1

	ISC DHCP 4.2-P2 is now available for download.

This is a SECURITY release of ISC DHCP 4.2, and fixes one security
related bug.  The security advisory is included below.

A list of the changes in this release has been appended to the end
of this message.  For a complete list of changes from any previous
release, please consult the RELNOTES file within the source
distribution, or on our website:

This release, and its OpenPGP-signatures are available now from:

ISC's Release Signing Key can be obtained at:

                       Changes since 4.2.0-P1

! Fix the handling of connection requests on the failover port.
  Previously a connection request from a source that wasn't
  listed as a failover peer would cause the server to become
  non-responsive.  [ISC-Bugs #22679]
  CERT: VU#159528 CVE: CVE-2010-3616

Security Advisory:

DHCP: Server Hangs with TCP to Failover Peer Port

If a server receives a TCP connection on a port that has been configured
for communication with a failover peer, this can cause it to become
non-responsive to all normal DHCP protocol traffic.

CVE: CVE-2010-3616
CERT: VU#159528
Posting date: 10 Dec 2010
Program Impacted: DHCP
Versions affected: 4.2
Severity: High
Exploitable: remotely


If a TCP connection is established to the server on a port which has
been configured for communication with a failover peer, this can cause
it to become non-responsive to all normal DHCP protocol traffic.  The
server will progress to a communications-interrupted state - but in
addition will also cease to provide DHCP services to clients.  The
server must be restarted to resume normal operation.

CVSS: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
(for more on CVSS scores and to calculate your environment's
specific risk, please visit:

Impact and Risk Assessment: This can be used as an attack vector against
servers that are configured for failover partnerships


Users running DHCP servers in failover configurations may be able to
minimise the risk to TCP ports used for peer-peer DHCP server
communication by careful packet filtering on the hosts and network
gateways that limits access to traffic between the configured failover
peers - but ideally they should upgrade.  (Regardless of which version
of DHCP is deployed, users are advised that it is good security practice
to limit traffic to their omapi and failover ports via packet filters,
firewalls etc.)

Active exploits:

None known at this time.  Issue found by a user and reported via the
dhcp-users community mailing list, therefore consider this vulnerability


Upgrade DHCP to 4.2.0-P2.

Acknowledgment: Brad Bendily, for finding and testing
the problem.

For more information please check the latest advisory update here:
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla -


More information about the dhcp-workers mailing list