ISC DHCP Server Denial of Service

June 18, 2010

The Dynamic Host Configuration Protocol (DHCP) is a computer networking protocol used by hosts (DHCP clients) to retrieve IP address assignments and other configuration information. DHCP uses a client-server architecture and utilizes UDP ports 67 and 68 for communication. The client sends a broadcast request for configuration information. The DHCP server receives the request and responds with configuration information from its configuration database. A typical DHCP transaction looks like:

[ Client ] ----- DISCOVER ----> [ Server ]
[ Client ] <------ OFFER ------ [ Server ]
[ Client ] ----- REQUEST -----> [ Server ]
[ Client ] <------- ACK ------- [ Server ]

All DHCP messages consist of a fixed-length header and some variable-length options. Each individual option record has the following format:

Offset Size Value
====== ==== ====================
0000 1 Option code
0001 1 Option length (len)
0002 len Option data

One of the option records is option 61, the Client Identifier.
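The option area is a plain type-length-value list, so a server must check every length byte against the bytes actually remaining before it trusts it, and must decide what to do when a record it relies on is present but empty. The following is an added illustration, not code from the ISC DHCP server: a bounds-checked walk over the option records that reports a Client Identifier (option 61) as found, absent, zero-length, or truncated. The sample option buffers are constructed here for the example; option 53 (DHCP Message Type) and the codes 0 (pad) and 255 (end) come from RFC 2132.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DHCP option codes used in this example (RFC 2132). */
#define DHO_PAD        0
#define DHO_MSG_TYPE   53
#define DHO_CLIENT_ID  61
#define DHO_END        255

/* Outcome of looking for one option in the variable-length options area. */
enum opt_status {
    OPT_FOUND = 0,     /* present, well-formed, non-empty value */
    OPT_ABSENT = 1,    /* options area well-formed, option not present */
    OPT_EMPTY = 2,     /* present but its length field is 0 */
    OPT_TRUNCATED = 3  /* a length field claims more bytes than the buffer holds */
};

/* Walk the option records in buf[0..len) looking for `code`.
 * On OPT_FOUND, *val and *vlen describe the option data inside buf.
 * No length byte is used before it is compared with the bytes remaining. */
enum opt_status find_option(const uint8_t *buf, size_t len, uint8_t code,
                            const uint8_t **val, size_t *vlen)
{
    size_t i = 0;
    while (i < len) {
        uint8_t opt = buf[i++];
        if (opt == DHO_END)
            break;
        if (opt == DHO_PAD)          /* single byte, carries no length field */
            continue;
        if (i >= len)                /* code present but its length byte is missing */
            return OPT_TRUNCATED;
        size_t olen = buf[i++];
        if (olen > len - i)          /* data would run past the end of the buffer */
            return OPT_TRUNCATED;
        if (opt == code) {
            if (olen == 0)
                return OPT_EMPTY;
            *val = buf + i;
            *vlen = olen;
            return OPT_FOUND;
        }
        i += olen;                   /* skip a record we are not interested in */
    }
    return OPT_ABSENT;
}

/* Convenience wrapper: classify the Client Identifier in one options area. */
enum opt_status client_id_status(const uint8_t *buf, size_t len)
{
    const uint8_t *val = NULL;
    size_t vlen = 0;
    return find_option(buf, len, DHO_CLIENT_ID, &val, &vlen);
}

/* Constructed sample option areas (message type DISCOVER = 1). */
static const uint8_t sample_ok[] = {
    DHO_MSG_TYPE, 1, 1,
    DHO_CLIENT_ID, 7, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, /* type 1 + MAC */
    DHO_END
};
static const uint8_t sample_empty[] = {      /* Client ID with length 0 */
    DHO_MSG_TYPE, 1, 1,
    DHO_CLIENT_ID, 0,
    DHO_END
};
static const uint8_t sample_truncated[] = {  /* Client ID claims 7 bytes, 1 present */
    DHO_MSG_TYPE, 1, 1,
    DHO_CLIENT_ID, 7, 0x01
};
static const uint8_t sample_absent[] = {     /* no Client ID at all */
    DHO_MSG_TYPE, 1, 1,
    DHO_PAD, DHO_PAD,
    DHO_END
};

int main(void)
{
    printf("well-formed: %d\n", client_id_status(sample_ok, sizeof sample_ok));
    printf("zero-length: %d\n", client_id_status(sample_empty, sizeof sample_empty));
    printf("truncated:   %d\n", client_id_status(sample_truncated, sizeof sample_truncated));
    printf("absent:      %d\n", client_id_status(sample_absent, sizeof sample_absent));
    return 0;
}
```

A server that treats OPT_EMPTY and OPT_TRUNCATED as "ignore this message" (or falls back to the hardware address from the fixed header for lease lookup) keeps serving other clients; a server that assumes the record is present and well-formed is the kind of code path this class of bug lives in.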

A denial of service vulnerability exists in the ISC DHCP server, the most widely used open source DHCP implementation. The vulnerability is due to a design error in the handling of a crafted Client Identifier option record. A remote attacker could exploit it by sending a crafted DHCP message to the target server; successful exploitation terminates the server process, causing a denial of service condition.

The CVE identifier for this vulnerability is CVE-2010-2156.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 1079 ISC DHCP Server Client ID DoS