ISC DHCP Server Denial of Service

June 18, 2010

The Dynamic Host Configuration Protocol (DHCP) is a computer networking protocol used by hosts (DHCP clients) to retrieve IP address assignments and other configuration information. DHCP uses a client-server architecture and utilizes UDP ports 67 and 68 for communication. The client sends a broadcast request for configuration information. The DHCP server receives the request and responds with configuration information from its configuration database. A typical DHCP transaction looks like:

[ Client ] ----- DISCOVER ----> [ Server ]

[ Client ] <------ OFFER ------ [ Server ]

[ Client ] ----- REQUESST ----> [ Server ]

[ Client ] <------- ACK ------- [ Server ]

All DHCP messages consist of a fixed-length header and some variable-length options. Each individual option record has the following format:

Offset Size Value

====== ==== ====================

0000 1 Option code

0001 1 Option length (len)

0002 len Option data

One of the option records is option 61, the Client Identifier.

A denial of service vulnerability exists in ISC DHCP server, which is the most widely used open source DHCP implementation. Specifically, the vulnerability is due to a design error in the handling of crafted Client Identifier option record. A remote attacker could exploit this vulnerability by sending a crafted DHCP message to the target server. Successful exploitation would terminate the process and cause a denial of service condition.

The CVE identifier for this vulnerability is CVE-2010-2156.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

1079 ISC DHCP Server Client ID DoS

[ Client ]	----- DISCOVER ---->	[ Server ]
[ Client ]	<------ OFFER ------	[ Server ]
[ Client ]	----- REQUESST ---->	[ Server ]
[ Client ]	<------- ACK -------	[ Server ]

Offset	Size	Value
======	====	====================
0000	1	Option code
0001	1	Option length (len)
0002	len	Option data