CVE-2022-2928 : Security Advisory and Response

A vulnerability in ISC DHCP servers could potentially result in a server crash due to an option refcount overflow issue. This article provides insights into the impact of CVE-2022-2928, technical details, and mitigation strategies.

Understanding CVE-2022-2928

In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, an option refcount overflow vulnerability exists, posing a risk of server crashes.

What is CVE-2022-2928?

The vulnerability arises when the function option_code_hash_lookup() increases an option's refcount without decrementing it, leading to a potential overflow of reference counters and subsequent server aborts.

The Impact of CVE-2022-2928

The vulnerability affects ISC DHCP versions 4.4.0 through versions before 4.4.3-P1 and versions 4.1 ESV 4.1-ESV-R1 through versions before 4.1-ESV-R16-P1, potentially resulting in server crashes.

Technical Details of CVE-2022-2928

Vulnerability Description

The issue stems from the add_option() function in server responses to lease query packets, where the refcount field of options may overflow due to the absence of corresponding decrements.

Affected Systems and Versions

Vendor: ISC
Product: ISC DHCP
Affected Versions: 4.4.0 through versions before 4.4.3-P1, 4.1 ESV 4.1-ESV-R1 through versions before 4.1-ESV-R16-P1

Exploitation Mechanism

The issue can be exploited by sending lease queries for the same lease multiple times to trigger the add_option() function, leading to refcount overflows.

Mitigation and Prevention

Immediate Steps to Take

To mitigate the vulnerability, consider disabling lease query on the server for DHCPv4 or restarting the server periodically.

Long-Term Security Practices

Upgrade to the patched release closely related to your current ISC DHCP version to prevent potential server crashes. Available patched releases can be downloaded from the ISC website.

Patching and Updates

Upgrade to the following patched releases: 4.4.3-P1, 4.1-ESV-R16-P2