
dhcp: Several Vulnerabilities (CVE-2022-2928 CVE-2022-2929)

Open CamberLoid opened this issue 2 years ago • 1 comment

CVE IDs

CVE-2022-2928, CVE-2022-2929

Other security advisory IDs

  • Upstream:
    • https://kb.isc.org/docs/cve-2022-2928
    • https://kb.isc.org/docs/cve-2022-2929
  • Debian: https://security-tracker.debian.org/tracker/DSA-5251-1
  • Ubuntu: https://ubuntu.com/security/notices/USN-5658-1

Description

  • CVE-2022-2928: It was discovered that (isc-)dhcp at versions before 4.4.3-P1 incorrectly handles option reference counting, resulting in a possible denial of service when the issue is exploited by an attacker.
  • CVE-2022-2929: It was discovered that (isc-)dhcp at versions before 4.4.3-P1 incorrectly handles certain memory operations, which may cause a memory leak and lead to a denial of service by exhausting resources when attacked.

The current version of the dhcp package in the repository is vulnerable to the aforementioned problems, and an upgrade will fix this issue.

Patches

4.4.3-P1

PoC(s)

N/A

CamberLoid, Oct 09 '22 15:10

Update: ISC DHCP server/client has reached its EOL. https://www.isc.org/blogs/isc-dhcp-eol/

CamberLoid, Oct 12 '22 02:10

Fixed via #4290.

CamberLoid, Nov 29 '22 09:11