CVE-2022-2928

An option refcount overflow exists in dhcpd

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.

En ISC DHCP versiones 4.4.0 anteriores a 4.4.3, ISC DHCP versiones 4.1-ESV-R1 anteriores a 4.1-ESV-R16-P1, cuando la función option_code_hash_lookup() es llamada desde add_option(), incrementa el campo refcount de la opción. Sin embargo, no se presenta una llamada correspondiente a option_dereference() para disminuir el campo refcount. La función add_option() sólo es usada en las respuestas del servidor a paquetes de consulta de arrendamiento. Cada respuesta de consulta de arrendamiento llama a esta función para varias opciones, por lo que eventualmente, los contadores de referencia podrían desbordarse y causar a el servidor abortar

An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increases the option's "refcount" field. However, there is not a corresponding call to "option_dereference()" to decrement the "refcount" field. The "add_option()" function is only used in server responses to lease query packets. Each lease query response calls this function for several options. Hence, a DHCP server configured with "allow lease query," a remote machine with access to the server, can send lease queries for the same lease multiple times, leading to the "add_option()" function being called repeatedly. This issue could cause the reference counters to overflow and the server to abort or crash.

*Credits: ISC would like to thank VictorV of Cyber Kunlun Lab for discovering and reporting this issue.

CVSS Scores

Internet Systems Consortium (ISC)v3.1 6.5

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-08-22 CVE Reserved
2022-10-06 CVE Published
2024-05-14 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-190: Integer Overflow or Wraparound
CWE-476: NULL Pointer Dereference

CAPEC

References (8)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2022/10/msg00015.html	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://kb.isc.org/docs/cve-2022-2928	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2SARIK7KZ7MGQIWDRWZFAOSQSPXY4GOU	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQXYCIWUDILRCNBAIMVFCSGXBRKEPB4K	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T6IBFH4MRRNJQVWEKILQ6I6CXWW766FX	2023-11-07
https://security.gentoo.org/glsa/202305-22	2023-11-07
https://access.redhat.com/security/cve/CVE-2022-2928	2023-05-16
https://bugzilla.redhat.com/show_bug.cgi?id=2132002	2023-05-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				>= 4.4.0 <= 4.4.3 Search vendor "Isc" for product "Dhcp" and version " >= 4.4.0 <= 4.4.3"		-		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r10		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r10_b1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r10_rc1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r10b1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r10rc1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r11		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r11_b1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r11_rc1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r11_rc2		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r11b1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r11rc1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r11rc2		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r12		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r12-p1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r12_b1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r12_p1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r12b1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r13		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r13_b1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r13b1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r14		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r14_b1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r14b1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r15		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r15-p1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r15_b1		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r16		Affected
Isc Search vendor "Isc"		Dhcp Search vendor "Isc" for product "Dhcp"				4.1-esv Search vendor "Isc" for product "Dhcp" and version "4.1-esv"		r16-p1		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected