CVE-2021-25217 – DHCP(d) remotely exploitable vulnerability

Are you running DHCP on your network? There is a good chance that you are. Make sure you’re protected against the exploit in CVE-2021-25217.

DHCP is a critical network component that had a vulnerability publicly reported on the 26th of May, which offered a possible remote exploit opportunity to malicious actors.

According to the report, the flaw is present in versions 4.1-ESV-R1 up to 4.1-ESV-R16, 4.4.0 up to 4.4.2. Previous, lower versions in the 4.0.x and 4.3.x series are also affected but are out of official vendor support.

TuxCare’s Extended Lifecycle Support Team prepared and started delivering patches for this vulnerability for all Linux distributions covered by the service. Patches were made available the same day that the vulnerability was publicly disclosed.

Both the dhcp server, called dhcpd, and the dhcp client, called dhclient, are vulnerable.

The code used to read and parse stored leases, a term that describes an IP/MAC address pair that has been assigned by dhcp, contains a flaw. This flaw could be exploited to cause several possible effects like Denial-of-Service of the server, lease deletion which could cause an IP to be reassigned and create an address conflict in the network, or even a dhcp client crash.

The different possible results come from the component being attacked (the server or the client), which specific flags were used when compiling the DHCP code (-fstack-protection-strong), and the architecture used (32 bit or 64 bit).

There are some nuances to the possible outcomes, but none of them significantly improves the situation to a point where this flaw could be ignored. It is advisable to patch or upgrade as soon as possible to reduce the risk. More details can be found on the ISC page for the vulnerability here.

No publicly available exploit code is currently known, but a proof-of-concept has been used privately to test and validate the fixes.