RHEL 6 / 7 : ISC DHCP Concurrent TCP Sessions DoS

2016-03-29T00:00:00
ID REDHAT-ISC-DHCP-CVE-2016-2774.NASL
Type nessus
Reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
Modified 2020-02-02T00:00:00

Description

Red Hat Enterprise Linux 6 / 7 is affected by a denial of service vulnerability in the bundled ISC DHCP server due to a failure to properly restrict the number of concurrent TCP sessions to the ports the server uses for inter-process communication and control. An unauthenticated, remote attacker can exploit this by opening a large number of TCP sessions, causing the server to stop processing requests, exit unexpectedly, or exhaust the system's sockets.

Note that this vulnerability is more easily exploited when the DHCP server is using OMAPI for remote management.

                                        
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Nessus first loads a plugin in "description" mode to register its
  # metadata; the exit(0) at the end of this block keeps the host checks
  # further down from running during that pass.
  script_id(90250);
  script_version("1.5");
  script_cvs_date("Date: 2018/07/27 18:38:15");

  script_cve_id("CVE-2016-2774");

  script_name(english:"RHEL 6 / 7 : ISC DHCP Concurrent TCP Sessions DoS");
  script_summary(english:"Checks the running services and the rpm output for the affected package.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"RedHat Enterprise Linux 6 / 7 is affected by a denial of service
vulnerability in the bundled ISC DHCP server due to a failure to
properly restrict the number of concurrent TCP sessions to the ports
the server uses for inter-process communications and control. An
unauthenticated, remote attacker can exploit this, by opening a large
number of TCP sessions, to cause the server to fail to process
requests or to exit unexpectedly, or to cause an exhaustion of system
sockets.

Note that this vulnerability is more easily exploited when the DHCP
server is using OMAPI for remote management.");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-2774");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/article/AA-01354");
  # No fixed package is offered: the remedy is a network-level restriction,
  # which is why the checks below also report the TCP ports dhcpd listens on.
  script_set_attribute(attribute:"solution", value:
"Restrict access to the DHCP server to trusted networks and peers only.

Note that RedHat, at this time, has deferred the fix for RedHat
Enterprise Linux 6 / 7 to a later date.");
  # CVSSv2: network-reachable, low complexity, no authentication; impact is
  # availability only (complete). NOTE(review): the temporal RL:OF
  # ("official fix") reads oddly next to the deferred-fix solution text
  # above -- worth confirming which is intended.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");

  # Credentialed (local) check: the rpm comparison needs the release and
  # architecture keys, and the listener check reads the Host/Daemons/*
  # inventory that process_on_port.nasl populates.
  script_dependencies("ssh_get_info.nasl", "process_on_port.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

# Host gating. Every unmet precondition leaves through audit(), which
# records the reason and exits the plugin.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release)
  audit(AUDIT_OS_NOT, "Red Hat");

# Pull the major(.minor) release out of the banner; only RHEL 6.x and 7.x
# are covered by the package references further down.
ver_match = eregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(ver_match))
  audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = ver_match[1];
if (!ereg(pattern:"^(6|7)([^0-9]|$)", string:os_ver))
  audit(AUDIT_OS_NOT, "Red Hat 6.x / 7.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Architecture gating: x86 (32- or 64-bit) and s390 pass; anything else is
# reported as not implemented rather than silently treated as clean.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
  audit(AUDIT_UNKNOWN_ARCH);
is_x86 = ("x86_64" >< cpu) || (cpu =~ "^i[3-6]86$");
if (!is_x86 && "s390" >!< cpu)
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

# Confirm dhcpd is actually running and has a TCP listener. The package is
# frequently installed only for the tools it bundles, and the weakness is in
# the TCP control/OMAPI listener, so a dhcpd with no TCP socket is not
# exposed to it.
dhcpdon = FALSE;
tcports = make_list();
daemons = get_kb_list("Host/Daemons/*");
foreach kbitem (keys(daemons))
{
  if (daemons[kbitem] !~ "/dhcpd$") continue;

  dhcpdon = TRUE;
  # Keys of the form .../tcp/<port> contribute a port; any other entry for
  # the daemon (non-TCP) yields no match and is skipped.
  port = eregmatch(pattern:"/tcp/(\d+)$", string:kbitem);
  if (!empty_or_null(port)) tcports = make_list(port[1], tcports);
}

if (!dhcpdon) audit(AUDIT_HOST_NOT, "running a DHCP server");
if (empty_or_null(tcports)) audit(AUDIT_HOST_NOT, "running a DHCP server listening on TCP ports");

rpms = get_kb_item("Host/RedHat/rpm-list");

# Locate the server package line ("dhcp-<digit>..."); requiring a digit after
# the hyphen skips sibling packages whose names continue with letters.
pkg_match = eregmatch(pattern:"(^|\n)(dhcp-\d.*)($|\n)", string:rpms);
if (empty_or_null(pkg_match)) audit(AUDIT_PACKAGE_NOT_INSTALLED, "dhcp");

# Capture group 2 is the bare package line, used verbatim in the report.
installed = pkg_match[2];

# A package is affected when it is older than the reference build
# (rpm_check()) or, because Red Hat had deferred the fix at publication
# time, when it is the reference build itself (rpm_exists() appears to
# match that exact build). Newer builds released later are treated as clean.
# NOTE(review): on s390 hosts, which the arch gate above admits, none of the
# cpu-specific rpm_check() references apply, so only rpm_exists() can raise
# the flag there -- presumably intentional; verify.
flag = 0;
refs = make_array(
  "RHEL6", "dhcp-4.1.1-49.P1.el6",
  "RHEL7", "dhcp-4.2.5-42.el7"
);
foreach rel (make_list("RHEL6", "RHEL7"))
{
  foreach arch (make_list("i686", "x86_64", "i386"))
    if (rpm_check(release:rel, cpu:arch, reference:refs[rel])) flag++;
  if (rpm_exists(rpm:refs[rel], release:rel)) flag++;
}

if (!flag)
{
  # Nothing matched: tell "tested and clean" apart from "not installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  audit(AUDIT_PACKAGE_NOT_INSTALLED, "dhcp");
}

# Report the exposed listener(s) next to the installed package so the
# operator can scope the network restriction the solution calls for. The
# finding is raised against the host (port:0); the ports travel in the text.
items = make_array(
  "Listening on port(s)", join(sep:",", tcports),
  "Remote package installed", installed,
  "Recommended action", "Restrict access to the above port(s)"
);
security_report_v4(port:0, severity:SECURITY_HOLE, extra:report_items_str(report_items:items));