Lucene search

K
redhatcveRedhat.comRH:CVE-2022-2928
HistoryOct 05, 2022 - 2:57 p.m.

CVE-2022-2928

2022-10-0514:57:20
redhat.com
access.redhat.com
110
dhcp server
integer overflow
add_option()" function
option_code_hash_lookup()
refcount" field
lease query
server crash
mitigation.

CVSS3

6.5

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

43.6%

An integer overflow vulnerability was found in the DHCP server. When the “option_code_hash_lookup()” function is called from “add_option()”, it increases the option’s “refcount” field. However, there is not a corresponding call to “option_dereference()” to decrement the “refcount” field. The “add_option()” function is only used in server responses to lease query packets. Each lease query response calls this function for several options. Hence, a DHCP server configured with “allow lease query,” a remote machine with access to the server, can send lease queries for the same lease multiple times, leading to the “add_option()” function being called repeatedly. This issue could cause the reference counters to overflow and the server to abort or crash.

Mitigation

Possible workaround - Disable lease query on the server for DHCPv4 or restart the server periodically.

CVSS3

6.5

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

43.6%