17 matches found
Do Not Enable the DHCP Service
The Dynamic Host Configuration Protocol (DHCP) service provides dynamic allocation of IP addresses to machines. Unless a system is the designated DHCP server, you are advised to disable its DHCP service to reduce the attack surface.
CISA: 2019 Edition - REAL ID Act of 2005 Implementation: an Interagency Security Committee Guide
CISA: November 2014/1st Edition - Best Practices for Working with Lessors: an Interagency Security Committee Guide
CISA: 2020 Edition - Facility Access Control: an Interagency Security Committee Best Practice
CISA: Occupant Emergency Programs: an Interagency Security Committee Guide – 2024 Edition
CISA: February 2015/1st Edition - Facility Security Plan: an Interagency Security Committee Guide
GHSA-VJG6-93FV-QV64 Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only
Vulnerability type: Logging. Detail: etcd users who have no password can authenticate only through a client certificate. When such users try to authenticate into etcd using the Authenticate endpoint, errors are logged with insufficient information regarding why the authentication failed, and may be...
Etcd pkg Insecure ciphers are allowed by default
Vulnerability type: Cryptography. Detail: The TLS ciphers list supported by etcd contains insecure cipher suites. Users can configure the desired ciphers using the “--cipher-suites” flag, and a default list of secure cipher suites is used if empty. Workarounds: By default, no action is required. If...
GHSA-5X4G-Q5RC-36JP Etcd pkg Insecure ciphers are allowed by default
Vulnerability type: Cryptography. Detail: The TLS ciphers list supported by etcd contains insecure cipher suites. Users can configure the desired ciphers using the “--cipher-suites” flag, and a default list of secure cipher suites is used if empty. Workarounds: By default, no action is required. If...
Duplicate
This advisory duplicates another...
Etcd Gateway TLS endpoint validation only confirms TCP reachability
Vulnerability type: Cryptography. Workarounds: Refer to the gateway documentation. The vulnerability was spotted due to unclear documentation of how the gateway handles endpoint validation. Detail: Secure endpoint validation is performed by the etcd gateway start command when the --discovery-srv fla...
Etcd embed auto compaction retention negative value causing a compaction loop or a crash
Impact: Data Validation. Detail: The parseCompactionRetention function in embed/etcd.go allows the retention variable value to be negative and causes the node to execute the history compaction in a loop, taking more CPU than usual and spamming logs. References: Find out more on this vulnerability in...
GHSA-2XHQ-GV6C-P224 Etcd Gateway can include itself as an endpoint resulting in resource exhaustion
Vulnerability type: Denial of Service. Detail: The etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesti...
Improper Preservation of Permissions in etcd
Vulnerability type: Access Controls. Detail: etcd creates certain directory paths (the etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using os.MkdirAll. This functio...
GHSA-P4G4-WGRH-QRG2 Panic due to malformed WALs in go.etcd.io/etcd
Vulnerability type: Data Validation. Detail: The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant tryi...
etcd's WAL `ReadAll` method vulnerable to an entry with large index causing panic
Vulnerability type: Data Validation. Detail: In the ReadAll method in wal/wal.go, it is possible to have an entry index greater than the number of entries. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime...
GHSA-M332-53R6-2W93 etcd's WAL `ReadAll` method vulnerable to an entry with large index causing panic
Vulnerability type: Data Validation. Detail: In the ReadAll method in wal/wal.go, it is possible to have an entry index greater than the number of entries. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime...