CVE-2015-8605
Published 2016-01-14
Priority: P3 · 40 · medium · CVSS 3.0: 6.5
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 76.45% (99.5th percentile)
ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet.
Affected
31 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | isc-dhcp | < isc-dhcp 4.3.3-7 (bookworm) | isc-dhcp 4.3.3-7 (bookworm) |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
Detection & IOCs
- The vulnerability is triggered by a malformed UDP IPv4 packet with an invalid (attacker-controlled) length field sent to a DHCP server, client, or relay. Monitor for DHCP processes (dhcpd, dhclient, dhcrelay) crashing unexpectedly, which may indicate exploitation attempts.
- The attack vector is network-based (UDP, standard DHCP ports). The exploit is most practical when the DHCP process is a 32-bit binary running on a 64-bit OS, where stack memory can be placed near the end of the 32-bit address space. ASLR may cause only some invocations to be vulnerable.
- Red Hat Enterprise Linux 5, 6, and 7 ship only 64-bit DHCP packages; the wraparound condition cannot be triggered on those platforms, so they are assessed as not practically affected.
- The attacker-controlled offset is bounded by the maximum UDP packet length (~64 KB / 2^16), meaning exploitation requires the stack buffer to be placed within ~64 KB of the top of the 32-bit address space — a condition influenced by ASLR.
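The length validation these notes call for, as an added example (not ISC DHCP code and not the upstream patch): the IPv4 header length and the sender-controlled UDP length field are checked against the number of bytes actually received before any payload is touched. The names `udp_payload_len` and `make_sample` and the sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MIN_HLEN 20u
#define UDP_HLEN     8u

/* Hypothetical validator, illustration only (not ISC DHCP code).
 * buf points at the IPv4 header; buflen is the number of bytes received.
 * Returns the UDP payload length, or -1 if a length field is inconsistent. */
long udp_payload_len(const uint8_t *buf, size_t buflen)
{
    if (buf == NULL || buflen < IP_MIN_HLEN + UDP_HLEN)
        return -1;
    if ((buf[0] >> 4) != 4 || buf[9] != 17)        /* IPv4 carrying UDP */
        return -1;
    size_t ip_hlen = (size_t)(buf[0] & 0x0f) * 4;  /* IHL in 32-bit words */
    if (ip_hlen < IP_MIN_HLEN || ip_hlen > buflen - UDP_HLEN)
        return -1;
    size_t ulen = ((size_t)buf[ip_hlen + 4] << 8) | buf[ip_hlen + 5];
    /* Compare lengths only; never form buf + ulen, a pointer sum that can
     * wrap when the buffer sits near the top of a 32-bit address space. */
    if (ulen < UDP_HLEN || ulen > buflen - ip_hlen)
        return -1;
    return (long)(ulen - UDP_HLEN);
}

/* Constructed sample: 20-byte IPv4 header + 8-byte UDP header + 4 payload
 * bytes, with the UDP length field set to whatever the caller passes. */
void make_sample(uint8_t pkt[32], uint16_t udp_len_field)
{
    memset(pkt, 0, 32);
    pkt[0] = 0x45;                                 /* version 4, IHL 5 */
    pkt[9] = 17;                                   /* protocol UDP */
    pkt[21] = 68; pkt[23] = 67;                    /* ports 68 -> 67 */
    pkt[24] = (uint8_t)(udp_len_field >> 8);       /* UDP length, high byte */
    pkt[25] = (uint8_t)(udp_len_field & 0xff);     /* UDP length, low byte */
}

int main(void)
{
    uint8_t pkt[32];
    make_sample(pkt, 12);                          /* matches the 32 bytes */
    printf("consistent length: %ld\n", udp_payload_len(pkt, sizeof pkt));
    make_sample(pkt, 0xffff);                      /* claims ~64 KB */
    printf("inflated length:   %ld\n", udp_payload_len(pkt, sizeof pkt));
    return 0;
}
```
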
CVSS provenance
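| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.7 | MEDIUM | AV:A/AC:M/Au:N/C:N/I:N/A:C |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |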
GHSA
GHSA-fpv7-2967-vrc5: ISC DHCP 4
ghsa_unreviewed·2022-05-13
CVE-2015-8605 [MEDIUM] CWE-20 GHSA-fpv7-2967-vrc5: ISC DHCP 4
ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet.
OSV
CVE-2015-8605: ISC DHCP 4
osv·2016-01-14·CVSS 6.5
CVE-2015-8605 [MEDIUM] CVE-2015-8605: ISC DHCP 4
ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet.
Ubuntu
DHCP vulnerability
vendor_ubuntu·2016-01-13
CVE-2015-8605 DHCP vulnerability
Title: DHCP vulnerability
Summary: DHCP server, client, or relay could be made to crash if they received
specially crafted network traffic.
Sebastian Poehn discovered that the DHCP server, client, and relay
incorrectly handled certain malformed UDP packets. A remote attacker could
use this issue to cause the DHCP server, client, or relay to stop
responding, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
dhcp: UDP payload length not properly checked
vendor_redhat·2016-01-12·CVSS 6.5
CVE-2015-8605 [MEDIUM] CWE-190 dhcp: UDP payload length not properly checked
ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet.
Statement: This issue is not planned to be addressed in the dhcp packages as shipped with Red Hat Enterprise Linux 5, 6, or 7, as the problem can not be triggered with those packages. For further technical details, refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1297314#c5
Package: dhcp (Red Hat Enterprise Linux 5) - Will not fix
Package: dhcp (Red Hat Enterprise Linux 6) - Will not fix
Package: dhcp (Red Hat Enterprise Linux 7) - Will not fix
Debian
CVE-2015-8605: isc-dhcp - ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 allows remo...
vendor_debian·2015·CVSS 6.5
CVE-2015-8605 [MEDIUM] CVE-2015-8605: isc-dhcp - ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 allows remo...
ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet.
Scope: local
bookworm: resolved (fixed in 4.3.3-7)
bullseye: resolved (fixed in 4.3.3-7)
sid: resolved (fixed in 4.3.3-7)
trixie: resolved (fixed in 4.3.3-7)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-8605 dhcp: UDP payload length not properly checked [fedora-all]
bugzilla·2016-01-13·CVSS 6.5
CVE-2015-8605 [MEDIUM] CVE-2015-8605 dhcp: UDP payload length not properly checked [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedor
Bugzilla
CVE-2015-8605 dhcp: UDP payload length not properly checked
bugzilla·2016-01-11·CVSS 6.5
CVE-2015-8605 [MEDIUM] CVE-2015-8605 dhcp: UDP payload length not properly checked
A flaw in DHCP was reported by ISC:
A badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally.
Nearly all IPv4 DHCP clients and relays, and most IPv4 DHCP servers are potentially affected.
Acknowledgements:
Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Sebastian Poehn of Sophos as the original reporter.
Discussion:
Created attachment 1113518
rt41267-4.1-ESV-R12-P1.patch
---
Created attachment 1113519
rt41267-4.3.3-P1.patch
---
Created attachment 1113520
rt41267-general.patch
---
This problem is in the decode_udp_ip_header() function. The function receives a buffer pointer buf and its length in buflen. It then