CVE-2016-2774
published 2016-03-09

Priority: P346, medium
CVSS 3.1: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 73.62% (99.4th percentile)

ISC DHCP 4.1.x before 4.1-ESV-R13 and 4.2.x and 4.3.x before 4.3.4 does not restrict the number of concurrent TCP sessions, which allows remote attackers to cause a denial of service (INSIST assertion failure or request-processing outage) by establishing many sessions.

Affected

24 ranges
VendorProductVersion rangeFixed in
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
debiandebian_linux
debianisc-dhcp< isc-dhcp 4.3.4-1 (bookworm)isc-dhcp 4.3.4-1 (bookworm)
erlangerlang_otp>= 0 < 1:16.b.3-dfsg-1ubuntu2.21:16.b.3-dfsg-1ubuntu2.2
erlangerlang_otp>= 0 < 1:18.3-dfsg-1ubuntu3.11:18.3-dfsg-1ubuntu3.1
iscdhcp
iscdhcp
iscdhcp
iscdhcp
iscdhcp
iscdhcp
iscdhcp
iscdhcp
iscdhcp
iscdhcp
iscdhcp
iscdhcp
iscdhcp
iscdhcp
iscdhcp
iscdhcp
iscdhcp

Detection & IOCs (extracted from sources)

port 7911
port 647
  • Check dhcpd configuration files for 'failover' or 'omapi-port' directives to identify potentially vulnerable/exposed deployments.
  • Use netstat to check if dhcpd has any open TCP sockets on OMAPI (default 7911) or failover (default 647) ports, indicating exposure to this DoS vector.
  • Monitor for a large number of concurrent TCP connections to OMAPI port (7911) or failover port (647) from untrusted or unexpected source IPs — the attack involves opening many connections and never closing them.
  • OMAPI port has no source-IP restriction in dhcpd; the failover port drops connections from non-peer IPs, making OMAPI the higher-risk attack surface.
  • Look for dhcpd INSIST assertion failure messages in logs, which can indicate this DoS condition has been triggered.
  • Vulnerability only affects dhcpd deployments that have OMAPI or DHCP failover configured; default configurations without these directives are not affected.
  • When dhcpd configuration is stored in LDAP, searching only dhcpd.conf for 'failover' and 'omapi-port' directives is insufficient to determine exposure.
  • Upstream patched versions cap concurrent connections at 200 by default (MAX_FD_VALUE in includes/site.h); a value of 0 means unlimited and restores vulnerable behavior.
  • Red Hat Enterprise Linux 5 and 6 dhcp packages are marked 'Will not fix' for this CVE.
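
The configuration and socket checks listed above can be scripted for triage. The following is an added example, not code from the original page or from ISC: it assumes `netstat -tn`-style text as input, and the sample data, the `trusted` set and the `limit` threshold are constructed for illustration.

```python
import re
from collections import Counter
DEFAULT_PORTS = {7911: "omapi", 647: "failover"}  # defaults named on this page

def enabled_listeners(conf_text):
    """Return which TCP listeners a dhcpd.conf text enables."""
    body = re.sub(r"#.*", "", conf_text)  # drop comments before matching
    found = set()
    if re.search(r"^\s*omapi-port\s+\d+\s*;", body, re.M):
        found.add("omapi")
    if re.search(r"^\s*failover\s+peer\b", body, re.M):
        found.add("failover")
    return found

def sessions_by_source(netstat_text, ports=DEFAULT_PORTS):
    """Count ESTABLISHED sessions per (service, remote IP) from `netstat -tn` text."""
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED":
            continue
        local_port = f[3].rsplit(":", 1)[1]
        remote_ip = f[4].rsplit(":", 1)[0]
        if local_port.isdigit() and int(local_port) in ports:
            counts[(ports[int(local_port)], remote_ip)] += 1
    return counts

def findings(netstat_text, trusted, limit=20):
    """Flag untrusted sources, and service totals at or above `limit` (assumed value)."""
    counts = sessions_by_source(netstat_text)
    totals, out = Counter(), []
    for (svc, ip), n in sorted(counts.items()):
        totals[svc] += n
        if ip not in trusted:
            out.append(f"{svc}: {n} session(s) from untrusted {ip}")
    out += [f"{svc}: {n} concurrent sessions (limit {limit})"
            for svc, n in sorted(totals.items()) if n >= limit]
    return out

# Constructed sample data (documentation address ranges, not from a real host).
SAMPLE_CONF = "# omapi-port 9999;\nomapi-port 7911;\ndefault-lease-time 600;\n"
_rows = [f"tcp 0 0 192.0.2.10:7911 198.51.100.7:{40000 + i} ESTABLISHED" for i in range(25)]
_rows += ["tcp 0 0 192.0.2.10:7911 192.0.2.20:51000 ESTABLISHED",
          "tcp 0 0 192.0.2.10:647 192.0.2.11:51001 ESTABLISHED",
          "tcp 0 0 192.0.2.10:22 203.0.113.5:51002 ESTABLISHED"]
SAMPLE_NETSTAT = "\n".join(_rows)

if __name__ == "__main__":
    print(enabled_listeners(SAMPLE_CONF), findings(SAMPLE_NETSTAT, {"192.0.2.20", "192.0.2.11"}))
```

An empty result from `enabled_listeners` does not rule out exposure when the configuration is stored in LDAP; the socket-based count still applies in that case.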

CVSS provenance

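| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 7.1 | HIGH | AV:N/AC:M/Au:N/C:N/I:N/A:C |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 5.9 | MEDIUM | |
| vendor_redhat | | 5.9 | MEDIUM | |
| vendor_ubuntu | | 5.9 | MEDIUM | |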