Re: CVE Request -- dhcp: DoS (excessive CPU use) by opening an OMAPI connection

[Jan Lieskovsky <jlieskov () redhat com>]

Jan Lieskovsky wrote:
> Hello Josh, Steve, vendors,
>
>   A security flaw was found in the way DHCP (Dynamic Host Configuration 
> Protocol)
> server processed remote connections when the dhcpd was configured to 
> provide
> Object Management API (OMAPI) capability. A remote attacker could use 
> this flaw
> to cause denial of service (excessive CPU use and dhcpd daemon 
> unreachability).
>
> References:
> [1] https://bugzilla.novell.com/show_bug.cgi?id=680298
> [2] https://lists.isc.org/pipermail/dhcp-users/2011-February/012780.html
> [3] https://lists.isc.org/pipermail/dhcp-users/2011-February/012781.html
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=666441
> [5] http://www.mentby.com/Group/dhcp-users/omapi-not-working-in-420.html
>
> Note: Though looks as minor / low severity issue, under proper 
> configuration
>       looks to be a way, how to get dhcpd completely unresponsive for 
> further
>       requests.
>
> Could you allocate a CVE id for this? (though opened for discussion if this
> being more to be a bug, than a real security issue).

The dhcpd(8) manual page:
[6] http://linux.die.net/man/8/dhcpd

suggests it's possible to "The control object allows you to shut the server down."
[the Control Object section], but it also states:

"OMAPI clients connect to the server using TCP/IP, authenticate, and can then
examine the server's current status and make changes to it."

and

"The DHCP server exports the following objects: lease, host, failover-state and group."

so not sure, if any (unprivileged) OMAPI client could shut down the server.

Hopefully Jiri / someone else more familiar with OMAPI feature could shed more
light into this (if each OMAPI client is able to shut down the dhcpd server => just bug
or just privileged / authenticated one => potential DoS).

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team