Package: isc-dhcp-client
Version: 4.4.1-2.3+deb11u1
Severity: important
Hello,

Summary: a temporary or permanent lack of DHCP when bringing a network interface up may result in a DoS via a partially-applied network configuration to the interface.

In detail:

- When a DHCP lease relies upon the DHCP Classless Static Route Option 121 (RFC 3442), the dhclient-script sets up no routes at all by itself, relying on the exit hook called rfc3442-classless-routes for the functionality.
- The hook correctly handles the invocations of dhclient-script when the reason is set to either BOUND or REBOOT, properly applying the static routes specified via the DHCP option 121.
- However, when no DHCP servers respond, dhclient may also try a previously recorded lease by calling dhclient-script with the reason set to TIMEOUT, which the hook doesn't handle.
- When such a lease uses the DHCP option 121, the end result is a partially-applied and likely broken interface configuration: no static routes applied, including the default route, if any.
- That appears worse than if the configuration wasn't applied at all if, e.g., DHCP is only temporarily down. With no lease applied at all, dhclient would keep retrying and pick up a lease as soon as it can. The partially-applied lease may persist for much longer, prolonging the likely DoS situation.

The fix is trivial:

--- /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes.distrib 2018-03-03 16:27:05.000000000 +0000
+++ /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes 2022-11-16 01:41:45.000000000 +0000
@@ -10,7 +10,8 @@
 if [ "$RUN" = "yes" ]; then
 if [ -n "$new_rfc3442_classless_static_routes" ]; then
- if [ "$reason" = "BOUND" ] || [ "$reason" = "REBOOT" ]; then
+ if [ "$reason" = "BOUND" ] || [ "$reason" = "REBOOT" ] ||
+ [ "$reason" = "TIMEOUT" ]; then
 set -- $new_rfc3442_classless_static_routes

Hope this helps,

--
/Dennis Vshivkov
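Review bot: the new `[ "$reason" = "TIMEOUT" ]` branch in the hunk carries no comment, and nothing in the surrounding hook text says that TIMEOUT is the "no server answered, dhclient is retrying a previously recorded lease" path described in the report; a one-line comment above the condition (for example `# TIMEOUT: dhclient applies a recorded lease when no server responds`) would keep a later editor from dropping it as a stray case next to BOUND and REBOOT. The diff is also taken against the installed copy under /etc/dhcp (the `.distrib` file header), so rebasing it onto the hook as shipped in the isc-dhcp source package would make it easier for the maintainer to apply as-is.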