Cisco DHCP relay vulnerability - Crit.

Started by icecream-guy, February 14, 2018, 05:54:28 AM


icecream-guy


Summary

    The DHCP relay subsystem of Cisco IOS and Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code and gain full control of an affected system. The attacker could also cause an affected system to reload, resulting in a denial of service (DoS) condition.

    The vulnerability is due to a buffer overflow condition in the DHCP relay subsystem of the affected software. An attacker could exploit this vulnerability by sending a crafted DHCP Version 4 (DHCPv4) packet to an affected system. A successful exploit could allow the attacker to execute arbitrary code and gain full control of the affected system or cause the affected system to reload, resulting in a DoS condition.


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-dhcp

Assessing the DHCP Relay Configuration

To determine whether a device is configured as a DHCP relay agent, administrators can log in to the device and use the show running-config | include ip helper-address command in the CLI.

The following example shows the output of the command for a device that is running Cisco IOS Software and is configured as a DHCP relay agent that forwards DHCP packets to the DHCP server address 10.10.10.1:

    Router# show running-config | include ip helper-address
    ip helper-address  10.10.10.1
    Router#

If a device is not configured as a DHCP relay agent, the show running-config | include ip helper-address command will not return any output.

My Moral Fibers have been cut.
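The advisory's `show running-config | include ip helper-address` check only tells you whether any helper address exists; it does not say which interfaces relay DHCP, which is what you need when scoping a patch window across a fleet. The following is an added example, not code from the Cisco advisory or from the forum post: a small Python parser that walks a saved running-config, maps each interface to its `ip helper-address` targets, and reports whether the device is a relay agent by the advisory's definition. The sample config is constructed for illustration, and the handling of the optional `vrf <name>` / `global` keywords before the address is an assumption about the command syntax.

```python
"""Audit an IOS / IOS XE running-config for DHCP relay (ip helper-address).

Added example, not from the Cisco advisory or the forum post. Assumes the
input is the text of `show running-config` and that a device is a relay agent
whenever any interface carries `ip helper-address`, which is exactly what the
advisory's `| include ip helper-address` check relies on.
"""
import re
from typing import Dict, List, Optional

# Loose IPv4 matcher: enough to pick the address out of the helper line.
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_helper_addresses(config: str) -> Dict[str, List[str]]:
    """Return {interface: [helper addresses]} for every interface relaying DHCP.

    The config is read block by block: an unindented `interface ...` line opens
    a block, and indented lines that follow belong to that interface until the
    next unindented line (`!`, `router ...`, `line vty ...`, etc.).
    Assumption: optional keywords such as `vrf NAME` or `global` may precede
    the address, so the first IPv4-looking token after `ip helper-address`
    is taken as the server address.
    """
    relays: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level line: either opens an interface block or ends one.
            current = line.split(None, 1)[1] if line.startswith("interface ") else None
            continue
        if current is None:
            continue  # indented line outside any interface block
        tokens = line.split()
        if tokens[:2] == ["ip", "helper-address"]:
            addr = next((t for t in tokens[2:] if IPV4.match(t)), None)
            if addr:
                relays.setdefault(current, []).append(addr)
    return relays


def is_relay_agent(config: str) -> bool:
    """Mirror the advisory's one-line check: any helper address means relay is on."""
    return bool(parse_helper_addresses(config))


# Constructed sample: a typical campus distribution switch with user VLANs
# relaying to two DHCP servers, one VRF-scoped helper, and one static VLAN.
SAMPLE_CONFIG = """\
hostname dist-sw-01
!
interface Vlan10
 description Users
 ip address 10.10.10.254 255.255.255.0
 ip helper-address 10.10.10.1
 ip helper-address 10.10.10.2
!
interface Vlan20
 description Printers
 ip address 10.10.20.254 255.255.255.0
 ip helper-address vrf MGMT 10.10.10.1
!
interface Vlan99
 description Mgmt only, static addressing
 ip address 10.10.99.254 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for intf, helpers in parse_helper_addresses(SAMPLE_CONFIG).items():
        print(f"{intf}: relays DHCPv4 to {', '.join(helpers)}")
    print("relay agent (exposed per advisory):", is_relay_agent(SAMPLE_CONFIG))
```

Feed it the output of `show running-config` collected by whatever config backup you already have (RANCID, Oxidized, a NetBox export), and you get the per-interface list needed to argue about which VLANs actually face untrusted clients rather than a yes/no per box.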

deanwebb


NAC systems need that DHCP relay info to work. Thanks for the post, Ristau!

Thank goodness there's a fix for it... of course, customers will have to test it and then schedule its application...

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

I think that 98% (conservatively estimated) of campus switches I've ever seen have this thing turned on for obvious reasons.... dis gonna be gud

poor operations guys

though seriously: crafted DHCP packet = root?!?!?! WTF dude


In this day and age, the old 'buffer overflow' might as well be the same as 'flux capacitor' LOL. Vulnerability? buffer overflow, natch.

deanwebb

Quote from: wintermute000 on February 15, 2018, 06:27:33 AM
I think that 98% (conservatively estimated) of campus switches I've ever seen have this thing turned on for obvious reasons.... dis gonna be gud

poor operations guys

though seriously: crafted DHCP packet = root?!?!?! WTF dude


In this day and age, the old 'buffer overflow' might as well be the same as 'flux capacitor' LOL. Vulnerability? buffer overflow, natch.

Indeed... basically, Cisco tells customers not to use their DHCP in production so, naturally, the gear has to have DHCP relays configured, every distro/core switch, every VLAN.

Managers might panic and ask "Can we turn this off globally until we patch the switches?"

And engineers will reply...

:ivan:

And say: "Only if you don't want anyone to be able to get on to the network... or if you have a plan to roll out IPX/SPX globally in the next 24 hours and, no, I'm not being sarcastic."