DHCP Transaction ID (xid) is logged with INFO loglevel
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
isc-dhcp (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
The patch dhcp-4.
- log_info ("DHCPACK from %s", piaddr (packet -> client_addr));
+ log_info ("DHCPACK from %s (xid=0x%x)", piaddr (packet -> client_addr), client -> xid);
- log_info ("DHCPNAK from %s", piaddr (packet -> client_addr));
+ log_info ("DHCPNAK from %s (xid=0x%x)", piaddr (packet -> client_addr), client -> xid);
- log_info ("DHCPDISCOVER on %s to %s port %d interval %ld",
+ log_info ("DHCPDISCOVER on %s to %s port %d interval %ld (xid=0x%x)",
- log_info ("DHCPREQUEST of %s on %s to %s port %d",
+ log_info ("DHCPREQUEST of %s on %s to %s port %d (xid=0x%x)",
- log_info ("DHCPDECLINE on %s to %s port %d",
+ log_info ("DHCPDECLINE on %s to %s port %d (xid=0x%x)",
- log_info ("DHCPRELEASE on %s to %s port %d",
+ log_info ("DHCPRELEASE on %s to %s port %d (xid=0x%x)",
Under certain circumstances, this can lead to the xid being leaked to remote machines (syslog) or visible to unprivileged users.
Having the xid, it is possible to flood a target machine with DHCPACK replies and spoof a upcoming DHCPREQUEST answer (Proof of concept avail on request).
I would not say this is a direct security issue, but more of a potential information disclosure and could lead to an issue in combination with other factors (e.g. syslog files of a target machine are accessible to an attacker). Still I don't see why this logging of xid is necessary and would recommend to either:
- remove logging of the xid entirely
- only log xid in log level DEBUG
This issue was confirmed to be in place for the the most recent version of isc-dhcp-client shipped with Ubuntu 17.04. (4.3.5-3ubuntu1).
Note: this patch is not included in the Debian package of isc-dhcp-client (https:/
information type: | Private Security → Public Security |
Changed in isc-dhcp (Ubuntu): | |
status: | New → Confirmed |
Hi Sven,
I'm not sure what the next step should be.
This does appear to affect others (the DEP-3 tags in this patch indicates pkgs.fedoraproj ect.org/ cgit/rpms/ dhcp.git/ tree/dhcp- improved- xid.patch )
it came from Fedora
http://
and several of the other patches in 4.2.4-7ubuntu14.1 indicated that
printing xid's exists beyond just this one patch.
xids appear to be generated through random(): sources. debian. net/src/ isc-dhcp/ 4.3.5-3/ client/ dhclient. c/#L1073
http://
If these can be generated with such a poor quality generator are we sources. debian. net/src/ isc-dhcp/ 4.3.5-3/ client/ dhclient. c/#L715
confident this is a security issue? Afterall guessing this seed value
shouldn't be too difficult:
http://
.. and probably being able to find four xids would be enough to crack the
random() generator even without the seed. Probably a few minutes with
ethtool to get new MACs on an interface would be sufficient.
Do you know if there are upstream bugs filed with ISC for these issues?
Thanks