Bug#1024208: rfc3442-classless-routes exit hook doesn't handle TIMEOUT

Dennis Vshivkov

Nov 15, 2022, 10:30:04 PM
Package: isc-dhcp-client
Version: 4.4.1-2.3+deb11u1
Severity: important


Hello,

summary: a temporary or permanent lack of DHCP when bringing a network interface up may result in a DoS via a partially-applied network configuration to the interface.


In detail:
  - When a DHCP lease relies upon the DHCP Classless Static Route Option 121 (RFC 3442), the dhclient-script sets up no routes at all by itself, relying on the exit hook called rfc3442-classless-routes for the functionality.
  - The hook correctly handles the invocations of dhclient-script when the reason is set to either BOUND or REBOOT, properly applying the static routes specified via the DHCP option 121.
  - However, when no DHCP servers respond, dhclient may also try a previously recorded lease by calling dhclient-script with the reason set to TIMEOUT, which the hook doesn't handle.
  - When such a lease uses the DHCP option 121, the end result is a partially-applied and likely broken interface configuration: no static routes applied, including the default route, if any.
  - That appears worse than if the configuration wasn't applied at all if, e.g., DHCP is only temporarily down.  With no lease applied at all, dhclient would keep retrying and pick up a lease as soon as it can.  The partially-applied lease may persist for much longer, prolonging the likely DoS situation.


The fix is trivial:
--- /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes.distrib    2018-03-03 16:27:05.000000000 +0000
+++ /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes    2022-11-16 01:41:45.000000000 +0000
@@ -10,7 +10,8 @@

 if [ "$RUN" = "yes" ]; then
        if [ -n "$new_rfc3442_classless_static_routes" ]; then
-               if [ "$reason" = "BOUND" ] || [ "$reason" = "REBOOT" ]; then
+               if [ "$reason" = "BOUND" ] || [ "$reason" = "REBOOT" ] ||
+                  [ "$reason" = "TIMEOUT" ]; then

                        set -- $new_rfc3442_classless_static_routes
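
Review bot: the extended condition on the two `+` lines has no comment saying why TIMEOUT belongs next to BOUND and REBOOT, and the three chained `[ ]` tests split across a line continuation are easy to misread. A `case "$reason" in BOUND|REBOOT|TIMEOUT)` arm with a one-line comment that TIMEOUT is the fallback to a previously recorded lease would be clearer and easier to extend. Separately, nothing in the visible lines checks whether that recorded lease was actually kept on the interface before `set -- $new_rfc3442_classless_static_routes` starts installing routes, so it is worth confirming the hook cannot add routes for a lease that was discarded.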


Hope this helps,

-- 
/Dennis Vshivkov
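
Added example (not part of the original report and not the package's hook code): a POSIX shell check for the partially-applied state described above. It decodes the option 121 value in the form dhclient hands it to hooks and lists the lease's routes that are absent from a routing table; the function names, the sample lease and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Decode dhclient's $new_rfc3442_classless_static_routes (space-separated
# decimal octets: prefix length, significant destination octets, 4 router
# octets) into "DEST/LEN GATEWAY" lines. Returns 1 on malformed data.
decode_rfc3442() {
    set -- $1
    while [ $# -gt 0 ]; do
        len=$1; shift
        [ "$len" -ge 0 ] 2>/dev/null && [ "$len" -le 32 ] || return 1
        n=$(( (len + 7) / 8 ))
        [ $# -ge $((n + 4)) ] || return 1
        dest=""; i=0
        while [ $i -lt 4 ]; do
            if [ $i -lt $n ]; then o=$1; shift; else o=0; fi
            dest="${dest:+$dest.}$o"
            i=$((i + 1))
        done
        echo "$dest/$len $1.$2.$3.$4"
        shift 4
    done
}

# Print every route the lease asks for that is absent from a routing table
# given as text in the format of `ip -4 route show dev IFACE`.
missing_routes() {
    decoded=$(decode_rfc3442 "$1") || return 2
    while read -r dest gw; do
        [ -n "$dest" ] || continue
        case $dest in
            0.0.0.0/0) key=default ;;
            */32)      key=${dest%/32} ;;
            *)         key=$dest ;;
        esac
        # Router 0.0.0.0 means the destination is on-link (RFC 3442).
        if [ "$gw" = 0.0.0.0 ]; then want="$key dev "; else want="$key via $gw "; fi
        printf '%s\n' "$2" | awk -v w="$want" 'index($0 " ", w) == 1 { f = 1 } END { exit !f }' \
            || echo "$dest $gw"
    done <<EOF
$decoded
EOF
}

# Constructed sample data: a recorded lease and the table left after TIMEOUT.
LEASE_OPT121="24 192 168 10 10 0 0 1 0 10 0 0 254"
TABLE_AFTER_TIMEOUT="10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.50"
missing_routes "$LEASE_OPT121" "$TABLE_AFTER_TIMEOUT"
```

Any output means the interface holds an address from the lease without the routes the lease specifies, which is the state the report describes.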
