Infoblox NIOS Product is vulnerable to CVE-2022-2928 and CVE-2022-2929

Oct 5, 2022•Knowledge

Summary
CVE-2022-2928 - Results from a failure to re-initialize a field when replying to a DHCPv4 lease query.

CVE-2022-2929 - Failure to free memory allocated when processing DHCPv4 option 81 FQDN values.

Overview
On October 5th, 2022 ISC announced two new vulnerabilities, CVE-2022-2928 and CVE-2022-2929.

Program Impacted: ISC DHCP
CVSS Score: 6.5
CVSS Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Versions

NIOS is vulnerable to CVE-2022-2928 and CVE-2022-2929.
BloxOne and NetMRI are not vulnerable to these issues.

Impact

CVE-2022-2928 - This issue results in a counter overflow that can trigger an unsolicited DHCP service restart.

With a DHCP server configured with "allow leasequery;", a remote machine with access to the server can send lease queries for the same lease multiple times, leading to the "add_option()" function being repeatedly called. This could cause an option's "refcount" field to overflow and the server to abort. Internally, reference counters are integers and thus overflow at 2^31 references; so even at 1000 lease query responses per second, it would take more than three weeks to crash the server.

CVE-2022-2929 - This issue results in a memory leak that can trigger an unsolicited DHCP service restart.

A system with access to a DHCP server, sending DHCP packets crafted to include "fqdn" labels longer than 63 bytes, could eventually cause the server to run out of memory.

Workaround
Both issues can be mitigated by periodically restarting the DHCP service. It is unlikely that a DHCP server restarted weekly would be affected by either of these vulnerabilities.

CVE-2022-2928 can also be avoided by disabling the LEASEQUERY feature on members running DHCP.

Resolution

Infoblox suggests one of the following options to resolve these issues:

Apply NIOS a version-specific Hotfix to your grid (8.2.6 CC, 8.5.2, 8.5.2 CC, 8.5.3, 8.5.4, 8.5.5, 8.6.1, 8.6.2). All related files are attached to this case. However, we recommend only downloading the Hotfix Release Form, Hotfix, and Revert Hotfix specific to your NIOS version.
These CVEs will be patched in future NIOS release 8.6.3 (currently targeted for early 2023).

Additional Notes

This issue is only applicable to DHCPv4.
The respective Hotfixes also work for Grids with CC or FIPS modes enabled. For example, the 8.5.2 Hotfix will work with CC mode enabled, FIPS mode enabled, or neither of these modes enabled.
The Hotfix files in this KB resolve the CVEs in this article.
The fix for CVE-2022-2928 is to dereference the impacted option count field to prevent this type of overflow.
The fix for CVE-2022-2929 is to deallocate the impacted buffer on return.
The show upgrade_history CLI command can be run to determine which Hotfixes have already been applied to that member. If a related Hotfix is already applied to your grid (i.e. for the same NIOS version and feature), please consult with Infoblox Support before installing the new Hotfix.

NIOS Version-Specific Hotfix Files (attached to this KB)

8.2.6 CC/FIPS

File	File Name
Hotfix Release Form	8.2.6_Hotfix_Release_Form_NIOS-87466.pdf
Hotfix	Hotfix-8-2-6-NIOS-87466-APPLY-926b5d1ab7d5f0d0ebcb03b076779917-Fri-Sep-23-16-42-09-2022.bin2
Hotfix Revert	Hotfix-8-2-6-NIOS-87466-REVERT-dd1314100b2a9863d1e3be834c4c71bb-Thu-Sep-22-20-21-13-2022.bin2

8.5.2

File	File Name
Hotfix Release Form	8.5.2_Hotfix_Release_Form_NIOS-87458.pdf
Hotfix	Hotfix-8-5-2-NIOS-87458-APPLY-00794fea95a993bf7a6394d5afacdea1-Thu-Sep-22-01-40-29-2022.bin2
Hotfix Revert	Hotfix-8-5-2-NIOS-87458-REVERT-e08241ca1ff7b2218f987afbb801d981-Thu-Sep-22-01-43-25-2022.bin2

8.5.3

File	File Name
Hotfix Release Form	8.5.3_Hotfix_Release_Form_NIOS-87460.pdf
Hotfix	Hotfix-8-5-3-NIOS-87460-APPLY-30f663834fbb8a098d6093833ca90811-Thu-Sep-22-01-45-10-2022.bin2
Hotfix Revert	Hotfix-8-5-3-NIOS-87460-REVERT-aeb7c862dc87825b0ddece6e60ee1c11-Thu-Sep-22-01-46-39-2022.bin2

8.5.4

File	File Name
Hotfix Release Form	8.5.4_Hotfix_Release_Form_NIOS-87461.pdf
Hotfix	Hotfix-NIOS-8.5.4-419474-J87461-APPLY-10c3f9e2cebceeee61dc5121262168c7-Thu-Sep-22-00-47-57-2022.bin2
Hotfix Revert	Hotfix-NIOS-8.5.4-419474-J87461-REVERT-0739310ea4e7e37410ece9a89f17d86e-Thu-Sep-22-00-33-52-2022.bin2

8.5.5

File	File Name
Hotfix Release Form	8.5.5_Hotfix_Release_Form_NIOS-87462.pdf
Hotfix	Hotfix-NIOS-8.5.5-50687-677a2087c8f6-J87462-APPLY-6a701a84755db51333a9329a497d313a-Thu-Sep-22-01-44-38-2022.bin2
Hotfix Revert	Hotfix-NIOS-8.5.5-50687-677a2087c8f6-J87462-REVERT-956d9ccc3e56a3576b505a30df293511-Thu-Sep-22-01-48-01-2022.bin2

8.6.1

File	File Name
Hotfix Release Form	8.6.1_Hotfix_Release_Form_NIOS-87463.pdf
Hotfix	Hotfix-8-6-1-NIOS-87463-APPLY-b18014690ccde0387abfcd8f43cc58c3-Thu-Sep-22-02-16-21-2022.bin2
Hotfix Revert	Hotfix-8-6-1-NIOS-87463-REVERT-1558fd3136e833afbeba73f2c08c1ccd-Thu-Sep-22-02-15-42-2022.bin2

8.6.2

File	File Name
Hotfix Release Form	8.6.2_Hotfix_Release_Form_NIOS-87464.pdf
Hotfix	Hotfix-8-6-2-NIOS-87464-APPLY-7fb1394b0360bbae6f4d14f5a2ca030e-Thu-Sep-22-02-15-47-2022.bin2
Hotfix Revert	Hotfix-8-6-2-NIOS-87464-REVERT-5920f25f79da3d960d3102371a5a0a56-Thu-Sep-22-02-16-12-2022.bin2