[Bug 1717476] Re: DHCP Transaction ID (xid) is logged with INFO loglevel
Marc Deslauriers
marc.deslauriers at canonical.com
Fri Oct 18 12:18:08 UTC 2019
** Changed in: isc-dhcp (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/1717476
Title:
DHCP Transaction ID (xid) is logged with INFO loglevel
Status in isc-dhcp package in Ubuntu:
Confirmed
Bug description:
The patch dhcp-4.2.4-improved-xid.patch
(https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1401141)
added logging of the Transaction ID (xid) to dhclient:
- log_info ("DHCPACK from %s", piaddr (packet -> client_addr));
+ log_info ("DHCPACK from %s (xid=0x%x)", piaddr (packet -> client_addr), client -> xid);
- log_info ("DHCPNAK from %s", piaddr (packet -> client_addr));
+ log_info ("DHCPNAK from %s (xid=0x%x)", piaddr (packet -> client_addr), client -> xid);
- log_info ("DHCPDISCOVER on %s to %s port %d interval %ld",
+ log_info ("DHCPDISCOVER on %s to %s port %d interval %ld (xid=0x%x)",
- log_info ("DHCPREQUEST of %s on %s to %s port %d",
+ log_info ("DHCPREQUEST of %s on %s to %s port %d (xid=0x%x)",
- log_info ("DHCPDECLINE on %s to %s port %d",
+ log_info ("DHCPDECLINE on %s to %s port %d (xid=0x%x)",
- log_info ("DHCPRELEASE on %s to %s port %d",
+ log_info ("DHCPRELEASE on %s to %s port %d (xid=0x%x)",
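Review bot: every added line keeps `log_info`, so the xid is emitted at INFO level in all six messages (DHCPACK, DHCPNAK, DHCPDISCOVER, DHCPREQUEST, DHCPDECLINE, DHCPRELEASE) and ends up in default syslog output. Either move the xid to a separate `log_debug` call or drop it from the format strings. For DHCPDISCOVER, DHCPREQUEST, DHCPDECLINE and DHCPRELEASE only the format-string line is visible here, so also confirm that each of those calls gained a matching `client -> xid` argument for the new `%x`.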
Under certain circumstances, this can lead to the xid being leaked to
remote machines (syslog) or visible to unprivileged users.
Having the xid, it is possible to flood a target machine with DHCPACK
replies and spoof an upcoming DHCPREQUEST answer (Proof of concept
avail on request).
I would not say this is a direct security issue, but more of a
potential information disclosure and could lead to an issue in
combination with other factors (e.g. syslog files of a target machine
are accessible to an attacker). Still I don't see why this logging of
xid is necessary and would recommend to either:
- remove logging of the xid entirely
- only log xid in log level DEBUG
This issue was confirmed to be in place for the most recent
version of isc-dhcp-client shipped with Ubuntu 17.04.
(4.3.5-3ubuntu1).
Note: this patch is not included in the Debian package of
isc-dhcp-client (https://packages.debian.org/stretch/isc-dhcp-client), therefore
this issue does only affect Ubuntu.
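An added example, not part of the bug report or of isc-dhcp: a Python audit for the two exposure paths the report names, log files readable by unprivileged users and forwarding to a remote syslog host. The function names, the sample log and config lines, and the rsyslog forwarding heuristic are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# The six dhclient messages whose format strings gained "(xid=0x%x)" in the patch.
XID_LINE = re.compile(
    r"dhclient(?:\[\d+\])?: (DHCP(?:ACK|NAK|DISCOVER|REQUEST|DECLINE|RELEASE)) "
    r".*\(xid=0x[0-9a-fA-F]{1,8}\)"
)
# Assumed heuristic for rsyslog forwarding: "selector @host", "@@host", or omfwd.
FORWARD = re.compile(r"^\s*[^#\s]\S*\s+@@?\S+|omfwd")

def audit_log(path):
    """Return (line, message type) hits and file exposure; None if no xid is logged."""
    with open(path, errors="replace") as fh:
        hits = [(n, m.group(1)) for n, line in enumerate(fh, 1)
                if (m := XID_LINE.search(line))]
    if not hits:
        return None
    mode = os.stat(path).st_mode
    return {
        "messages": hits,
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
    }

def forwarding_rules(conf_text):
    """Return uncommented rsyslog lines that send messages to another host."""
    return [l.strip() for l in conf_text.splitlines()
            if not l.lstrip().startswith("#") and FORWARD.search(l)]

# Constructed sample data: documentation addresses and a made-up xid.
SAMPLE_LOG = """\
Oct 18 12:00:01 host dhclient[812]: DHCPREQUEST of 192.0.2.10 on eth0 to 255.255.255.255 port 67 (xid=0x3a1f9c2e)
Oct 18 12:00:01 host dhclient[812]: DHCPACK from 192.0.2.1 (xid=0x3a1f9c2e)
Oct 18 12:00:02 host dhclient[812]: bound to 192.0.2.10 -- renewal in 1800 seconds.
"""
SAMPLE_CONF = "# *.* @old.example\nauth.* /var/log/auth.log\n*.* @@loghost.example:514\n"

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "syslog")
        with open(path, "w") as fh:
            fh.write(SAMPLE_LOG)
        os.chmod(path, 0o644)  # a world-readable log, as in the report's scenario
        return audit_log(path), forwarding_rules(SAMPLE_CONF)

if __name__ == "__main__":
    print(demo())
```

A non-empty result from either function means the xid is reaching readers beyond root on this host or another machine.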