CVE-2021-25217

7.4 HIGH

📋 TL;DR

A memory corruption vulnerability in ISC DHCP allows attackers to cause denial of service by crashing dhclient or dhcpd processes when they parse malicious lease files. The vulnerability affects DHCP servers and clients running vulnerable versions, potentially disrupting network connectivity. Impact varies based on architecture (32-bit vs 64-bit) and compiler flags used during build.

💻 Affected Systems

Products:
  • ISC DHCP
Versions: ISC DHCP 4.1-ESV-R1 through 4.1-ESV-R16, ISC DHCP 4.4.0 through 4.4.2 (earlier versions also affected but unsupported)
Operating Systems: All operating systems running affected ISC DHCP versions
Default Config Vulnerable: ⚠️ Yes
Notes: Impact varies: 32-bit builds compiled with the -fstack-protector-strong flag may crash; 64-bit builds, or builds without the flag, may only experience lease deletion without a crash.

⚠️ Risk & Real-World Impact

🔴 Worst Case

DHCP server crashes and deletes legitimate leases, causing widespread network connectivity loss for all clients relying on DHCP services.

🟠 Likely Case

DHCP client crashes on affected 32-bit systems, causing individual systems to lose network connectivity until DHCP client restarts.

🟢 If Mitigated

With proper patching, no impact beyond normal DHCP operations.

🌐 Internet-Facing: MEDIUM - DHCP servers exposed to internet could be targeted to cause service disruption, but exploitation requires ability to inject malicious lease data.
🏢 Internal Only: MEDIUM - Internal attackers with ability to manipulate lease files could disrupt DHCP services affecting network connectivity.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to inject or manipulate lease files, which typically requires some level of access to the DHCP server or client system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ISC DHCP 4.1-ESV-R17, ISC DHCP 4.4.3

Vendor Advisory: https://kb.isc.org/docs/cve-2021-25217

Restart Required: Yes

Instructions:

1. Download patched version from ISC website.
2. Stop DHCP service.
3. Backup configuration and lease files.
4. Install updated package.
5. Restart DHCP service.

🔧 Temporary Workarounds

Restrict lease file access

linux

Limit write access to DHCP lease files to prevent malicious lease injection

chmod 640 /var/lib/dhcp/dhcpd.leases
chown root:dhcpd /var/lib/dhcp/dhcpd.leases

Monitor lease file integrity

linux

Implement file integrity monitoring on DHCP lease files

# Use tools like AIDE, Tripwire, or auditd to monitor lease file changes

🧯 If You Can't Patch

  • Implement strict access controls on DHCP lease files to prevent unauthorized modifications
  • Monitor DHCP service health and implement automatic restart mechanisms for crashes

🔍 How to Verify

Check if Vulnerable:

Check ISC DHCP version: dhcpd --version 2>&1 | head -1

Check Version:

dhcpd --version 2>&1 | grep -oE '4\.[0-9]+(\.[0-9]+|-ESV-R[0-9]+)' || dhclient --version 2>&1 | grep -oE '4\.[0-9]+(\.[0-9]+|-ESV-R[0-9]+)'

Verify Fix Applied:

Verify version is 4.1-ESV-R17 or higher, or 4.4.3 or higher
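
The version comparison above, written as a shell function that classifies a dhcpd/dhclient version banner against the affected and fixed ranges listed on this page. This is an added example, not part of the original advisory; the function name, the output labels and the sample banners are this example's own.

```shell
#!/bin/sh
# Added example: classify an ISC DHCP version banner against the ranges on this page.
# Output labels (vulnerable/fixed/indeterminate/unlisted/unparsed) are assumptions
# of this example, not vendor terminology.

classify_dhcp_version() {
    # First ISC-style version token: "4.4.2", "4.4.2-P1", "4.1-ESV-R16", ...
    v=$(printf '%s\n' "$1" |
        grep -oE '[0-9]+\.[0-9]+(\.[0-9]+|-ESV-R[0-9]+)(-P[0-9]+)?' | head -n 1)
    [ -n "$v" ] || { echo unparsed; return 0; }

    base=${v%-P*}          # version without a patch-level (-P) suffix
    case "$base" in
        4.1-ESV-R*)        # affected R1..R16, fixed from R17
            n=${base#4.1-ESV-R}; fixed_from=17 ;;
        4.4.*)             # affected 4.4.0..4.4.2, fixed from 4.4.3
            n=${base#4.4.}; fixed_from=3 ;;
        *)                 # outside the two release lines the page gives ranges for
            echo unlisted; return 0 ;;
    esac

    if [ "$n" -ge "$fixed_from" ]; then
        echo fixed
    elif [ "$v" != "$base" ]; then
        # A -P release of an affected base version: the ranges on this page do not
        # cover patch-level releases, so do not guess; check the vendor advisory.
        echo indeterminate
    else
        echo vulnerable
    fi
}

# Constructed sample banners (not captured from real hosts).
for banner in 'isc-dhcpd-4.4.1' 'isc-dhclient-4.4.3' 'isc-dhcpd-4.1-ESV-R16' \
              'isc-dhcpd-4.1-ESV-R17' 'isc-dhcpd-4.4.2-P1' 'isc-dhcpd-4.3.6'; do
    printf '%-26s %s\n' "$banner" "$(classify_dhcp_version "$banner")"
done
```

On a host, pass it the banner directly, for example classify_dhcp_version "$(dhcpd --version 2>&1 | head -1)". The banner reflects the upstream version only, so a distribution package with a backported fix can still classify as vulnerable; confirm against the package changelog.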

📡 Detection & Monitoring

Log Indicators:

  • DHCP service crashes
  • Unexpected lease deletions
  • Error messages about lease parsing

Network Indicators:

  • Clients failing to obtain/renew IP addresses
  • Increased DHCP discovery/request traffic

SIEM Query:

source="dhcpd.log" AND ("crash" OR "segmentation fault" OR "aborted" OR "unexpected lease")
