CVE-2020-13529: An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP...

CVSS Score: 6.1 (version 3.1)

Basic Information

EPSS Score: 0.17345%
Published: 5/24/2022
Updated: 1/29/2023
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Vulnerability Intelligence
Root Cause Analysis

The vulnerability (CVE-2020-13529) stems from the improper handling of DHCP FORCERENEW packets in Systemd's DHCP client, as introduced by commit 615c1467c81411bf1d19fd7092e8995b5ebadc13. The commit adds support for FORCERENEW but, as stated in its own message, 'does not support authentication.'

  1. The new function client_handle_forcerenew is directly responsible for processing these FORCERENEW packets without the necessary authentication, making it the primary vulnerable function introduced by this patch.
  2. The client_receive_message_udp function was modified to relax XID (transaction ID) validation when the client is in DHCP_STATE_BOUND (the state for handling FORCERENEW). This change aids an attacker by making it easier for their crafted FORCERENEW packet to be accepted and processed.
  3. Once the unauthenticated FORCERENEW packet is processed, the client becomes susceptible to a spoofed DHCP ACK packet. The existing client_handle_ack function then processes this malicious ACK packet, applying the attacker's desired network configuration. While client_handle_ack was not made vulnerable by a direct code change in this commit, it becomes the execution point for the attack's payload due to the preceding flaws.

These functions would appear in a runtime profile during exploitation: client_receive_message_udp would receive both the malicious FORCERENEW and ACK packets, client_handle_forcerenew would process the FORCERENEW, and client_handle_ack would process the subsequent spoofed ACK.
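
A detection-side view of the packet pair described above, as an added example (not code from Miggo or from systemd): it parses DHCP options from captured UDP payloads and flags a FORCERENEW (message type 9, RFC 3203) that carries no authentication option (option 90, RFC 3118), then any later ACK whose server identifier is not the expected one. The names audit, sample and trusted_server are hypothetical, the sample packets are constructed, and the check only tests that option 90 is present; it does not verify its contents.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"   # magic cookie following the 236-byte BOOTP header
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_AUTH = 53, 54, 90   # RFC 2132, RFC 3118
DHCPACK, DHCPFORCERENEW = 5, 9                       # RFC 2132, RFC 3203

def parse_options(payload):
    """Return {option_code: value} for a DHCP UDP payload, or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # pad option: no length byte
            i += 1
            continue
        if i + 1 >= len(payload):                    # truncated: no length byte
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:                      # truncated option value
            break
        opts[payload[i]] = value
        i += 2 + length
    return opts

def audit(payloads, trusted_server):
    """Flag FORCERENEW lacking option 90, then any ACK not from trusted_server."""
    findings, forced = [], False
    for n, payload in enumerate(payloads):
        opts = parse_options(payload)
        if opts is None:
            continue
        mtype = (opts.get(OPT_MSG_TYPE) or b"\x00")[0]
        if mtype == DHCPFORCERENEW and OPT_AUTH not in opts:
            findings.append((n, "unauthenticated FORCERENEW"))
            forced = True
        elif mtype == DHCPACK and forced and opts.get(OPT_SERVER_ID) != trusted_server:
            findings.append((n, "ACK from unexpected server after FORCERENEW"))
    return findings

def sample(mtype, server, auth=False):
    """Constructed packet for the demo: BOOTREPLY header plus minimal options."""
    opts = bytes([OPT_MSG_TYPE, 1, mtype, OPT_SERVER_ID, 4]) + server
    if auth:
        opts += bytes([OPT_AUTH, 11]) + bytes(11)    # placeholder, presence only
    return struct.pack("!BBBBI", 2, 1, 6, 0, 0x1234) + bytes(228) + MAGIC + opts + b"\xff"

GOOD, ROGUE = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 66])   # constructed addresses
```

Calling audit([sample(9, ROGUE), sample(5, ROGUE)], GOOD) reports both packets, while a FORCERENEW carrying option 90 followed by an ACK from the expected server reports nothing.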
