CVSS Score: -
Basic Information
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The vulnerability (CVE-2020-13529) stems from the improper handling of DHCP FORCERENEW packets in Systemd's DHCP client, as introduced by commit 615c1467c81411bf1d19fd7092e8995b5ebadc13. The commit adds support for FORCERENEW but, as stated in its own message, 'does not support authentication.'
client_handle_forcerenew is directly responsible for processing these FORCERENEW packets without the required authentication, making it the primary vulnerable function introduced by this patch.

The client_receive_message_udp function was also modified to relax XID (transaction ID) validation when the client is in DHCP_STATE_BOUND, the state in which FORCERENEW is handled. This change helps an attacker because a crafted FORCERENEW packet is more easily accepted and processed.

The client_handle_ack function then processes the attacker's subsequent ACK packet, applying the attacker's chosen network configuration. Although client_handle_ack was not changed by this commit, it becomes the point at which the attack's payload takes effect because of the preceding flaws.

During exploitation these functions would appear in a runtime profile: client_receive_message_udp would receive both the malicious FORCERENEW and ACK packets, client_handle_forcerenew would process the FORCERENEW, and client_handle_ack would process the subsequent spoofed ACK.
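As an added example (not part of this entry and not systemd's code), the following Python parser inspects a DHCP message as a client in the BOUND state would receive it and reports the two conditions the text describes: a FORCERENEW that carries no Authentication option, and a FORCERENEW whose transaction ID does not match the current lease. It assumes the standard wire layout: DHCP message type option 53 with value 9 meaning DHCPFORCERENEW (RFC 3203) and option 90 being the RFC 3118 Authentication option that RFC 3203 requires on FORCERENEW. The sample packets are constructed inline; the Authentication payload in the "authenticated" sample is placeholder bytes, since only its presence is checked here, not its HMAC.

```python
import struct
from typing import Dict, List

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53      # RFC 2132
OPT_AUTHENTICATION = 90    # RFC 3118
DHCP_ACK = 5
DHCP_FORCERENEW = 9        # RFC 3203


def parse_dhcp(packet: bytes) -> Dict:
    """Parse the fixed BOOTP header and the DHCP options list into a dict."""
    if len(packet) < 240:
        raise ValueError("packet too short for a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    yiaddr = packet[16:20]
    chaddr = packet[28:28 + hlen]
    if packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    msg_type = options.get(OPT_MESSAGE_TYPE)
    return {
        "op": op,
        "xid": xid,
        "yiaddr": ".".join(str(b) for b in yiaddr),
        "chaddr": chaddr.hex(":"),
        "message_type": msg_type[0] if msg_type else None,
        "options": options,
    }


def assess_forcerenew(packet: bytes, lease_xid: int) -> List[str]:
    """Findings for a packet received while BOUND; empty list means nothing suspicious."""
    msg = parse_dhcp(packet)
    findings: List[str] = []
    if msg["message_type"] != DHCP_FORCERENEW:
        return findings
    # RFC 3203 requires FORCERENEW to be authenticated; an unauthenticated one is the
    # case the unpatched client_handle_forcenew path would accept.
    if OPT_AUTHENTICATION not in msg["options"]:
        findings.append("FORCERENEW without RFC 3118 Authentication option (option 90)")
    # The relaxed XID check in BOUND state is what lets a mismatched xid through.
    if msg["xid"] != lease_xid:
        findings.append(
            f"FORCERENEW xid 0x{msg['xid']:08x} does not match lease xid 0x{lease_xid:08x}"
        )
    return findings


def build_dhcp(msg_type: int, xid: int, chaddr: bytes, extra_options: bytes = b"") -> bytes:
    """Construct a minimal server->client DHCP message (used only to build sample input)."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op=2 BOOTREPLY, Ethernet
    header += b"\x00" * 16                                    # ciaddr, yiaddr, siaddr, giaddr
    header += chaddr.ljust(16, b"\x00")                       # chaddr (16 bytes)
    header += b"\x00" * 192                                   # sname (64) + file (128)
    options = bytes([OPT_MESSAGE_TYPE, 1, msg_type]) + extra_options + bytes([OPT_END])
    return header + DHCP_MAGIC_COOKIE + options


# Constructed sample data (not captured traffic).
CLIENT_MAC = bytes.fromhex("02000000aa01")
LEASE_XID = 0x1A2B3C4D
# FORCERENEW with no Authentication option and an xid unrelated to the lease.
SAMPLE_UNAUTH_FORCERENEW = build_dhcp(DHCP_FORCERENEW, 0xDEADBEEF, CLIENT_MAC)
# FORCERENEW carrying an Authentication option; payload is placeholder bytes, not a real HMAC.
SAMPLE_AUTH_FORCERENEW = build_dhcp(
    DHCP_FORCERENEW, LEASE_XID, CLIENT_MAC,
    extra_options=bytes([OPT_AUTHENTICATION, 11]) + b"\x01\x01\x00" + b"\x00" * 8,
)
# Ordinary ACK for the current lease, which should produce no findings.
SAMPLE_ACK = build_dhcp(DHCP_ACK, LEASE_XID, CLIENT_MAC)

if __name__ == "__main__":
    for name, pkt in [("unauth", SAMPLE_UNAUTH_FORCERENEW),
                      ("auth", SAMPLE_AUTH_FORCERENEW), ("ack", SAMPLE_ACK)]:
        print(name, assess_forcerenew(pkt, LEASE_XID))
```

The same logic could be applied to a pcap feed of UDP/68 traffic on a monitored host: a FORCERENEW that is unauthenticated or carries the wrong xid is worth alerting on, because a compliant server should never send one.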