CVE-2016-2774

high-risk

Published 2016-03-09

ISC DHCP 4.1.x before 4.1-ESV-R13 and 4.2.x and 4.3.x before 4.3.4 does not restrict the number of concurrent TCP sessions, which allows remote attackers to cause a denial of service (INSIST assertion failure or request-processing outage) by establishing many sessions.

Do I need to act?

65.6% chance of exploitation in next 30 days

EPSS score — higher than 34% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (20)

Dhcp

Affected Vendors

Debian Canonical Isc

References (20)

Third Party Advisory http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183458.html

Third Party Advisory http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183640.html

Mailing List http://lists.opensuse.org/opensuse-updates/2016-07/msg00066.html

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2016-2590.html

Third Party Advisory http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

Third Party Advisory http://www.securityfocus.com/bid/84208

Third Party Advisory http://www.securitytracker.com/id/1035196

Vendor Advisory https://kb.isc.org/article/AA-01354

Third Party Advisory https://lists.debian.org/debian-lts-announce/2019/11/msg00023.html

Third Party Advisory https://usn.ubuntu.com/3586-1/