Protecting Against the Latest Windows DHCP Vulnerabilities

By Aviram Shemesh. March 19, 2019

Microsoft’s recent security patches, released on “Patch Tuesday,” reveal more vulnerabilities with Windows Dynamic Host Configuration Protocol (DHCP). Here’s what they imply and how Hysolate protects against them.

Quick Summary:

Of the 64 bugs squashed in Redmond’s March update, three caught our eyes: CVE-2019-0697, CVE-2019-0698, and CVE-2019-0726, all of which address holes in the DHCP server component for Windows. It will be the third month in a row with a Critical-rated DHCP bug!

Any of these flaws, both recently discovered and older, could allow an attacker on the local network to achieve remote code execution on a targeted machine simply by sending a malformed DHCP network packet.

Pulling off such an attack, which requires a man-in-the-middle inside your LAN, could lead to wide-ranging consequences.

Hysolate protects against this. Our unique network isolation safeguards your endpoints, and company secrets, even if an attacker is within your LAN, by segregating DHCP and other network communication.

Explaining the Problem:

Since these vulnerabilities are fairly fresh, we will not help the bad guys by describing or presenting our analysis regarding them. Instead, we will briefly explain another slightly older vulnerability: CVE-2019-0626.

It all starts from the DHCP protocol “vendor specific options”:

This option is used by clients and servers to exchange vendor-specific information. The information is an opaque object of octets, presumably interpreted by vendor-specific code on the clients and servers.  The definition of this information is vendor specific. [RFC2132]

Essentially, the function within the DHCP service core DLL fails to validate this option's size correctly, which leads to a potential heap overflow that any man-in-the-middle attacker inside your LAN could exploit. So, if the attacker bypasses the other Windows heap overflow mitigations, he could potentially achieve both out-of-bounds (OOB) read and write on the Windows DHCP service.
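To show what correct size validation of this option looks like, here is an added example of a bounds-checked walk over the DHCP options field; it is not Microsoft's or Hysolate's code. The function name, buffer size and sample byte arrays are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_PAD 0
#define OPT_VENDOR_SPECIFIC 43 /* RFC 2132 vendor specific information */
#define OPT_END 255
#define VENDOR_BUF_MAX 64      /* assumed size of the destination buffer */

/* Constructed sample option fields (code, length, value...). */
static const uint8_t sample_ok[] = {53, 1, 2, 43, 4, 0xde, 0xad, 0xbe, 0xef, 255};
static const uint8_t sample_truncated[] = {53, 1, 2, 43, 10, 0x01, 0x02, 255};
static const uint8_t sample_oversize[2 + 100] = {43, 100}; /* value is zero-filled */
static uint8_t vendor_buf[VENDOR_BUF_MAX];

/* Copy option 43 into out. Returns bytes copied, 0 if the option is absent
 * or empty, -1 if the field is malformed or the value does not fit in out.
 * Hypothetical helper written for this example. */
int copy_vendor_option(const uint8_t *opts, size_t opts_len,
                       uint8_t *out, size_t out_cap)
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD) continue;      /* pad has no length byte */
        if (code == OPT_END) return 0;
        if (i >= opts_len) return -1;       /* length byte is missing */
        size_t len = opts[i++];
        if (len > opts_len - i) return -1;  /* value would be read past the packet */
        if (code == OPT_VENDOR_SPECIFIC) {
            if (len > out_cap) return -1;   /* value would be written past out */
            memcpy(out, opts + i, len);
            return (int)len;
        }
        i += len;                           /* skip options we do not parse */
    }
    return 0;                               /* no end option: nothing found */
}

int main(void)
{
    printf("ok: %d\n", copy_vendor_option(sample_ok, sizeof sample_ok, vendor_buf, sizeof vendor_buf));
    printf("truncated: %d\n", copy_vendor_option(sample_truncated, sizeof sample_truncated, vendor_buf, sizeof vendor_buf));
    printf("oversize: %d\n", copy_vendor_option(sample_oversize, sizeof sample_oversize, vendor_buf, sizeof vendor_buf));
    return 0;
}
```

The two length comparisons are separate on purpose: the first guards the read from the packet, the second guards the write into the fixed-size buffer.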

An Easy, Effective Solution:

Hysolate’s approach to mitigating such threats is as easy as it is effective. With Hysolate, your machines never communicate directly with any DHCP server in the outside world. Hysolate’s isolated network design ensures your machines get DHCP packets only from the secure network component. Thus, there is no way to inject or control DHCP response packets sent directly to the sensitive corporate environment or even the internet environment. Even if an attacker tries to maliciously exploit such vulnerabilities, the malicious packets will never reach their destination.

About the Author

Aviram is a skilled cyber security researcher and manager. He serves as Hysolate's Security Research Team Lead.
