Protecting Against the Latest Windows DHCP Vulnerabilities

Tal Zamir
March 19, 2019

Microsoft’s recent security patches, released on “Patch Tuesday,” reveal more vulnerabilities with Windows Dynamic Host Configuration Protocol (DHCP). Here’s what they imply and how Hysolate protects against them.

Quick Summary:

Of the 64 bugs squashed in Redmond’s March update, three caught our eye: CVE-2019-0697, CVE-2019-0698, and CVE-2019-0726, all of which address holes in the DHCP server component for Windows. This makes it the third month in a row with a Critical-rated DHCP bug!

Any of these flaws, the newly disclosed ones and the older ones alike, could allow an attacker on the local network to achieve remote code execution on a targeted machine simply by sending a malformed DHCP packet.

Pulling off such an attack, which requires a man-in-the-middle position inside your LAN, could have wide-ranging consequences.

Hysolate protects against this. Our unique network isolation safeguards your endpoints, and company secrets, even if an attacker is within your LAN, by segregating DHCP and other network communication.

Explaining the Problem:

Since these vulnerabilities are fairly fresh, we will not help the bad guys by describing or presenting our analysis regarding them. Instead, we will briefly explain another slightly older vulnerability: CVE-2019-0626.

It all starts from the DHCP protocol “vendor specific options”:

This option is used by clients and servers to exchange vendor-specific information. The information is an opaque object of octets, presumably interpreted by vendor-specific code on the clients and servers. The definition of this information is vendor specific. [RFC2132]

Essentially, a function within the DHCP service core DLL fails to validate the size of this option correctly, which opens the door to heap overflow exploitation by any MiTM attacker resident inside your LAN. If the attacker also bypasses the other Windows heap overflow mitigations, he could potentially achieve both out-of-bounds (OOB) read and write in the Windows DHCP service.
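The check the text describes as missing, shown as an added example (not Microsoft’s or Hysolate’s code): a bounds-checked walk over the DHCP option area that rejects any option whose declared length runs past the end of the packet or past the destination buffer before a single byte is copied. The option codes are RFC 2132 values; VENDOR_BUF_MAX and the sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DHCP_OPT_PAD             0    /* RFC 2132 section 3.1 */
#define DHCP_OPT_VENDOR_SPECIFIC 43   /* RFC 2132 section 8.4 */
#define DHCP_OPT_END             255  /* RFC 2132 section 3.2 */

/* Our own cap on how much vendor-specific payload we keep (example choice, not a protocol limit). */
#define VENDOR_BUF_MAX 64

/* Walks the TLV option area of a DHCP message and copies the option 43 payload into out.
 * Returns the payload length, 0 if the option is absent, -1 if the options are malformed.
 * Each length byte is validated against the bytes actually remaining in the packet, and
 * then against the destination capacity, before anything is read or copied. */
int extract_vendor_specific(const uint8_t *opts, size_t opts_len, uint8_t *out, size_t out_cap)
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_END) return 0;          /* end of options, option 43 not present */
        if (code == DHCP_OPT_PAD) continue;          /* single-byte option, no length field */
        if (i >= opts_len) return -1;                /* code byte with no length byte after it */
        size_t len = opts[i++];
        if (len > opts_len - i) return -1;           /* declared length runs past the packet */
        if (code == DHCP_OPT_VENDOR_SPECIFIC) {
            if (len > out_cap) return -1;            /* would overflow the destination buffer */
            memcpy(out, opts + i, len);
            return (int)len;
        }
        i += len;                                    /* skip options we are not interested in */
    }
    return -1;                                       /* ran off the end without an END option */
}

/* Constructed samples (not captured traffic). */
static const uint8_t kGoodOpts[]      = { 53, 1, 1, 43, 4, 0xde, 0xad, 0xbe, 0xef, 255 };
static const uint8_t kTruncatedOpts[] = { 43, 200, 0x01, 0x02 };   /* claims 200 bytes, 2 follow */
static const uint8_t kNoVendorOpts[]  = { 53, 1, 2, 255 };

int main(void)
{
    uint8_t out[VENDOR_BUF_MAX];
    printf("well-formed: %d\n", extract_vendor_specific(kGoodOpts, sizeof kGoodOpts, out, sizeof out));
    printf("truncated:   %d\n", extract_vendor_specific(kTruncatedOpts, sizeof kTruncatedOpts, out, sizeof out));
    printf("no option:   %d\n", extract_vendor_specific(kNoVendorOpts, sizeof kNoVendorOpts, out, sizeof out));
    return 0;
}
```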

An Easy, Effective Solution:

Hysolate’s approach to mitigating such threats is as easy as it is effective. With Hysolate, your machines never communicate directly with any DHCP server in the outside world. Hysolate’s isolated network design ensures your machines receive DHCP packets only from the secure network component. Thus, there is no way to inject or control DHCP response packets directly into the sensitive corporate environment, or even the internet environment. Even if an attacker tries to exploit such vulnerabilities, the malicious packets will never reach their destination.

Learn more about how Hysolate extends network segmentation solutions all the way down to the endpoint. Request a demo with a specialist to see for yourself.

Tal Zamir

Tal is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works. An entrepreneur at heart, he has pioneered multiple breakthrough cybersecurity and virtualization products. Before founding Hysolate, Tal incubated next-gen end-user computing products in the CTO office at VMware. Earlier, he was part of the leadership team at Wanova, a desktop virtualization startup acquired by VMware. Tal began his career in an elite IDF technology unit, leading mission-critical cybersecurity projects that won the prestigious Israeli Defense Award. He holds multiple US patents as well as an M.Sc. degree in Computer Science, and the honor of valedictorian, from the Technion.