A pair of vulnerabilities in the DHCP client in Windows 10 and Windows Server 2019 allows attackers to execute code remotely, according to researchers at security firm Positive Technologies. DHCP is used on wired and wireless networks to assign IP addresses and other network configuration information.
“An attacker configures a DHCP server on their computer. The server responds to network configuration requests with malformed packets. On some networks, this attack is possible from a mobile phone or tablet,” Positive Technologies researcher Mikhail Tsvetkov said in a press release. “Then the attacker waits for a vulnerable Windows 10 computer to ask for a renewal of its IP address lease, which usually happens every few hours. By sending this invalid response, the attacker can obtain the rights of an anonymous user on the victim computer.”
Exploitation at this stage is still challenging for attackers, as anonymous users have limited system privileges, which prevents them from accessing system folders and the Windows registry and from modifying other user and system processes. It does, however, provide a useful entry point for continued escalation when paired with other vulnerabilities.
Nominally, attackers must be on the same network as the targeted system, though in organizations that use DHCP Relay to reach external DHCP servers, this limitation can be bypassed.
The pair of vulnerabilities, designated as CVE-2019-0697 and CVE-2019-0726, rely on sending “an abnormally large number of options in the DHCP response,” and a specially-crafted list of DNS suffixes, respectively. The vulnerabilities were patched in the March 2019 Patch Tuesday round of security updates.
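For defenders monitoring DHCP traffic on unpatched segments, the sketch below is an added example (not code from Positive Technologies or Microsoft) that parses a server reply and flags an unrecognised server identifier, an unusually high option count, or an oversized domain search list. The thresholds, the server allowlist and the `sample_reply` test data are assumptions made for illustration; they are not signatures for either CVE.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"        # DHCP magic cookie (RFC 2131)
MAX_OPTIONS = 64                   # assumption: alert threshold, tune per network
MAX_SEARCH_BYTES = 512             # assumption: alert threshold for option 119 data
KNOWN_SERVERS = {"192.0.2.1"}      # assumption: authorised servers (constructed address)

def parse_options(payload: bytes):
    """Return [(code, value)] from the options field of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = [], 240
    while i < len(payload) and payload[i] != 255:    # 255 = End
        code = payload[i]
        if code == 0:                                # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option runs past end of packet")
        opts.append((code, value))
        i += 2 + length
    return opts

def inspect_reply(payload: bytes):
    """Return a list of findings for one server-to-client DHCP message."""
    try:
        opts = parse_options(payload)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    if payload[0] != 2:                              # op 2 = BOOTREPLY
        return []
    servers = [socket.inet_ntoa(v) for c, v in opts if c == 54 and len(v) == 4]
    findings = [f"unknown-server: {s}" for s in servers if s not in KNOWN_SERVERS]
    if len(opts) > MAX_OPTIONS:
        findings.append(f"option-count: {len(opts)}")
    search = sum(len(v) for c, v in opts if c == 119)  # domain search, RFC 3397
    if search > MAX_SEARCH_BYTES:
        findings.append(f"domain-search-bytes: {search}")
    return findings

def sample_reply(server: str, n_options: int) -> bytes:
    """Constructed test data: a reply carrying n_options copies of option 12."""
    head = bytes([2, 1, 6, 0]) + bytes(232) + MAGIC
    body = bytes([53, 1, 5, 54, 4]) + socket.inet_aton(server)
    return head + body + bytes([12, 1, 0x61]) * n_options + b"\xff"
```

Feed `inspect_reply` the UDP payload of packets sent from port 67 to port 68; any finding is a reason to check which host answered and whether the client has the March 2019 updates.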