[th/systemd-dhcp-no-forcerenew] dhcp/systemd: ignore FORCERENEW requests for DHCPV4 to workaround CVE-2020-13529

Thomas Haller requested to merge th/systemd-dhcp-no-forcerenew into main

The FORCERENEW request was not authenticated (because neither rfc3118 nor rfc6704 is implemented). That is a potential security issue.

As a workaround, patch the source to ignore those requests. Note that the nettools implementation also ignores FORCERENEW requests, so if there would be a need to handle them, then it would be important to improve the nettools code (which is the main implementation).

The systemd DHCP plugin is no longer used by default. The user explicitly has to enable it via the undocumented "[main].dhcp=systemd" option in NetworkManager.conf. Hence, this change is probably not very important either way.

See-also: https://bugzilla.redhat.com/show_bug.cgi?id=1959398
See-also: https://github.com/systemd/systemd/issues/16774

https://bugzilla.redhat.com/show_bug.cgi?id=1966123
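The behaviour described above, as an added example that is not NetworkManager's or systemd's code: a bounds-checked walk of the DHCPv4 options field that finds the message type (option 53) and drops FORCERENEW (type 9), since the client has no way to verify it. The function names and the sample byte strings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* DHCP option codes (RFC 2132) and the FORCERENEW message type (RFC 3203). */
enum { OPT_PAD = 0, OPT_MESSAGE_TYPE = 53, OPT_END = 255 };
enum { DHCP_FORCERENEW = 9 };

/* Walk the options field (the bytes after the magic cookie) and return the
 * DHCP message type, or -1 if the field is malformed or lacks option 53. */
static int dhcp_message_type(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD)
            continue;                 /* single-byte padding, no length */
        if (code == OPT_END)
            break;
        if (i >= len)
            return -1;                /* length byte missing */
        uint8_t olen = opts[i++];
        if (olen > len - i)
            return -1;                /* option overruns the buffer */
        if (code == OPT_MESSAGE_TYPE)
            return olen == 1 ? opts[i] : -1;
        i += olen;
    }
    return -1;
}

/* Hypothetical policy hook: 1 = hand to the client state machine, 0 = drop.
 * FORCERENEW is dropped unconditionally because neither RFC 3118 nor
 * RFC 6704 authentication is available to verify the sender. */
static int client_should_process(const uint8_t *opts, size_t len)
{
    int type = dhcp_message_type(opts, len);
    if (type < 0 || type == DHCP_FORCERENEW)
        return 0;
    return 1;
}

/* Constructed sample option fields (not captured traffic). */
static const uint8_t sample_forcerenew[] = { 53, 1, 9, 255 };
static const uint8_t sample_ack[] = { 0, 53, 1, 5, 51, 4, 0, 0, 14, 16, 255 };
static const uint8_t sample_truncated[] = { 51, 4, 0, 0 };

int main(void)
{
    /* Exit status 0 means the FORCERENEW sample was dropped. */
    return client_should_process(sample_forcerenew, sizeof sample_forcerenew);
}
```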