CVE-2021-42755 Overview
CVE-2021-42755 is an integer overflow / wraparound vulnerability (CWE-190) affecting the DHCP daemon (dhcpd) in multiple Fortinet products. This vulnerability allows an unauthenticated attacker positioned on an adjacent network segment to crash the dhcpd daemon, resulting in a denial of service condition. The flaw impacts critical network infrastructure components including FortiOS, FortiSwitch, FortiProxy, FortiRecorder, and FortiVoiceEnterprise across numerous versions.
Critical Impact
An unauthenticated network-adjacent attacker can crash the DHCP daemon, disrupting network address assignment and potentially causing widespread network connectivity issues across the affected Fortinet infrastructure.
Affected Products
- Fortinet FortiSwitch 7.0.2 and below, 6.4.9 and below, 6.2.x, 6.0.x
- Fortinet FortiOS 7.0.2 and below, 6.4.8 and below, 6.2.10 and below, 6.0.x
- Fortinet FortiProxy 7.0.0, 2.0.6 and below, 1.2.x, 1.1.x, 1.0.x
- Fortinet FortiRecorder 6.4.2 and below, 6.0.10 and below
- Fortinet FortiVoiceEnterprise 6.4.3 and below, 6.0.10 and below
Discovery Timeline
- 2022-07-18 - CVE-2021-42755 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-42755
Vulnerability Analysis
This vulnerability resides in the DHCP daemon (dhcpd) component that is shared across multiple Fortinet products. The integer overflow condition occurs when the daemon processes specially crafted DHCP requests. When an integer value exceeds its maximum storage capacity, it wraps around to a minimum value, leading to unexpected behavior in memory allocation or buffer size calculations. In this case, the overflow results in a crash of the dhcpd process rather than memory corruption that could lead to code execution.
The attack requires the adversary to be on an adjacent network segment (same LAN or broadcast domain), which limits the exposure compared to remotely exploitable vulnerabilities. However, in enterprise environments where Fortinet devices serve as the primary DHCP infrastructure, exploitation could cause significant operational disruption by preventing new devices from obtaining IP addresses and potentially disrupting lease renewals.
Root Cause
The root cause is an integer overflow vulnerability (CWE-190) in the dhcpd daemon's handling of DHCP protocol data. When arithmetic operations on integer values exceed the maximum value that can be stored in the integer type, the value wraps around. This wraparound can cause incorrect buffer size calculations, leading to improper memory operations that crash the daemon. The vulnerable code fails to properly validate input values before performing arithmetic operations that could overflow.
Attack Vector
The attack vector requires network adjacency, meaning the attacker must be on the same local network segment as the vulnerable Fortinet device. The attacker sends specially crafted DHCP packets to the target device's dhcpd service. No authentication is required to exploit this vulnerability, and no user interaction is necessary.
The exploitation flow typically involves:
- Attacker connects to the same network segment as the vulnerable Fortinet device
- Attacker crafts malicious DHCP packets designed to trigger the integer overflow
- The dhcpd daemon processes the malicious packets
- Integer overflow occurs during packet processing
- The daemon crashes, causing denial of service
Since no verified code examples are available for this vulnerability, organizations should refer to the FortiGuard Security Advisory for detailed technical information about the exploitation mechanism.
Detection Methods for CVE-2021-42755
Indicators of Compromise
- Unexpected crashes or restarts of the dhcpd service on Fortinet devices
- DHCP service unavailability or client devices failing to obtain IP addresses
- Log entries indicating dhcpd process termination or core dumps
- Unusual DHCP traffic patterns from specific source MAC addresses on the local network
Detection Strategies
- Monitor Fortinet device logs for dhcpd daemon crashes or unexpected service restarts
- Implement network traffic analysis to detect anomalous DHCP packet patterns on local network segments
- Configure SNMP traps or syslog alerts for DHCP service status changes
- Deploy network sensors capable of inspecting DHCP protocol traffic for malformed packets
Monitoring Recommendations
- Enable comprehensive logging on all affected Fortinet devices and forward logs to a SIEM platform
- Set up automated alerts for DHCP service availability and health status
- Implement baseline monitoring for DHCP traffic volumes and packet characteristics
- Review DHCP-related logs regularly for signs of exploitation attempts or service instability
How to Mitigate CVE-2021-42755
Immediate Actions Required
- Identify all Fortinet devices in your environment running affected software versions
- Prioritize patching for devices providing DHCP services on critical network segments
- Apply network segmentation to limit exposure of DHCP services to trusted network segments only
- Consider implementing secondary DHCP servers as failover during the patching process
Patch Information
Fortinet has released security updates to address this vulnerability. Organizations should upgrade to the following minimum versions:
- FortiOS: Upgrade to version 7.0.3 or later, 6.4.9 or later, or 6.2.11 or later
- FortiSwitch: Upgrade to version 7.0.3 or later or 6.4.10 or later
- FortiProxy: Upgrade to version 7.0.1 or later or 2.0.7 or later
- FortiRecorder: Upgrade to version 6.4.3 or later or 6.0.11 or later
- FortiVoiceEnterprise: Upgrade to version 6.4.4 or later or 6.0.11 or later
For detailed patch information and download links, refer to the FortiGuard Security Advisory FG-IR-21-155.
Workarounds
- Restrict network access to DHCP services by implementing strict VLAN segmentation
- Use 802.1X port-based network access control to authenticate devices before they can send DHCP requests
- Deploy DHCP snooping on network switches to filter potentially malicious DHCP traffic
- Consider using alternative DHCP servers on critical segments until patches can be applied
# Example: Enable DHCP snooping on network switches (vendor-specific syntax varies)
# This helps filter DHCP traffic and can mitigate some attack vectors
# FortiSwitch configuration example
config switch-controller dhcp-snooping
set trusted-interface "port1"
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
