CVE-2020-7461

HIGH

FreeBSD Heap Overflow via DHCP Option 119 Handling

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-7461. PoCs published by knqyf263, 0xkol.

Description

In FreeBSD 12.1-STABLE before r365010, 11.4-STABLE before r365011, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, dhclient(8) fails to handle certain malformed input related to handling of DHCP option 119, resulting in a heap overflow. The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit.

Exploits (2)

nomisec WORKING POC 15 stars
by knqyf263 · poc
https://github.com/knqyf263/CVE-2020-7461

This repository contains a functional PoC for CVE-2020-7461, a DHCP vulnerability (NAME:WRECK) in FreeBSD. The exploit causes a DoS by sending a malformed DHCP ACK packet with an invalid forward pointer in the DHCP Domain Search option, leading to a segmentation fault in the victim's dhclient.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: FreeBSD 12.1-STABLE r364849 (dhclient)
No auth needed
Prerequisites: Network access to the target's DHCP client · Ability to sniff and respond to DHCP requests
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by 0xkol · poc
https://github.com/0xkol/freebsd-dhclient-poc

This repository contains a functional PoC for CVE-2020-7461, a heap-based buffer overflow in FreeBSD's dhclient when parsing DHCP option 119. The exploit leverages a compression scheme flaw in the `find_search_domain_name_len` function to trigger a buffer overrun.

Classification: Working PoC 100%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: FreeBSD dhclient (versions prior to the fix)
No auth needed
Prerequisites: Network access to a vulnerable FreeBSD system running dhclient
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3: 7.3
EPSS: 0.0447
EPSS Percentile: 90.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE: CWE-787
Status: published
Products (5):
- freebsd/freebsd 11.3 (13 CPE variants)
- freebsd/freebsd 11.4 (3 CPE variants)
- freebsd/freebsd 12.1 (9 CPE variants)
- siemens/simatic_rf350m_firmware
- siemens/simatic_rf650m_firmware
Published: Mar 26, 2021
Tracked Since: Feb 18, 2026