SoftEtherVPN/SoftEtherVPN

Enabling SecureNAT dhcp server in virtual hub exposes DHCP requests in local bridge?

Open

#325 opened on May 18, 2017

Labels: bug, help wanted, security, vulnerability

Description

I have a SoftEtherVPN server with:

  • a virtual hub for local LAN bridge.
  • 17 closed virtual hubs for customers (SecureNAT DHCP server is enabled)

It seems to continuously send 17 DHCP requests into the LAN every 2 seconds.

The syslog from the BUFFALO router:

[2017/05/18 9:20:11]<14>May 18 09:20:12 syslog: [DHCPS Request incoming from securenat-da50b12b8030(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:12 syslog: [DHCPS Sending ACK to 192.168.2.27]
[2017/05/18 9:20:16]<14>May 18 09:20:12 syslog: [DHCPS Request incoming from securenat-da4b3db9a03a(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:12 syslog: [DHCPS Sending ACK to 192.168.2.98]
[2017/05/18 9:20:16]<14>May 18 09:20:12 syslog: [DHCPS Request incoming from securenat-da27a101f809(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:12 syslog: [DHCPS Sending ACK to 192.168.2.100]
[2017/05/18 9:20:16]<14>May 18 09:20:12 syslog: [DHCPS Request incoming from securenat-da8a4ddc7317(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:12 syslog: [DHCPS Sending ACK to 192.168.2.78]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Request incoming from securenat-da349aac10f2(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Sending ACK to 192.168.2.88]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Request incoming from securenat-da239d215ce8(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Sending ACK to 192.168.2.94]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Request incoming from securenat-da47cd8d54fe(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Sending ACK to 192.168.2.85]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Request incoming from securenat-da4380cb8ce5(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Sending ACK to 192.168.2.25]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Request incoming from securenat-dae5a40d4430(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Sending ACK to 192.168.2.33]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Request incoming from securenat-daad45651ed1(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Sending ACK to 192.168.2.31]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Request incoming from securenat-da871b4ca5e5(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Sending ACK to 192.168.2.93]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Request incoming from securenat-da09d62e76d1(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Sending ACK to 192.168.2.80]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Request incoming from securenat-da3e3284a753(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Sending ACK to 192.168.2.32]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Request incoming from securenat-da545ac308e9(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:13 syslog: [DHCPS Sending ACK to 192.168.2.47]
[2017/05/18 9:20:16]<14>May 18 09:20:14 syslog: [DHCPS Request incoming from securenat-da62aa5a4aa9(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:14 syslog: [DHCPS Sending ACK to 192.168.2.23]
[2017/05/18 9:20:16]<14>May 18 09:20:14 syslog: [DHCPS Request incoming from securenat-dabed6be41c4(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:14 syslog: [DHCPS Sending ACK to 192.168.2.71]
[2017/05/18 9:20:16]<14>May 18 09:20:14 syslog: [DHCPS Request incoming from securenat-da8f880390d9(len:22)]
[2017/05/18 9:20:16]<14>May 18 09:20:14 syslog: [DHCPS Sending ACK to 192.168.2.99]

FYI, it says DHCPREQUEST is thrown when SecureNAT is enabled on vpnserver. Increasing dhcp_renew_interval will mitigate the frequency.

http://tamae.2ch.net/test/read.cgi/sec/1114435660/l50

367 Anonymous 2014/02/13 (Thu) 23:26:55.48
vpnserver fires off DHCPREQUESTs nonstop when secureNAT is in use, so I looked into it.
It looks like multiplying dhcp_renew_interval in Cedar/Virtual.c by 1000 solves it.
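
A check a LAN operator could run over the router's DHCP log to list which SecureNAT virtual hosts hold leases on the bridged LAN and how often each one renews. This is an added example, not part of the issue or of SoftEther's code; the line patterns follow the syslog quoted above, while the function names, the `year` parameter and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Patterns follow the router syslog lines quoted in the report.
REQ = re.compile(r"(\w{3} +\d+ \d\d:\d\d:\d\d) syslog: \[DHCPS Request incoming "
                 r"from (securenat-[0-9a-f]{12})\(len:\d+\)\]")
ACK = re.compile(r"syslog: \[DHCPS Sending ACK to (\d+\.\d+\.\d+\.\d+)\]")

def securenat_leases(lines, year=2017):
    """Map each SecureNAT virtual host seen by the LAN DHCP server to the
    address it was ACKed and the times it asked. `year` is an assumption:
    the syslog timestamp itself carries none."""
    seen = defaultdict(lambda: {"ip": None, "times": []})
    pending = None  # SecureNAT host whose request still awaits its ACK line
    for line in lines:
        req = REQ.search(line)
        if req:
            pending = req.group(2)
            stamp = datetime.strptime(f"{year} {req.group(1)}", "%Y %b %d %H:%M:%S")
            seen[pending]["times"].append(stamp)
            continue
        ack = ACK.search(line)
        if ack and pending:
            seen[pending]["ip"] = ack.group(1)
        pending = None  # any other line (or another host's request) breaks the pair
    return dict(seen)

def renew_gaps(leases):
    """Seconds between consecutive requests per host; gaps of a few seconds
    are the renew storm described in the report."""
    return {host: [int((b - a).total_seconds())
                   for a, b in zip(rec["times"], rec["times"][1:])]
            for host, rec in leases.items()}

# Constructed sample in the router's format; hostnames and addresses are made up.
P = "[2017/05/18 9:20:16]<14>May 18 09:20:"
SAMPLE = [
    P + "12 syslog: [DHCPS Request incoming from securenat-da0000000001(len:22)]",
    P + "12 syslog: [DHCPS Sending ACK to 192.168.2.201]",
    P + "12 syslog: [DHCPS Request incoming from laptop-01(len:9)]",
    P + "12 syslog: [DHCPS Sending ACK to 192.168.2.50]",
    P + "13 syslog: [DHCPS Request incoming from securenat-da0000000002(len:22)]",
    P + "13 syslog: [DHCPS Sending ACK to 192.168.2.202]",
    P + "14 syslog: [DHCPS Request incoming from securenat-da0000000001(len:22)]",
    P + "14 syslog: [DHCPS Sending ACK to 192.168.2.201]",
]

if __name__ == "__main__":
    leases = securenat_leases(SAMPLE)
    for host, gaps in renew_gaps(leases).items():
        print(host, leases[host]["ip"], len(leases[host]["times"]), gaps)
```

Any host it reports on a LAN that is only meant to carry the bridge hub's traffic is a SecureNAT instance from another hub that reached the LAN DHCP server.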
