by Mitja Kolsek, the 0patch Team
Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch for CVE-2020-0662, a remote memory corruption vulnerability in DHCP message processing.
Microsoft patched this vulnerability with the February 2020 updates, but Windows 7 and Server 2008 users without Extended Security Updates remained vulnerable.
Security researcher Spencer McIntyre (@zeroSteiner) analyzed this vulnerability and published a POC, from which we could reproduce the issue and create a micropatch.
MODULE_PATH "..\Affected_Modules\ipnathlp.dll"
PATCH_ID 454
PATCH_FORMAT_VER 2
VULN_ID 5909
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x1AB45
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
PIT ipnathlp.dll!0x1AB94
; Added check for hardware address length, must be <= 0x20
code_start
mov al, [rsi+0xE6] ; [rsi+0xE6] = value of hardware address length
cmp al, 0x20 ; compare hardware address length with 0x20
jbe RestoreCodeFlow ; continue with the original code if hardware address length is <= 0x20
call PIT_ExploitBlocked ; report a blocked exploit if hardware address length is > 0x20
call GetText ; pushes the address of the error text that follows
db 'DhcpProcessMessage: ignoring message since HWAdderLength is greater than MAX_HARDWARE_ADDRESS_LENGTH',0 ; Error message
GetText:
pop rdx ; set rdx to the error text address, as in Microsoft's original patch
jmp PIT_0x1AB94 ; jump so the code flow matches Microsoft's patch
RestoreCodeFlow:
code_end
patchlet_end
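The same bounds check written in C, as an added example that is not 0patch's or Microsoft's code. The 0x20 limit and the constant name come from the patchlet above, the field offsets follow RFC 2131, and the function and struct names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Limit from the micropatch's compare value (0x20), named after its error
   string. Offsets follow RFC 2131; all other names are hypothetical. */
#define MAX_HARDWARE_ADDRESS_LENGTH 0x20
#define DHCP_FIXED_HEADER_LEN 236  /* fixed fields that precede the options */
#define DHCP_HLEN_OFFSET 2         /* op, htype, hlen */
#define DHCP_CHADDR_OFFSET 28      /* client hardware address field */

struct client_record {             /* hypothetical per-client state */
    uint8_t hw_addr[MAX_HARDWARE_ADDRESS_LENGTH];
    uint8_t hw_len;
};

/* Returns 0 if the client was recorded, -1 if the message was ignored. */
int dhcp_record_client(const uint8_t *msg, size_t msg_len,
                       struct client_record *out)
{
    if (msg == NULL || out == NULL || msg_len < DHCP_FIXED_HEADER_LEN)
        return -1;                 /* truncated: fixed fields incomplete */

    uint8_t hlen = msg[DHCP_HLEN_OFFSET];  /* sender-controlled, 0..255 */

    /* Same comparison as the patchlet: anything above the limit is dropped
       before the length is used, so the copy below cannot overrun hw_addr. */
    if (hlen > MAX_HARDWARE_ADDRESS_LENGTH)
        return -1;

    memset(out, 0, sizeof *out);
    memcpy(out->hw_addr, msg + DHCP_CHADDR_OFFSET, hlen);
    out->hw_len = hlen;
    return 0;
}

/* Constructed input: a zeroed BOOTREQUEST header carrying the given hlen.
   Returns the recorded length, or -1 if the message was ignored. */
int try_hlen(uint8_t hlen)
{
    uint8_t msg[DHCP_FIXED_HEADER_LEN] = {0};
    struct client_record rec;
    msg[0] = 1;                    /* op = BOOTREQUEST */
    msg[DHCP_HLEN_OFFSET] = hlen;
    return dhcp_record_client(msg, sizeof msg, &rec) == 0 ? rec.hw_len : -1;
}

int main(void) { return try_hlen(6) == 6 && try_hlen(0x21) == -1 ? 0 : 1; }
```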
We'd like to thank Spencer McIntyre (@zeroSteiner) for sharing their analysis and POC, and for additional assistance in reproducing the bug, which allowed us to create this micropatch for Windows users without official security updates.
This micropatch is immediately available to all 0patch users with a PRO license, and is targeted at Windows 7 and Windows Server 2008 R2 users without Extended Security Updates. To obtain the micropatch and have it applied on your computer(s) along with other micropatches included with a PRO license, create an account in 0patch Central, install 0patch Agent and register it to your account. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.
To learn more about 0patch, please visit our Help Center.