Red Hat Linux DHCP Client affected by a command injection flaw, patch it now!

Red Hat has announced a critical vulnerability in its DHCP client tracked as CVE-2018-1111 that could be exploited by attackers to execute arbitrary commands with root privileges on targeted systems.

Felix Wilhelm from the Google security team discovered a critical remote command injection vulnerability in the DHCP client implementation of Red Hat Linux, the issue also affects other distros based on it like Fedora.

The vulnerability, tracked as CVE-2018-1111, could be exploited by attackers to execute arbitrary commands with root privileges on targeted systems.

“Red Hat has been made aware of a command injection flaw found in a script included in the DHCP client (dhclient) packages in Red Hat Enterprise Linux 6 and 7.” reads the security advisory published by Red Hat.

“A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager which is configured to obtain network configuration using the DHCP protocol.”

The DHCP client application receives network configuration parameters, including IP address and DNS servers, from the DHCP (Dynamic Host Control Protocol) server.

The CVE-2018-1111 command injection flaw resides in the NetworkManager integration script of the DHCP client packages in Red Hat Enterprise Linux.

The researcher Barkın Kılıç published a PoC for the CVE-2018-1111, in the last screenshot the attacker accesses the shell as root.

Wilhelm did not release a PoC exploit code, but he explained that is so short in length that it even can fit in a tweet.

According to Wilhelm, an attacker using a malicious DHCP server, or connected to the same network as the victim, can exploit this vulnerability by spoofing DHCP responses, eventually allowing them to run arbitrary commands with root privileges on the victim’s system running vulnerable DHCP client.

The vulnerability affects Red Hat Enterprise Linux 6 and 7, admins should update their packages to the newer versions as soon as they are available.

“Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers,” Red Hat warns.

Below the full list of affected RHEL versions:

Advanced Update Support 6.4; Extended Update Support 7.3; Advanced Update Support 6.6; Red Hat Enterprise Linux 6; Extended Update Support 6.7; Advanced Update Support 7.2; Server TUS (v.6.6); RHEL 7; Extended Update Support 7.4; Virtualization 4 Management Agent for RHEL 7 Hosts; Advanced Update Support 6.5; and Linux Server TUS (v. 7.2).

Red Hat’s update services for SAP Solutions on x86 and IBM Power architectures are also affected.

Fedora has already released new versions of DHCP packages containing fixes for Fedora 26, 27, and 28.

Other Linux distros like OpenSUSE and Ubuntu are not affected by the vulnerability because their DHCP client implementation doesn’t include NetworkManager integration script by default.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CVE-2018-1111, DHCP Client flaw)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.