Buggy One One One One – Command Injection Vulnerability on Red Hat Enterprise Linux


A remote code execution vulnerability was discovered in the DHCP client packages in Red Hat Enterprise Linux, together with its mates such as Fedora and CentOS. The bug comes with a fancy number, CVE-2018-1111, which makes it a memorable one.

A malicious DHCP server could use this flaw to execute arbitrary commands with root privileges on systems where NetworkManager is configured to obtain network configuration using the DHCP protocol (on a Linux system, configuring network settings usually requires admin/root privileges). The flaw is a command injection: a command can be passed where only data is supposed to be supplied.


Red Hat was made aware of this flaw by Felix Wilhelm, a Google security engineer.

DHCP (Dynamic Host Configuration Protocol) is used to configure network-related information on hosts from a central server. When a host is connected to a network, it can issue DHCP requests to fetch network configuration parameters such as its IP address, default router IP, DNS servers, and more.

The DHCP client package dhclient provided by Red Hat has a script /etc/NetworkManager/dispatcher.d/11-dhclient (in Red Hat Enterprise Linux 7) or /etc/NetworkManager/dispatcher.d/10-dhclient (in Red Hat Enterprise Linux 6) for the NetworkManager component, which is executed each time NetworkManager receives a DHCP response from a DHCP server. A malicious DHCP response could cause the script to execute arbitrary shell commands with root privileges.
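The bug class described above, data from the network ending up where the shell parses it as code, shown as an added example. This is a simplified illustration and not Red Hat's dispatcher script; the function names, the OPT_DOMAIN variable and the sample value are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration of the bug class; simplified, NOT Red Hat's dispatcher script.
# All names (import_option_*, OPT_DOMAIN, SAMPLE_VALUE) are hypothetical.

# UNSAFE: the value is pasted into a string that the shell parses again as code.
import_option_unsafe() {    # $1 = variable name, $2 = value received from the network
    eval "export $1=$2"
}

# SAFER: validate the name, then assign without ever re-parsing the value.
import_option_safe() {
    case "$1" in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;    # not a valid identifier
    esac
    export "$1=$2"
}

# Defence in depth: flag values with characters outside a small allowlist.
is_plain_data() {
    case "$1" in
        ''|*[!A-Za-z0-9._:,/-]*) return 1 ;;
    esac
    return 0
}

# Constructed sample: a harmless command substitution standing in for hostile input.
SAMPLE_VALUE='$(echo EXECUTED)'

# Each demo runs in a subshell and prints what ended up in the variable.
demo_unsafe() { ( import_option_unsafe OPT_DOMAIN "$SAMPLE_VALUE"; printf '%s' "$OPT_DOMAIN" ); }
demo_safe()   { ( import_option_safe   OPT_DOMAIN "$SAMPLE_VALUE"; printf '%s' "$OPT_DOMAIN" ); }

printf 'unsafe import: %s\n' "$(demo_unsafe)"    # the embedded command ran
printf 'safe import:   %s\n' "$(demo_safe)"      # the value stayed literal text
is_plain_data "$SAMPLE_VALUE" || printf 'flagged: value contains shell metacharacters\n'
```

In a script that runs as root on every DHCP response, the difference between the two import functions is the difference between storing a string and running it.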

Barkın Kılıç, a Turkish security enthusiast, published proof-of-concept code for this vulnerability in a tweet.

Vulnerable System/Software:

Red Hat Enterprise Linux Server 6

Red Hat Enterprise Linux Server 7

Red Hat Enterprise Linux 5 is not affected

Updates for Affected Products

Red Hat Enterprise Linux 7 (z-stream) – RHSA-2018:1453

Red Hat Enterprise Linux 7.4 Extended Update Support – RHSA-2018:1455

Red Hat Enterprise Linux 7.3 Extended Update Support – RHSA-2018:1456

Red Hat Enterprise Linux 7.2 Advanced Update Support, Telco Extended Update Support, and Update Services for SAP Solutions – RHSA-2018:1457

Red Hat Enterprise Linux 6 (z-stream) – RHSA-2018:1454

Red Hat Enterprise Linux 6.7 Extended Update Support – RHSA-2018:1458

Red Hat Enterprise Linux 6.6 Advanced Update Support and Telco Extended Update Support – RHSA-2018:1459

Red Hat Enterprise Linux 6.5 Advanced Update Support – RHSA-2018:1460

Red Hat Enterprise Linux 6.4 Advanced Update Support – RHSA-2018:1461

Red Hat Enterprise Virtualization 4.2 – RHSA-2018:1525, RHSA-2018:1524

In DHCP-based environments where NetworkManager is used by default, installing the updated DHCP packages is strongly recommended. No service restart is required, because the script is executed only when a DHCP response arrives, not continuously. After the package is updated, the updated script is executed automatically the next time a response arrives. Users are urged to keep systems updated and properly patched.

