A remote code execution vulnerability was discovered in the DHCP client packages in Red Hat Enterprise Linux together with its mates such as Fedora and Cent OS. The bug comes with a fancy number CVE-2018-1111 which makes it a memorable one.
A malicious DHCP server, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager which is configured to obtain network configuration using the DHCP protocol (on a Linux system, configuring network settings usually requires admin/root privileges). The flaw allows you to pass a command where you are supposed to supply data.
Red Hat has been made aware of this flaw by Felix Wilhelm, a Google Security Engineer.
The DHCP (Dynamic Host Configuration Protocol) protocol is used to configure network related information in hosts from a central server. When a host is connected to a network, it can issue DHCP requests to fetch network configuration parameter such as IP address, default router IP, DNS servers, and more.
The DHCP client package dhclient provided by Red Hat has a script /etc/NetworkManager/dispatcher.d/11-dhclient (in Red Hat Enterprise Linux 7) or /etc/NetworkManager/dispatcher.d/10-dhclient (in Red Hat Enterprise Linux 6) for the NetworkManager component, which is executed each time NetworkManager receives a DHCP response from a DHCP server. A malicious DHCP response could cause the script to execute arbitrary shell commands with root privileges.
Here is a tweet from a Barkın Kılıç, a Turkish security enthusiast with his Proof of Concept code for this vulnerability
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux 5 is not affected
Updates for Affected Products
Red Hat Enterprise Linux 7 (z-stream) – RHSA-2018:1453
Red Hat Enterprise Linux 7.4 Extended Update Support – RHSA-2018:1455
Red Hat Enterprise Linux 7.3 Extended Update Support – RHSA-2018:1456
Red Hat Enterprise Linux 7.2 Advanced Update Support, Telco Extended Update Support, and Update Services for SAP Solutions – RHSA-2018:1457
Red Hat Enterprise Linux 6 (z-stream)- RHSA-2018:1454
Red Hat Enterprise Linux 6.7 Extended Update Support – RHSA-2018:1458
Red Hat Enterprise Linux 6.6 Advanced Update Support and Telco Extended Update Support – RHSA-2018:1459
Red Hat Enterprise Linux 6.5 Advanced Update Support – RHSA-2018:1460
Red Hat Enterprise Linux 6.4 Advanced Update Support – RHSA-2018:1461
In DHCP based environments where Network Manager is used by default, installing updated DHCP packages is strongly recommended. No service restart required, the script is executed only when a DHCP response arrives and not continuously. So, after updating the package, when a new response arrives, the updated script will be executed automatically. Users are urged to keep systems updated and properly patched.