Buggy One One One One – Command Injection Vulnerability on Red Hat Enterprise Linux

A remote code execution vulnerability was discovered in the DHCP client packages in Red Hat Enterprise Linux and its relatives such as Fedora and CentOS. The bug comes with a fancy number, CVE-2018-1111, which makes it a memorable one.

A malicious DHCP server could use this flaw to execute arbitrary commands with root privileges on systems where NetworkManager is configured to obtain network configuration using the DHCP protocol (on a Linux system, configuring network settings usually requires admin/root privileges). The flaw lets an attacker pass a command where data is supposed to be supplied.

Red Hat has been made aware of this flaw by Felix Wilhelm, a Google Security Engineer.

DHCP (Dynamic Host Configuration Protocol) is used to configure network-related information on hosts from a central server. When a host is connected to a network, it can issue DHCP requests to fetch network configuration parameters such as IP address, default router IP, DNS servers, and more.

The DHCP client package dhclient provided by Red Hat has a script /etc/NetworkManager/dispatcher.d/11-dhclient (in Red Hat Enterprise Linux 7) or /etc/NetworkManager/dispatcher.d/10-dhclient (in Red Hat Enterprise Linux 6) for the NetworkManager component, which is executed each time NetworkManager receives a DHCP response from a DHCP server. A malicious DHCP response could cause the script to execute arbitrary shell commands with root privileges.
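
The defensive counterpart to the flaw described above, as an added example that is not Red Hat's script or fix: a POSIX shell check that treats DHCP option values strictly as data and flags any that contain characters outside a small allowlist. The NAME=value input format, the allowlist and the function names are assumptions made for this example, and the sample lease is constructed.

```shell
#!/bin/sh
# Added example (not the Red Hat script): flag DHCP lease option values that
# contain anything beyond the characters addresses and host names need.
LC_ALL=C; export LC_ALL

# Hypothetical allowlist: letters, digits, and . _ : / , space -
# Returns 0 when every character of $1 is on the allowlist.
dhcp_value_is_safe() {
    leftover=$(printf '%s' "$1" | tr -d 'A-Za-z0-9._:/, -' | wc -c)
    [ "$leftover" -eq 0 ]
}

# Reads NAME=value lines on stdin (assumed input format, modelled on the
# DHCP4_* variables NetworkManager hands to dispatcher scripts) and prints
# the name of every DHCP4_*/DHCP6_* option whose value fails the allowlist.
scan_lease_options() {
    # IFS= and -r keep leading blanks and backslashes exactly as received.
    while IFS= read -r line || [ -n "$line" ]; do
        name=${line%%=*}
        value=${line#*=}
        case "$name" in
            DHCP4_*|DHCP6_*) ;;
            *) continue ;;   # not a lease option, ignore
        esac
        # The value is only inspected as a string; it is never evaluated.
        dhcp_value_is_safe "$value" || printf '%s\n' "$name"
    done
}

# Constructed sample lease: two ordinary options, two with metacharacters,
# and one non-DHCP variable that the scan must skip.
sample_lease() {
    cat <<'EOF'
DHCP4_IP_ADDRESS=192.0.2.10
DHCP4_DOMAIN_NAME_SERVERS=192.0.2.1 192.0.2.2
DHCP4_HOST_NAME=ws01;id
DHCP4_DOMAIN_NAME=example.test$(id)
PATH=/usr/bin;ignored
EOF
}

sample_lease | scan_lease_options
```

A check like this is a logging or triage aid for lease data; it does not replace installing the fixed packages listed below.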

Here is a tweet from Barkın Kılıç, a Turkish security enthusiast, with his proof-of-concept code for this vulnerability.

Vulnerable System/Software:

Red Hat Enterprise Linux Server 6

Red Hat Enterprise Linux Server 7

Red Hat Enterprise Linux 5 is not affected

Updates for Affected Products

Red Hat Enterprise Linux 7 (z-stream) – RHSA-2018:1453

Red Hat Enterprise Linux 7.4 Extended Update Support – RHSA-2018:1455

Red Hat Enterprise Linux 7.3 Extended Update Support – RHSA-2018:1456

Red Hat Enterprise Linux 7.2 Advanced Update Support, Telco Extended Update Support, and Update Services for SAP Solutions – RHSA-2018:1457

Red Hat Enterprise Linux 6 (z-stream) – RHSA-2018:1454

Red Hat Enterprise Linux 6.7 Extended Update Support – RHSA-2018:1458

Red Hat Enterprise Linux 6.6 Advanced Update Support and Telco Extended Update Support – RHSA-2018:1459

Red Hat Enterprise Linux 6.5 Advanced Update Support – RHSA-2018:1460

Red Hat Enterprise Linux 6.4 Advanced Update Support – RHSA-2018:1461

Red Hat Enterprise Virtualization 4.2 – RHSA-2018:1525, RHSA-2018:1524

In DHCP-based environments where NetworkManager is used by default, installing the updated DHCP packages is strongly recommended. No service restart is required: the script is executed only when a DHCP response arrives, not continuously, so once the package is updated, the next response automatically runs the updated script. Users are urged to keep systems updated and properly patched.


Sreedevi Jayachandran

Cyber Security Professional. She specializes in Threat Intelligence, SOC Designing, and Establishment with a holistic approach. As a young cyber enthusiast, she brings innovative thoughts in the field of practical cybersecurity within culturally diverse and strategically challenging environments
