DHCP Client Script Code Execution Vulnerability - CVE-2018-1111

Updated -

Overview

Red Hat Product Security is responding to a flaw in the DHCP packages as shipped with Red Hat Enterprise Linux 6 and 7. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute code with administrative privileges on systems obtaining network configuration using DHCP protocol. This issue has been assigned CVE-2018-1111 and has been rated as having a security impact of Critical.

Affected Products

  • Red Hat Enterprise Linux Server 6
  • Red Hat Enterprise Linux Server 7

Notes:

  • RHV-H and RHV-M ships the vulnerable script, but it's not used; because for RHV-M NetworkManager service is turned off by default and in RHV-H Network Manager with DHCP is an unsupported configuration. We plan to re-spin images to ensure latest packages are available to our customers.
  • OpenShift Container Platform nodes will need to apply updates from the RHEL channels. OpenShift Online nodes are not vulnerable due to the VPC (virtual private cloud) mitigating the flaw.
  • OpenStack does not directly use NetworkManager and DHCP, some components may be exposed depending on their configuration​. Please refer to article for detailed advice.
  • The upstream DHCP project (http://www.isc.org/downloads/DHCP/) does not provide the impacted script and is not impacted by this flaw.

Background Information

The DHCP protocol is used to configure network related information in hosts from a central server. When a host is connected to a network, it can issue DHCP requests to fetch network configuration parameter such as IP address, default router IP, DNS servers, and more.

Additional Details

DHCP client packages provide a script /etc/NetworkManager/dispatcher.d/11-dhclient (in Red Hat Enterprise Linux 7) or /etc/NetworkManager/dispatcher.d/10-dhclient (in Red Hat Enterprise Linux 6) for the NetworkManager component, which is executed each time NetworkManager receives a DHCP response from a DHCP server. A malicious DHCP response could cause the script to execute arbitrary shell commands with root privileges.

Resolution

Red Hat strongly recommends to update impacted systems. Links to released Errata can be found on the Resolve tab in our Vulnerability Article.

No service restart required, script is executed only when a dhcp response arrives and not continuously. So after updating the package, when a new response arrives, updated script will be executed automatically.

Comments