DHCP Client Script Code Execution Vulnerability - CVE-2018-1111
Red Hat has been made aware of a command injection flaw found in a script included in the DHCP client (dhclient) packages in Red Hat Enterprise Linux 6 and 7.
A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager which is configured to obtain network configuration using the DHCP protocol.
Background Information
The DHCP protocol is used to configure network related information in hosts from a central server. When a host is connected to a network, it can issue DHCP requests to fetch network configuration parameter such as IP address, default router IP, DNS servers, and more.
The DHCP client package dhclient provided by Red Hat has a script /etc/NetworkManager/dispatcher.d/11-dhclient (in Red Hat Enterprise Linux 7) or /etc/NetworkManager/dispatcher.d/10-dhclient (in Red Hat Enterprise Linux 6) for the NetworkManager component, which is executed each time NetworkManager receives a DHCP response from a DHCP server. A malicious DHCP response could cause the script to execute arbitrary shell commands with root privileges.
Acknowledgments
Red Hat would like to thank Felix Wilhelm from the Google Security Team for reporting this flaw.
Impacted Products
Red Hat Product Security has rated this issue (CVE-2018-1111) as having a security impact of Critical
The following Red Hat product versions are impacted:
- Red Hat Enterprise Linux Server 6
- Red Hat Enterprise Linux Server 7
Notes:
- Red Hat Enterprise Virtualization 4.1 Hypervisor and Management Appliance include the vulnerable script, but it is not used; because for RHV-M the NetworkManager service is turned off by default and in the Hypervisor, Network Manager with DHCP is an unsupported configuration. Red Hat Enterprise Virtualization 4.2 includes the updated packages that address this flaw.
- OpenShift Container Platform nodes will need to apply updates from the RHEL channels. OpenShift Online nodes are not vulnerable due to the VPC (virtual private cloud) mitigating the flaw.
- OpenStack does not directly use NetworkManager and DHCP, some components may be exposed depending on their configuration. Please refer to article for detailed advice.
- The upstream dhcp project (http://www.isc.org/downloads/DHCP/) does not provide the impacted script and is not impacted by this flaw.
No service restart required, script is executed only when a dhcp response arrives and not continuously. So after updating the package, when a new response arrives, updated script will be executed automatically.
All Red Hat customers running affection versions of dhclient package are strongly recommended to update packages as soon as they available.
Updates for Affected Products
| Product | Package | Advisory/Update |
|---|---|---|
| Red Hat Enterprise Linux 7 (z-stream) | dhclient | RHSA-2018:1453 |
| Red Hat Enterprise Linux 7.4 Extended Update Support * | dhclient | RHSA-2018:1455 |
| Red Hat Enterprise Linux 7.3 Extended Update Support * | dhclient | RHSA-2018:1456 |
Red Hat Enterprise Linux 7.2 Advanced Update Support, Telco Extended Update Support, and Update Services for SAP Solutions **,***,**** | dhclient | RHSA-2018:1457 |
| Red Hat Enterprise Linux 6 (z-stream) | dhclient | RHSA-2018:1454 |
| Red Hat Enterprise Linux 6.7 Extended Update Support * | dhclient | RHSA-2018:1458 |
| Red Hat Enterprise Linux 6.6 Advanced Update Support and Telco Extended Update Support **,*** | dhclient | RHSA-2018:1459 |
| Red Hat Enterprise Linux 6.5 Advanced Update Support ** | dhclient | RHSA-2018:1460 |
| Red Hat Enterprise Linux 6.4 Advanced Update Support ** | dhclient | RHSA-2018:1461 |
| Red Hat Enterprise Virtualization 4.2 | rhvm-appliance | RHSA-2018:1525 |
Red Hat Enterprise Virtualization 4.2 | redhat-virtualization-host | RHSA-2018:1524 |
* An active EUS subscription is required for access to this patch. Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active EUS subscription.
What is the Red Hat Enterprise Linux Extended Update Support Subscription?
** An active AUS subscription is required for access to this patch in Red Hat Enterprise Linux Advanced Update Support.
What is Advanced mission critical Update Support (AUS)?
*** An active TUS subscription is required for access to this patch in Red Hat Enterprise Linux Telco Extended Update Support.
**** An active RHEL for SAP Solutions subscription is required for access to this patch in Red Hat Enterprise Linux Update Services for SAP Solutions.
What is the Red Hat Enterprise Linux for SAP Solutions subscription?
MITIGATION
In DHCP based environments where NetworkManager is used by default, installing updated DHCP packages is strongly recommended.
NOTES :
Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers. Red Hat strongly recommends to update to packages which resolve this issue as soon as possible.
Systems using static IP configuration are not affected by this issue. Systems using dynamic IP configuration from DHCP server that do not use NetworkManager and use initrc scripts are also not affected, as the vulnerable script is not executed.
Comments