Is my RHOSP environment affected by CVE-2018-1111?

Solution Verified - Updated -

Environment

  • Red Hat OpenStack Platform 12
  • Red Hat OpenStack Platform 11
  • Red Hat OpenStack Platform 10
  • Red Hat OpenStack Platform 9
  • Red Hat OpenStack Platform 8

Issue

RHEL servers which have been configured to use NetworkManager and DHCP for network configuration are affected by CVE-2018-1111. A malicious DHCP server could use this flaw to execute code with root privileges.

This vulnerability specifically impacts the RHEL dhclient package. The critical RHSA update issued for this vulnerability requires that customers install the updated package on all RHEL systems, specifically if using NetworkManager with interfaces configured using DHCP.

This document is written to answer the following questions:

  • Is my RHOSP undercloud vulnerable to CVE-2018-1111?
  • Are instances in my RHOSP cloud vulnerable to CVE-2018-1111?
  • What can I do to protect my RHOSP environment?

Resolution

RHOSP is a layered product atop RHEL, and all RHEL servers that might have an interface managed by NetworkManager should be updated as soon as possible.

RHEL's NetworkManager is not used by RHOSP and it is specifically disabled on interfaces managed by RHOSP. Despite this, it is possible for NetworkManager to be installed on systems including a RHOSP deployment. If NetworkManager has been installed and enabled, and one or more interfaces are using DHCP for configuration, a RHOSP deployment is vulnerable to CVE-2018-1111.

Additionally, all RHEL instances and images should be updated as soon as possible to ensure they receive the updated dhclient package. Although network configuration within hosted RHEL instances on a RHOSP deployment is performed by the cloud-init package rather than NetworkManager, instances can still install dhclient, which would make them vulnerable to CVE-2018-1111 (instances often use DHCP for instance network-address assignment).

RHOSP Servers Affected by CVE-2018-1111

In the following instances, RHOSP does not manage network interfaces and NetworkManager may be configured to configure interfaces using DHCP. In these cases, the risk is probably lowered due to proper network design and implementation and the usage of DHCP-allocated addresses on deployed cloud infrastructure is uncommon and unlikely. However, these nodes should still be reviewed.

Undercloud Node (director)

The undercloud can have an external interface that is controlled by NetworkManager and is configured using DHCP. Even then, the undercloud is only vulnerable if an attacker is able to host a rogue DHCP server where protection against DHCP spoofing is not configured, or is able to compromise an authoritative DHCP server and make malicious modifications to configuration.

Overcloud Nodes

Overcloud nodes are provisioned on a private provisioning network. During the initial provisioning of these nodes by Director, NetworkManager and DHCP can be enabled and used for network configuration. During the RHOSP deployment process, NetworkManager is disabled and a static IP address is configured instead. During the short window of time between the initial deployment of the node and network configuration being performed on the deployed instance, the node is vulnerable.

RHOSP Instances

By default, RHOSP instances are not at risk:
The default RHOSP firewall driver is configured to drop any DHCP server messages originating from instances. As a result of this default, it is impossible to successfully exploit the CVE-2018-1111 vulnerability by installing a rogue DHCP server on an instance.
Additional protection is also provided by the port_security_enabled setting which is enabled by default.

However, disabling either of these defaults puts the virtual network at risk.

Recommendation

Regardless of the NetworkManager status, because this is a Critical RHSA, all RHEL systems, instances, and images should be updated as soon as possible.

Root Cause

The DHCP client package dhclient provided by Red Hat has a dispatcher.d script for the NetworkManager component, which is executed each time NetworkManager receives a DHCP response from a DHCP server. A malicious DHCP response could cause the script to execute arbitrary shell commands with root privileges.

Links

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments