Red Hat recently announced a severe vulnerability in its DHCP client. The flaw, CVE-2018-1111, could be exploited by malicious actors to execute arbitrary commands with administrator privileges on specific systems.
Felix Wilhelm, a member of Google's information security team, found a critical remote command injection vulnerability in the DHCP client implementation of Red Hat Linux; the problem also affects other distributions, such as Fedora.
Malicious hackers could exploit the vulnerability, CVE-2018-1111, to execute arbitrary commands with administrator privileges on specific systems.
“Red Hat is aware of a command injection vulnerability found in a script included in the DHCP client packages on Red Hat Enterprise Linux 6 and 7,” says the Red Hat security advisory.
“A malicious DHCP server, or a malicious actor in the local network capable of impersonating DHCP responses, can use this vulnerability to execute arbitrary commands with administrator privileges on systems using NetworkManager that is configured to obtain network configuration using the protocol DHCP.”
Information security professionals comment that the DHCP (Dynamic Host Configuration Protocol) client application receives the network configuration parameters, including the IP address and DNS servers, from the DHCP server.
The CVE-2018-1111 command injection flaw resides in the NetworkManager integration script included in the DHCP client packages on Red Hat Enterprise Linux.
The information security researcher Barkın Kılıç published a PoC for CVE-2018-1111, in which the attacker can be seen obtaining a shell as root.
Felix Wilhelm did not show PoC exploit code, but said that it is so short that it can even fit in a tweet.
The security expert said that an attacker operating a malicious DHCP server, or connected to the same network as the victim, can exploit this vulnerability by falsifying DHCP responses, and so execute arbitrary commands with administrator privileges on the victim's system running the vulnerable DHCP client.
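Because every option value in a DHCP response is attacker-controlled input, a monitoring tool can treat it as such. The following is an added example, not code from Red Hat or the researchers: it walks the options field of a DHCP message (RFC 2132 layout) and reports printable values containing characters outside a conservative allowlist. The allowlist, the function names and the sample bytes are assumptions constructed for illustration.

```python
import string

# Assumption: conservative allowlist for textual option values (names, paths).
SAFE_CHARS = set(string.ascii_letters + string.digits + " .-_:/,")
PAD, END = 0, 255  # RFC 2132 single-byte options that carry no length field
MAGIC_COOKIE = bytes([99, 130, 83, 99])  # precedes the options field


def iter_options(field):
    """Yield (code, value) from a DHCP options field (RFC 2132 TLV layout)."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i = 4
    while i < len(field) and field[i] != END:
        code = field[i]
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(field) or i + 2 + field[i + 1] > len(field):
            raise ValueError(f"option {code} truncated")
        length = field[i + 1]
        yield code, field[i + 2:i + 2 + length]
        i += 2 + length


def suspicious_options(field):
    """Return [(code, text)] for printable values with non-allowlisted chars."""
    hits = []
    for code, value in iter_options(field):
        # Binary values (packed IPs, lease times) are skipped: only values
        # made entirely of printable ASCII are treated as text.
        if value and all(0x20 <= b <= 0x7E for b in value):
            text = value.decode("ascii")
            if not set(text) <= SAFE_CHARS:
                hits.append((code, text))
    return hits


def opt(code, value):
    return bytes([code, len(value)]) + value

# Constructed sample options field, not captured traffic.
SAMPLE = (MAGIC_COOKIE + opt(53, b"\x05") + opt(6, bytes([10, 0, 0, 53]))
          + opt(15, b"lab.example.test")
          + opt(12, b"host$(placeholder)") + bytes([END]))

if __name__ == "__main__":
    for code, text in suspicious_options(SAMPLE):
        print(f"option {code}: unexpected characters in {text!r}")
```

A hit is a prompt for review rather than proof of exploitation, and the check complements updating the DHCP client packages; it does not replace it.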
As mentioned in the security advisory, the vulnerability affects Red Hat Enterprise Linux 6 and 7. It is recommended that administrators update their packages to the newer versions as soon as possible.
Red Hat also said, “Users also have the option to remove or disable the vulnerable script, but this will prevent some configuration parameters provided by the DHCP server from being configured on a local system, such as the addresses of local servers in NTP or NIS.”
The information security expert said that some Linux distros, like OpenSUSE and Ubuntu, are not affected by the vulnerability because their DHCP client implementation doesn’t include the NetworkManager integration script by default. The full list of affected RHEL versions, according to the experts:
Advanced Update Support 6.4; Extended Update Support 7.3; Advanced Update Support 6.6; Red Hat Enterprise Linux 6; Extended Update Support 6.7; Advanced Update Support 7.2; Server TUS (v.6.6); RHEL 7; Extended Update Support 7.4; Virtualization 4 Management Agent for RHEL 7 Hosts; Advanced Update Support 6.5; and Linux Server TUS (v. 7.2).
Other affected services include the Red Hat update for SAP Solutions in the x86 and IBM Power architectures. Fedora has already released new versions of DHCP packages containing fixes for Fedora 26, 27 and 28.