Bug 1567974 (CVE-2018-1111)

| Summary: | CVE-2018-1111 dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | unspecified | CC: | bmcclain, cperry, dblechte, dcantrell, eedri, gmollett, istojmir, jpopelka, kgrant, lpol, lrock, mgoldboi, michal.skrivanek, noobusinghacks, omejzlik, pbrobinson, pemensik, psklenar, pzhukov, rcosta, sbonazzo, security-response-team, sherold, slawomir, thozza, ykaul, ylavi, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-05-17 08:21:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1570894, 1570895, 1570896, 1570897, 1570898, 1570899, 1570900, 1571949, 1571950, 1571951, 1571952, 1572194, 1574837, 1578362, 1578363 | | |
| Bug Blocks: | 1567979 | | |
Description

Adam Mariš 2018-04-16 13:57:43 UTC

Acknowledgments:

Name: Felix Wilhelm (Google Security Team)

Mitigation:

Please access https://access.redhat.com/security/vulnerabilities/3442151 for information on how to mitigate this issue.

External References:

https://access.redhat.com/security/vulnerabilities/3442151

(In reply to Adam Mariš from comment #0)
> A command injection vulnerability was found in 11-dhclient script provided
> by dhcp-client located in /etc/NetworkManager/dispatcher.d/11-dhclient.

The script and package name slightly differ between Red Hat Enterprise Linux and Fedora versions:

- In Red Hat Enterprise Linux 6, the script is included in the dhclient package and is located in /etc/NetworkManager/dispatcher.d/10-dhclient
- In Red Hat Enterprise Linux 7, the script is included in the dhclient package and is located in /etc/NetworkManager/dispatcher.d/11-dhclient
- In the current Fedora versions, the script is included in the dhcp-client package and is located in /etc/NetworkManager/dispatcher.d/11-dhclient

The DHCP client package was renamed from dhclient to dhcp-client in Fedora 22:
https://src.fedoraproject.org/cgit/rpms/dhcp.git/commit/?id=a0d47e7ac135c54863cb164adb811443f676aa17

Created dhcp tracking bugs for this issue:

Affects: fedora-all [bug 1578362]

This issue has been addressed in the following products:

- Red Hat Enterprise Linux 7: Via RHSA-2018:1453 https://access.redhat.com/errata/RHSA-2018:1453
- Red Hat Enterprise Linux 6: Via RHSA-2018:1454 https://access.redhat.com/errata/RHSA-2018:1454
- Red Hat Enterprise Linux 7.4 Extended Update Support: Via RHSA-2018:1455 https://access.redhat.com/errata/RHSA-2018:1455
- Red Hat Enterprise Linux 7.3 Extended Update Support: Via RHSA-2018:1456 https://access.redhat.com/errata/RHSA-2018:1456
- Red Hat Enterprise Linux 6.7 Extended Update Support: Via RHSA-2018:1458 https://access.redhat.com/errata/RHSA-2018:1458
- Red Hat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.2 Telco Extended Update Support: Via RHSA-2018:1457 https://access.redhat.com/errata/RHSA-2018:1457
- Red Hat Enterprise Linux 6.5 Advanced Update Support: Via RHSA-2018:1460 https://access.redhat.com/errata/RHSA-2018:1460
- Red Hat Enterprise Linux 6.4 Advanced Update Support: Via RHSA-2018:1461 https://access.redhat.com/errata/RHSA-2018:1461
- Red Hat Enterprise Linux 6.6 Advanced Update Support, Red Hat Enterprise Linux 6.6 Telco Extended Update Support: Via RHSA-2018:1459 https://access.redhat.com/errata/RHSA-2018:1459
- Red Hat Virtualization 4 for RHEL-7: Via RHSA-2018:1524 https://access.redhat.com/errata/RHSA-2018:1524

Statement:

Red Hat has been made aware of a vulnerability affecting the DHCP client packages as shipped with Red Hat Enterprise Linux 6 and 7. This vulnerability CVE-2018-1111 was rated as having a security impact of Critical. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

Red Hat Enterprise Virtualization 4.1 includes the vulnerable components, but the default configuration is not impacted because NetworkManager is turned off in the Management Appliance, and not used in conjunction with DHCP in the Hypervisor. Customers can still obtain the updated packages from Red Hat Enterprise Linux channels using `yum update`, or upgrade to Red Hat Enterprise Virtualization 4.2, which includes the fixed packages. Red Hat Enterprise Virtualization 3.6 is not vulnerable as it does not use DHCP.

This issue has been addressed in the following products:

- Red Hat Virtualization 4 Management Appliance: Via RHSA-2018:1525 https://access.redhat.com/errata/RHSA-2018:1525

ISC, upstream for the ISC DHCP client and server implementation that is used in Red Hat Enterprise Linux, issued a statement confirming that this issue does not affect upstream packages, as the flaw is in the additional NetworkManager integration script that was written for use in Fedora and Red Hat Enterprise Linux:
https://lists.isc.org/pipermail/dhcp-users/2018-May/021250.html
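An added, defender-side exposure check that is not part of this Bugzilla report: the POSIX shell script below maps the running RHEL 6/7 or Fedora release to the package and dispatcher-script path listed above, looks for the CVE id in that package's rpm changelog, and applies the reasoning from the Red Hat Virtualization statement (NetworkManager switched off means the integration script is not reached). It assumes rpm, /etc/os-release (or /etc/redhat-release on RHEL 6) and systemctl or the SysV `service` wrapper are available, and that the errata build's changelog cites CVE-2018-1111.

```shell
#!/bin/sh
# Added example, not the report's own code: read-only CVE-2018-1111 exposure
# check for a RHEL 6/7 or Fedora host. Assumes rpm, /etc/os-release (or
# /etc/redhat-release on RHEL 6), and that the fixed package cites the CVE id.

# Package and dispatcher script path as listed in the report, keyed by distro
# id and major version. Prints "package:path"; returns 1 when not covered.
# Fedora before the dhclient -> dhcp-client rename (Fedora 22) is assumed EOL.
dhcp_script_for() {
    case "$1:$2" in
        rhel:6)   echo "dhclient:/etc/NetworkManager/dispatcher.d/10-dhclient" ;;
        rhel:7)   echo "dhclient:/etc/NetworkManager/dispatcher.d/11-dhclient" ;;
        fedora:*) echo "dhcp-client:/etc/NetworkManager/dispatcher.d/11-dhclient" ;;
        *)        return 1 ;;
    esac
}

# Reads an rpm changelog on stdin; succeeds if some entry cites the CVE.
changelog_fixed() { grep -q 'CVE-2018-1111'; }

# Pure decision logic (all arguments yes/no), kept separate so it is testable.
# NetworkManager off is reported as mitigated, matching the RHV statement above.
# Exits 1 only for "exposed" so the function can drive scripted checks.
exposure_verdict() {
    nm_active=$1; script_present=$2; fix_in_changelog=$3
    if [ "$fix_in_changelog" = yes ]; then echo fixed; return 0; fi
    if [ "$script_present" = no ]; then echo not-installed; return 0; fi
    if [ "$nm_active" = no ]; then echo mitigated-nm-off; return 0; fi
    echo exposed; return 1
}

# Collect the three observations from the live host and print the verdict.
check_host() {
    ID=; VERSION_ID=
    if [ -r /etc/os-release ]; then . /etc/os-release
    elif grep -q 'Red Hat Enterprise Linux.*release 6' /etc/redhat-release 2>/dev/null; then
        ID=rhel; VERSION_ID=6    # RHEL 6 ships no /etc/os-release
    fi
    spec=$(dhcp_script_for "$ID" "${VERSION_ID%%.*}") || { echo unknown; return 0; }
    pkg=${spec%%:*}; script=${spec#*:}
    present=no; [ -e "$script" ] && present=yes
    fixed=no; rpm -q --changelog "$pkg" 2>/dev/null | changelog_fixed && fixed=yes
    nm=no
    if systemctl is-active --quiet NetworkManager 2>/dev/null \
        || service NetworkManager status >/dev/null 2>&1; then nm=yes; fi
    exposure_verdict "$nm" "$present" "$fixed"
}

check_host
```

The verdict "exposed" is the only one that needs action; "unknown" means the host is not one of the releases the report covers.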