Bug 725349 (CVE-2011-2717)

Summary: CVE-2011-2717 dhcpv6: insufficient checking of DHCP options
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: dcantrell, jpopelka
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-03-06 11:58:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 722974

Description Tomas Hoger 2011-07-25 09:23:45 UTC
A missing DHCP option checking / sanitization flaw was reported for multiple DHCP clients.  This flaw may allow a DHCP server to trick DHCP clients into setting e.g. the system hostname to a specially crafted value containing shell special characters.  Various scripts assume that the hostname is trusted, which may lead to code execution when the hostname is specially crafted.

This issue was tracked in bug #689832 for ISC dhclient (CVE-2011-0997), which also discussed a few other affected clients.  This bug is created to track dhcpv6 separately.

The impact for DHCPv6 clients is significantly lower than impact for DHCPv4 clients, as DHCPv6 does not allow passing hostname in the DHCP reply.  DNS domain name search is provided in the DHCPv6 replies.

Comment 1 Tomas Hoger 2011-07-25 10:01:51 UTC
Proposed patch adding check for the domain-search option is attached in the previously mentioned bug #689832:
  https://bugzilla.redhat.com/show_bug.cgi?id=689832#c2

(In reply to comment #0)
> The impact for DHCPv6 clients is significantly lower than impact for DHCPv4
> clients, as DHCPv6 does not allow passing hostname in the DHCP reply.  DNS
> domain name search is provided in the DHCPv6 replies.

There are currently no known good ways to take advantage of the specially-crafted domain name noted as the "search" option value in /etc/resolv.conf.  We have inspected various scripts that update the resolv.conf file, and none of them processes the existing search value insecurely.

The only problematic use that was identified was in shtool's sh.echo script.  This script may possibly use the search value as part of the replacement argument to sed's substitution command.  A specially crafted value can result in sed command execution, which may lead to file overwrite or direct code execution (GNU sed).  This would require shtool's echo to be used with the "%d" construct to request expansion to the host's domain.  Additionally, the domain name extracted from the hostname (only when '%h' is used too) or the domain value from resolv.conf takes precedence over the search value.
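The description and comment 1 above both come down to one control: a client must validate DHCP-supplied names before writing them into /etc/resolv.conf or passing them to scripts. The following is an added example, written for this page and not the dhcpv6 project's own patch nor the one attached to bug #689832. It assumes the option value has already been decoded into the space-separated form used on a resolv.conf "search" line, and accepts only the conventional hostname syntax (letters, digits and hyphens in labels of 1 to 63 octets, dots between labels, at most 253 octets overall, an optional trailing dot); anything else, including shell metacharacters, whitespace and control bytes, is rejected so that it never reaches the file or any script that reads it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the dhcpv6 project's code): syntactic validation of
 * DHCP-supplied domain names before they are written to resolv.conf. */

#define DNS_MAX_NAME  253   /* maximum presentation-form name length */
#define DNS_MAX_LABEL 63    /* maximum octets in one label */

/* Explicit ASCII test so the result does not depend on the C locale. */
static int is_ldh(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* One label: 1..63 octets of letters/digits/hyphen, no leading or trailing hyphen. */
static int label_ok(const char *s, size_t n)
{
    size_t i;
    if (n == 0 || n > DNS_MAX_LABEL)
        return 0;
    if (s[0] == '-' || s[n - 1] == '-')
        return 0;
    for (i = 0; i < n; i++)
        if (!is_ldh((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Validate a name given as a pointer/length pair (no NUL needed). */
static int name_ok_n(const char *name, size_t len)
{
    size_t start = 0, i;
    if (len > 0 && name[len - 1] == '.')
        len--;                          /* accept fully-qualified "example.com." */
    if (len == 0 || len > DNS_MAX_NAME)
        return 0;
    for (i = 0; i <= len; i++) {
        if (i == len || name[i] == '.') {
            if (!label_ok(name + start, i - start))
                return 0;               /* empty label ("a..b") or bad octet */
            start = i + 1;
        }
    }
    return 1;
}

/* Returns 1 if name is a syntactically valid domain name, 0 otherwise. */
int dhcp_domain_name_ok(const char *name)
{
    if (name == NULL)
        return 0;
    return name_ok_n(name, strlen(name));
}

/* A search list is one or more names separated by single spaces.  Every
 * element must validate; empty elements (double or trailing spaces) and an
 * empty list are rejected, so a single bad element poisons nothing. */
int dhcp_domain_search_ok(const char *list)
{
    size_t start = 0, i, len;
    int count = 0;
    if (list == NULL)
        return 0;
    len = strlen(list);
    for (i = 0; i <= len; i++) {
        if (i == len || list[i] == ' ') {
            if (i == start || !name_ok_n(list + start, i - start))
                return 0;
            count++;
            start = i + 1;
        }
    }
    return count > 0;
}

int main(void)
{
    /* Constructed sample option values, not captured from a real server. */
    const char *samples[] = {
        "corp.example.com example.net",   /* benign search list */
        "example.com.",                   /* fully qualified, benign */
        "corp.example.com bad;id",        /* shell metacharacter in a label */
        "-leading.example.com",           /* malformed label */
        "",                               /* empty option */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s\n", samples[i],
               dhcp_domain_search_ok(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The rejecting path is the important one: a client that drops the whole option and logs it keeps the previous resolv.conf contents, which is preferable to writing a partially filtered value that a later script might still interpret.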