Bug 1567974 (CVE-2018-1111) - CVE-2018-1111 dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script
Summary: CVE-2018-1111 dhcp: Command injection vulnerability in the DHCP client Networ...
Status: CLOSED ERRATA
Alias: CVE-2018-1111
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=critical,public=20180515:1200,...
Keywords: Security
Depends On: 1570894 1570895 1570896 1570897 1570898 1570899 1570900 1571949 1571950 1571951 1571952 1572194 1574837 1578362 1578363
Blocks: 1567979
TreeView+ depends on / blocked
 
Reported: 2018-04-16 13:57 UTC by Adam Mariš
Modified: 2019-05-16 08:17 UTC (History)
28 users (show)

(edit)
A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.
Clone Of:
(edit)
Last Closed: 2018-05-17 08:21:07 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1453 None None None 2018-05-15 15:01 UTC
Red Hat Product Errata RHSA-2018:1454 None None None 2018-05-15 15:02 UTC
Red Hat Product Errata RHSA-2018:1455 None None None 2018-05-15 15:01 UTC
Red Hat Product Errata RHSA-2018:1456 None None None 2018-05-15 15:01 UTC
Red Hat Product Errata RHSA-2018:1457 None None None 2018-05-15 15:02 UTC
Red Hat Product Errata RHSA-2018:1458 normal SHIPPED_LIVE Critical: dhcp security update 2018-05-15 19:07:51 UTC
Red Hat Product Errata RHSA-2018:1459 None None None 2018-05-15 15:02 UTC
Red Hat Product Errata RHSA-2018:1460 None None None 2018-05-15 15:05 UTC
Red Hat Product Errata RHSA-2018:1461 None None None 2018-05-15 15:03 UTC
Red Hat Product Errata RHSA-2018:1524 None None None 2018-05-15 17:40 UTC

Description Adam Mariš 2018-04-16 13:57:43 UTC
A command injection vulnerability was found in 11-dhclient script provided by dhcp-client located in /etc/NetworkManager/dispatcher.d/11-dhclient. Attacker in local network who is able to spoof DHCP responses or malicious DHCP server can execute arbitrary commands run with root privileges on client system by exploiting this vulnerability.

Comment 1 Adam Mariš 2018-04-16 13:57:46 UTC
Acknowledgments:

Name: Felix Wilhelm (Google Security Team)

Comment 22 Richard Maciel Costa 2018-05-14 14:06:52 UTC
Mitigation:

Please access https://access.redhat.com/security/vulnerabilities/3442151 for information on how to mitigate this issue.

Comment 23 Yogendra Jog 2018-05-14 15:58:59 UTC
External References:

https://access.redhat.com/security/vulnerabilities/3442151

Comment 26 Tomas Hoger 2018-05-15 07:15:47 UTC
(In reply to Adam Mariš from comment #0)
> A command injection vulnerability was found in 11-dhclient script provided
> by dhcp-client located in /etc/NetworkManager/dispatcher.d/11-dhclient.

The script and package name slightly differs between Red Hat Enterprise Linux and Fedora versions:

- In Red Hat Enterprise Linux 6, the script is included in the dhclient package and is located in /etc/NetworkManager/dispatcher.d/10-dhclient

- In Red Hat Enterprise Linux 7, the script is included in the dhclient package and is located in /etc/NetworkManager/dispatcher.d/11-dhclient

- In the current Fedora versions, the script is included in the dhcp-client package and is located in /etc/NetworkManager/dispatcher.d/11-dhclient

The DHCP client package was renamed from dhclient to dhcp-client in Fedora 22:

https://src.fedoraproject.org/cgit/rpms/dhcp.git/commit/?id=a0d47e7ac135c54863cb164adb811443f676aa17

Comment 27 Richard Maciel Costa 2018-05-15 12:03:18 UTC
Created dhcp tracking bugs for this issue:

Affects: fedora-all [bug 1578362]

Comment 29 errata-xmlrpc 2018-05-15 15:01:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1453 https://access.redhat.com/errata/RHSA-2018:1453

Comment 30 errata-xmlrpc 2018-05-15 15:01:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1454 https://access.redhat.com/errata/RHSA-2018:1454

Comment 31 errata-xmlrpc 2018-05-15 15:01:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2018:1455 https://access.redhat.com/errata/RHSA-2018:1455

Comment 32 errata-xmlrpc 2018-05-15 15:01:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1454 https://access.redhat.com/errata/RHSA-2018:1454

Comment 33 errata-xmlrpc 2018-05-15 15:01:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2018:1456 https://access.redhat.com/errata/RHSA-2018:1456

Comment 34 errata-xmlrpc 2018-05-15 15:01:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:1458 https://access.redhat.com/errata/RHSA-2018:1458

Comment 35 errata-xmlrpc 2018-05-15 15:02:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1454 https://access.redhat.com/errata/RHSA-2018:1454

Comment 36 errata-xmlrpc 2018-05-15 15:02:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.2 Telco Extended Update Support

Via RHSA-2018:1457 https://access.redhat.com/errata/RHSA-2018:1457

Comment 37 errata-xmlrpc 2018-05-15 15:02:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2018:1460 https://access.redhat.com/errata/RHSA-2018:1460

Comment 38 errata-xmlrpc 2018-05-15 15:02:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2018:1461 https://access.redhat.com/errata/RHSA-2018:1461

Comment 39 errata-xmlrpc 2018-05-15 15:02:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2018:1459 https://access.redhat.com/errata/RHSA-2018:1459

Comment 40 errata-xmlrpc 2018-05-15 15:02:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2018:1460 https://access.redhat.com/errata/RHSA-2018:1460

Comment 41 errata-xmlrpc 2018-05-15 15:03:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2018:1461 https://access.redhat.com/errata/RHSA-2018:1461

Comment 42 errata-xmlrpc 2018-05-15 15:03:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2018:1460 https://access.redhat.com/errata/RHSA-2018:1460

Comment 43 errata-xmlrpc 2018-05-15 15:05:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2018:1460 https://access.redhat.com/errata/RHSA-2018:1460

Comment 44 errata-xmlrpc 2018-05-15 17:40:48 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1524 https://access.redhat.com/errata/RHSA-2018:1524

Comment 47 Doran Moppert 2018-05-16 10:09:55 UTC
Statement:

Red Hat has been made aware of a vulnerability affecting the DHCP client packages as shipped with Red Hat Enterprise Linux 6 and 7. This vulnerability CVE-2018-1111 was rated as having a security impact of Critical. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

Red Hat Enterprise Virtualization 4.1 includes the vulnerable components, but the default configuration is not impacted because NetworkManager is turned off in the Management Appliance, and not used in conjunction with DHCP in the Hypervisor. Customers can still obtain the updated packages from Red Hat Enterprise Linux channels using `yum update`, or upgrade to Red Hat Enterprise Virtualization 4.2, which includes the fixed packages.

Red Hat Enterprise Virtualization 3.6 is not vulnerable as it does not use DHCP.

Comment 48 Doran Moppert 2018-05-16 11:20:03 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 Management Appliance

Via RHSA-2018:1525 https://access.redhat.com/errata/RHSA-2018:1525

Comment 49 Tomas Hoger 2018-05-17 08:04:13 UTC
ISC, upstream for the ISC DHCP client and server implementation that is used in Red Hat Enterprise Linux, issued a statement confirming that this issue does not affect upstream packages, as the flaw is in the additional NetworkManager integration script that was written for use in Fedora and Red Hat Enterprise Linux:

https://lists.isc.org/pipermail/dhcp-users/2018-May/021250.html


Note You need to log in before you can comment on or make changes to this bug.