DHCP Client Script Code Execution Vulnerability - CVE-2018-1111
Red Hat has been made aware of a command injection flaw found in a script included in the DHCP client (dhclient) packages in Red Hat Enterprise Linux 6 and 7.
A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager which is configured to obtain network configuration using the DHCP protocol.
The DHCP protocol is used to configure network-related information in hosts from a central server. When a host is connected to a network, it can issue DHCP requests to fetch network configuration parameters such as IP address, default router IP, DNS servers, and more.
The DHCP client package dhclient provided by Red Hat has a script /etc/NetworkManager/dispatcher.d/11-dhclient (in Red Hat Enterprise Linux 7) or /etc/NetworkManager/dispatcher.d/10-dhclient (in Red Hat Enterprise Linux 6) for the NetworkManager component, which is executed each time NetworkManager receives a DHCP response from a DHCP server. A malicious DHCP response could cause the script to execute arbitrary shell commands with root privileges.
Red Hat would like to thank Felix Wilhelm from the Google Security Team for reporting this flaw.
In DHCP based environments where NetworkManager is used by default, installing updated DHCP packages is strongly recommended.
Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers. Red Hat strongly recommends updating to packages which resolve this issue as soon as possible.
Systems using static IP configuration are not affected by this issue. Systems using dynamic IP configuration from a DHCP server that do not use NetworkManager and use initrc scripts are also not affected, as the vulnerable script is not executed.
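A file-system check for the conditions described above, as an added example that is not part of the Red Hat advisory: it reports whether either dispatcher script named in the advisory is present and executable, and whether an ifcfg profile requests DHCP without opting out of NetworkManager. The function name, the optional root argument, the result strings and the treatment of a cleared execute bit as "disabled" are assumptions of this example; it cannot tell whether the dhclient package has already been updated.

```shell
#!/bin/sh
# Added example: classify where a host stands with respect to CVE-2018-1111.
# Prints one of: absent | disabled | active-no-dhcp-ifcfg | active-dhcp
# $1 is a hypothetical root prefix (default "/") so a mounted image can be checked.
dhclient_exposure() {
    root="${1:-/}"
    root="${root%/}"
    found=""
    active=""
    # Script names as given in the advisory (RHEL 7, then RHEL 6).
    for s in 11-dhclient 10-dhclient; do
        p="$root/etc/NetworkManager/dispatcher.d/$s"
        [ -f "$p" ] || continue
        found=yes
        # Assumption: the dispatcher only runs executable files, so a script
        # with its execute bits cleared is treated as disabled.
        if [ -x "$p" ]; then active="$p"; fi
    done
    if [ -z "$found" ]; then echo "absent"; return 0; fi
    if [ -z "$active" ]; then echo "disabled"; return 0; fi
    # Static IP configuration is not affected, and neither are interfaces that
    # NetworkManager does not manage: look for BOOTPROTO=dhcp profiles that
    # are not marked NM_CONTROLLED=no.
    for cfg in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        [ -f "$cfg" ] || continue
        grep -Eqi "^[[:space:]]*BOOTPROTO=[\"']?dhcp" "$cfg" || continue
        if grep -Eqi "^[[:space:]]*NM_CONTROLLED=[\"']?no" "$cfg"; then
            continue
        fi
        echo "active-dhcp"
        return 0
    done
    # No DHCP ifcfg profile was found. NetworkManager can hold connection
    # profiles elsewhere, so this result still calls for the package update.
    echo "active-no-dhcp-ifcfg"
    return 0
}

# Stand-alone use: check the running system, or the tree given as $1.
dhclient_exposure "${1:-/}"
```

A result of `active-dhcp` marks a host where the script is in the execution path for DHCP responses; confirm there that the updated dhclient package is installed.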
Red Hat Product Security has rated this issue (CVE-2018-1111) as having a security impact of Critical.
The following Red Hat product versions are impacted:
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Server 7
Red Hat Enterprise Virtualization 4.1 Hypervisor and Management Appliance include the vulnerable script, but it is not used: for RHV-M the NetworkManager service is turned off by default, and in the Hypervisor, NetworkManager with DHCP is an unsupported configuration. Red Hat Enterprise Virtualization 4.2 includes the updated packages that address this flaw.
OpenShift Container Platform nodes will need to apply updates from the RHEL channels. OpenShift Online nodes are not vulnerable due to the VPC (virtual private cloud) mitigating the flaw.
The upstream dhcp project (http://www.isc.org/downloads/DHCP/) does not provide the impacted script and is not impacted by this flaw.