CVE-2011-0997
Published: 2011-04-08
Priority: high (CVSS 2.0 base score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: EXPLOIT
EPSS: 84.29% (99.7th percentile)
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script.
Affected (24 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | isc-dhcp | < 4.1.1-P1-16.1 (bookworm) | 4.1.1-P1-16.1 (bookworm) |
| isc | dhcp | — | — |
(Identical rows carrying no version data have been collapsed; the ISC version ranges are the ones given in the description above.)
Detection & IOCs (extracted from sources)
- CVE-2011-0997 is triggered by shell metacharacters in the DHCP host-name field (option 12); monitor DHCP requests and responses whose hostname value contains shell special characters (semicolons, backticks, pipes, `$(...)`) that dhclient passes unsanitized to dhclient-script.
- The inverse vector (CVE-2011-0997 style) is a DHCP client sending a crafted host-name option with shell metacharacters to a vulnerable dhcpd server; inspect DHCP Discover/Request packets for shell metacharacters in the host-name option.
- Exploitation yields arbitrary command execution as root via dhclient-script; look for unexpected child processes whose parent is dhclient or dhclient-script.
- The busybox udhcpc client is affected by the same class of flaw (CVE-2011-2716): DHCP options reach external scripts through environment variables without sanitization, so monitor for shell metacharacters in any DHCP option that udhcpc exports to its script environment.
- Affected ISC DHCP versions are 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2; scope detections to these versions.
- Red Hat Enterprise Linux busybox udhcpc does not ship an external script that sets the hostname, so exploitation via udhcpc does not apply directly on RHEL even though the binary is present.
- On Ubuntu 9.10 and higher the initial patch (USN-1108-1) was not applied correctly and a second update (USN-1108-2) was needed; verify the corrected package is installed.
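A small detector for the monitoring guidance above, added here as an example and not code from any of the page's sources. It parses the DHCPv4 option area (RFC 2132 TLV encoding after the 236-byte BOOTP header and magic cookie) out of a raw UDP payload and flags a host-name option (code 12) that carries shell metacharacters; the metacharacter set and the `build_dhcp_packet` helper that constructs sample packets are assumptions for this example.

```python
import re
import struct

# Shell metacharacters named in the detection guidance above (assumed set).
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r'\"\\]")

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie after the 236-byte BOOTP header
HOST_NAME_OPTION = 12               # RFC 2132 "Host Name" option


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: value_bytes} from a raw DHCPv4 payload (UDP data)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def suspicious_hostname(packet: bytes):
    """Return the host-name string if it carries shell metacharacters, else None."""
    name = parse_dhcp_options(packet).get(HOST_NAME_OPTION)
    if name is None:
        return None
    text = name.decode("latin-1")   # never raises; keeps every byte visible
    return text if SHELL_META.search(text) else None


def build_dhcp_packet(options: dict) -> bytes:
    """Constructed test helper: zeroed BOOTP header + magic cookie + TLV options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(v)]) + v for code, v in options.items())
    return header + DHCP_MAGIC + body + b"\xff"
```

Feed `suspicious_hostname` the UDP payload of captured port 67/68 traffic; it works for both server replies (the CVE-2011-0997 direction) and client requests (the inverse direction in the second bullet).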
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-hhcj-97jg-v79c: dhclient in ISC DHCP 3
ghsa_unreviewed · 2022-05-13 · CVE-2011-0997 · HIGH · CWE-20
Description identical to the NVD text above.
OSV
CVE-2011-0997: dhclient in ISC DHCP 3
osv · 2011-04-08 · CVSS 7.5 · HIGH
Description identical to the NVD text above.
Ubuntu
DHCP vulnerability
vendor_ubuntu · 2011-04-19 · CVE-2011-0997
Summary: An attacker's DHCP server could send crafted responses to your computer and cause it to run programs as root.
USN-1108-1 fixed vulnerabilities in DHCP. Due to an error, the patch to fix the vulnerability was not properly applied on Ubuntu 9.10 and higher. This update fixes the problem.
Original advisory details: Sebastian Krahmer discovered that the dhclient utility incorrectly filtered crafted responses. An attacker could use this flaw with a malicious DHCP server to execute arbitrary code, resulting in root privilege escalation.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
DHCP vulnerability
vendor_ubuntu · 2011-04-11 · CVE-2011-0997
Summary: An attacker's DHCP server could send crafted responses to your computer and cause it to run programs as root.
Sebastian Krahmer discovered that the dhclient utility incorrectly filtered crafted responses. An attacker could use this flaw with a malicious DHCP server to execute arbitrary code, resulting in root privilege escalation.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
dhclient: insufficient sanitization of certain DHCP response values
vendor_redhat · 2011-04-05 · CVSS 7.5 · HIGH · CWE-78 · CVE-2011-0997
Description identical to the NVD text above.
Debian
CVE-2011-0997: isc-dhcp - dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV...
vendor_debian · 2011 · CVSS 7.5 · HIGH
Description identical to the NVD text above.
Scope: local
- bookworm: resolved (fixed in 4.1.1-P1-16.1)
- bullseye: resolved (fixed in 4.1.1-P1-16.1)
- sid: resolved (fixed in 4.1.1-P1-16.1)
- trixie: resolved (fixed in 4.1.1-P1-16.1)
No detection rules found.
Bugzilla
CVE-2011-2716 busybox: udhcpc insufficient checking of DHCP options
bugzilla · 2011-07-25 · CVSS 7.5 · HIGH
A missing DHCP option checking/sanitization flaw was reported for multiple DHCP clients. This flaw may allow a DHCP server to trick DHCP clients into setting, e.g., the system hostname to a specially crafted value containing shell special characters. Various scripts assume that the hostname is trusted, which may lead to code execution when the hostname is specially crafted.
This issue was tracked in bug #689832 for ISC dhclient (CVE-2011-0997), which also discussed a few other affected clients. This bug was created to track busybox's udhcpc separately.
Upstream bug report: https://bugs.busybox.net/show_bug.cgi?id=3979
The busybox version in Red Hat Enterprise Linux 4 is not compiled with support for udhcpc. Version shipped with Red Hat Enter
Bugzilla
CVE-2011-2717 dhcpv6: insufficient checking of DHCP options
bugzilla · 2011-07-25 · CVSS 7.5 · HIGH
A missing DHCP option checking/sanitization flaw was reported for multiple DHCP clients. This flaw may allow a DHCP server to trick DHCP clients into setting, e.g., the system hostname to a specially crafted value containing shell special characters. Various scripts assume that the hostname is trusted, which may lead to code execution when the hostname is specially crafted.
This issue was tracked in bug #689832 for ISC dhclient (CVE-2011-0997), which also discussed a few other affected clients. This bug was created to track dhcpv6 separately.
The impact for DHCPv6 clients is significantly lower than for DHCPv4 clients, as DHCPv6 does not allow passing a hostname in the DHCP reply. The DNS domain search list is provided in DHCPv6 replies.
Discu
Bugzilla
CVE-2011-0997 dhclient: insufficient sanitization of certain DHCP response values [fedora-all]
bugzilla · 2011-04-06 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=689832
Please note: this is
Bugzilla
CVE-2011-0997 dhclient: insufficient sanitization of certain DHCP response values
bugzilla · 2011-03-22 · CVSS 7.5 · HIGH
Sebastian Krahmer of the SUSE security team noticed that DHCP clients fail to sanitize certain values supplied by DHCP servers during the DHCP exchange. An example of such a value is the hostname configured on the DHCP client. Various scripts assume the hostname is trusted and do not sufficiently escape or quote it. A malicious DHCP server can use this to execute arbitrary code on the DHCP client by supplying a specially crafted hostname.
Acknowledgement: Red Hat would like to thank Sebastian Krahmer of the SuSE Security Team for reporting this issue.
Discussion:
Created attachment 486815
Proposed patch for ISC dhclient
Created by Marius Tomaschewski of SUSE.
---
Created attachment 486816
Proposed patch for
arXiv
Cleaning the NVD: Comprehensive Quality Assessment, Improvements, and Analyses
arxiv_fulltext · 2020-06-26
Authors: Afsah Anwar (University of Central Florida), Ahmed Abusnaina (University of Central Florida), Songqing Chen (George Mason University), Frank Li (Georgia Institute of Technology), David Mohaisen (University of Central Florida)
## Abstract
Vulnerability databases are vital sources of information on emergent software security concerns. Security professionals, from system administrators to developers to researchers, heavily depend on these databases to track vulnerabilities and analyze security trends. How reliable and accurate are these databases though?
In this paper, we explore this questio
References
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
- http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057888.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058279.html
- http://marc.info/?l=bugtraq&m=133226187115472&w=2
- http://secunia.com/advisories/44037
- http://secunia.com/advisories/44048
- http://secunia.com/advisories/44089
- http://secunia.com/advisories/44090
- http://secunia.com/advisories/44103
- http://secunia.com/advisories/44127
- http://secunia.com/advisories/44180
- http://security.gentoo.org/glsa/glsa-201301-06.xml
- http://securitytracker.com/id?1025300
- http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.593345
- http://www.debian.org/security/2011/dsa-2216
- http://www.debian.org/security/2011/dsa-2217
- http://www.kb.cert.org/vuls/id/107886
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:073
- http://www.osvdb.org/71493
- http://www.redhat.com/support/errata/RHSA-2011-0428.html
- http://www.redhat.com/support/errata/RHSA-2011-0840.html
- http://www.securityfocus.com/bid/47176
- http://www.ubuntu.com/usn/USN-1108-1
- http://www.vupen.com/english/advisories/2011/0879
- http://www.vupen.com/english/advisories/2011/0886
- http://www.vupen.com/english/advisories/2011/0909
- http://www.vupen.com/english/advisories/2011/0915
- http://www.vupen.com/english/advisories/2011/0926
- http://www.vupen.com/english/advisories/2011/0965
- http://www.vupen.com/english/advisories/2011/1000
- https://bugzilla.redhat.com/show_bug.cgi?id=689832
- https://exchange.xforce.ibmcloud.com/vulnerabilities/66580
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12812
- https://www.exploit-db.com/exploits/37623/
- https://www.isc.org/software/dhcp/advisories/cve-2011-0997