CVE-2011-0997
published 2011-04-08

CVE-2011-0997: dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary…

Priority: P274 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 84.29% (99.7th percentile)
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script.

Affected

24 ranges
Vendor | Product | Version range | Fixed in
canonical | ubuntu_linux
canonical | ubuntu_linux
canonical | ubuntu_linux
canonical | ubuntu_linux
canonical | ubuntu_linux
debian | debian_linux
debian | debian_linux
debian | debian_linux
debian | isc-dhcp | < isc-dhcp 4.1.1-P1-16.1 (bookworm) | isc-dhcp 4.1.1-P1-16.1 (bookworm)
isc | dhcp
isc | dhcp
isc | dhcp
isc | dhcp
isc | dhcp
isc | dhcp
isc | dhcp
isc | dhcp
isc | dhcp
isc | dhcp
isc | dhcp
isc | dhcp
isc | dhcp
isc | dhcp
isc | dhcp

Detection & IOCs (extracted from sources)

command: send host-name ";/sbin/reboot";
  • CVE-2011-0997 exploits shell metacharacters injected into the DHCP hostname field (option 12); monitor DHCP responses/requests where the hostname value contains shell special characters (e.g. semicolons, backticks, pipes, $(...)) that are passed unsanitized to dhclient-script.
  • The inverse attack vector (CVE-2011-0997 style) can originate from a DHCP client sending a crafted host-name option with shell metacharacters to a vulnerable DHCPD server; inspect DHCP Discover/Request packets for shell metacharacters in the hostname option.
  • Exploitation results in arbitrary command execution with root privileges via dhclient-script; look for unexpected process spawning from dhclient or dhclient-script parent processes.
  • The busybox udhcpc client is also affected by the same class of vulnerability (CVE-2011-2716); DHCP options are passed to external scripts via environment variables without sanitization — monitor for shell metacharacters in any DHCP option set via udhcpc environment.
  • Affected ISC DHCP versions are 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2; detections should be scoped to these versions.
  • Red Hat Enterprise Linux busybox udhcpc does not ship an external script that sets the DHCP hostname, so exploitation via udhcpc is not directly applicable on RHEL despite the binary being present.
  • On Ubuntu 9.10 and higher, the initial patch (USN-1108-1) was not properly applied; a second update (USN-1108-2) was required. Ensure the corrected package is installed.
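
The hostname check described in the bullets above, as an added example that is not taken from the sources this page quotes: it parses the options area of a captured BOOTP/DHCP payload and flags text options whose value contains anything outside a hostname-safe character set. It goes slightly beyond the bullets by using an allow-list rather than a list of metacharacters and by also checking option 15 (domain-name); the function names, the allow-list and the sample messages are assumptions constructed for illustration.

```python
import string

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options area
# Text options checked here (codes per RFC 2132); 12 is the host-name option.
TEXT_OPTIONS = {12: "host-name", 15: "domain-name"}
# Assumed allow-list: any character outside it is reported.
SAFE = set(string.ascii_letters + string.digits + ".-_")

def parse_options(payload: bytes) -> dict:
    """Return {option code: raw value} from a BOOTP/DHCP payload (UDP data)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value  # repeated codes are concatenated
        i += 2 + length
    return opts

def suspicious_options(payload: bytes) -> list:
    """Return (option name, value, offending characters) for each unsafe text option."""
    findings = []
    for code, value in parse_options(payload).items():
        if code in TEXT_OPTIONS:
            text = value.decode("latin-1")
            bad = sorted({c for c in text if c not in SAFE})
            if bad:
                findings.append((TEXT_OPTIONS[code], text, "".join(bad)))
    return findings

def build_sample(hostname: bytes) -> bytes:
    """Constructed test message: zeroed 236-byte BOOTP header, DHCPACK, option 12."""
    header = bytes([2, 1, 6, 0]) + bytes(232)  # op=BOOTREPLY, htype, hlen, hops, rest zero
    opts = bytes([53, 1, 5]) + bytes([12, len(hostname)]) + hostname + b"\xff"
    return header + MAGIC + opts
```

Feed `suspicious_options` the UDP payload of traffic on ports 67/68 from a capture or sensor; a non-empty result is worth alerting on regardless of which client version is installed.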

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | 7.5 | HIGH
vendor_debian | 7.5 | HIGH
vendor_redhat | 7.5 | HIGH