CVE-2011-1930
Published 2019-11-14
Priority P274 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 20.53% (97.2th percentile)
In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DEVICE.conf are not properly escaped. This may allow a remote attacker to send a specially crafted DHCP reply which could execute arbitrary code with the privileges of any process which sources DHCP options.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | klibc | < klibc 1.5.22-1 (bookworm) | klibc 1.5.22-1 (bookworm) |
| klibc | klibc | — | — |
| klibc | klibc | — | — |
| klibc_project | klibc | < 1.5.25 | 1.5.25 |
| klibc_project | klibc | >= 0 < 1.5.22-1 | 1.5.22-1 |
| klibc_project | klibc | >= 0 < 1.5.22-1 | 1.5.22-1 |
| klibc_project | klibc | >= 0 < 1.5.22-1 | 1.5.22-1 |
| klibc_project | klibc | >= 0 < 1.5.22-1 | 1.5.22-1 |
Detection & IOCs (extracted from sources)
- Inspect DHCP reply payloads for shell metacharacters (e.g., $(), \", backticks) in DHCP options such as DNSDOMAIN, as these are injected into /tmp/net-$DEVICE.conf and sourced by shell scripts.
- Alert on any process sourcing /tmp/net-*.conf files that spawns unexpected child processes, as exploitation causes arbitrary shell command execution with the privileges of the sourcing process.
- Vulnerability affects klibc versions 1.5.20 and 1.5.21 only; version 1.5.22 and later contain the fix. Ensure detection rules are scoped to systems running vulnerable klibc versions.
- Exploitation requires that a process on the victim system sources the DHCP-written config file (/tmp/net-$DEVICE.conf); impact is limited to the privilege level of that sourcing process.
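The first detection item above, as an added example (not code from klibc or from any source indexed on this page): a Python audit that parses the text of a net-$DEVICE.conf file without sourcing it and flags values a shell would expand or split. The KEY=value line format, the key names other than DNSDOMAIN, and the treatment of single-quoted values as the safe form are assumptions.

```python
import re

# Assumption: the file holds one shell assignment per line (KEY=value).
ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
# Unquoted value made only of characters the shell never interprets.
BARE_SAFE = re.compile(r"^[A-Za-z0-9._:/,@%+-]*$")
# Single-quoted chunks joined by \' (the '\'' idiom for a literal quote).
QUOTED_SAFE = re.compile(r"^'[^']*'(?:\\''[^']*')*$")


def classify_value(value):
    """Return 'safe' if sourcing the value cannot expand or split, else a reason."""
    if BARE_SAFE.match(value) or QUOTED_SAFE.match(value):
        return "safe"
    if "$(" in value or "`" in value:
        return "command substitution"
    if "'" in value or '"' in value:
        return "unbalanced or unsafe quoting"
    return "unquoted shell metacharacter"


def audit_conf(text):
    """Parse the text without sourcing it; return (lineno, key, reason) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if not m:
            findings.append((lineno, None, "not a plain assignment"))
            continue
        reason = classify_value(m.group(2))
        if reason != "safe":
            findings.append((lineno, m.group(1), reason))
    return findings


# Constructed sample, not captured from a real system.
SAMPLE = "\n".join([
    "DEVICE=eth0",
    "IPV4ADDR=192.0.2.10",
    "DNSDOMAIN=example.test$(true)",
    "HOSTNAME='it'\\''s-fine'",
    "ROOTPATH=/srv/nfs root",
])

if __name__ == "__main__":
    for finding in audit_conf(SAMPLE):
        print(finding)
```

Double-quoted values are reported as well, since double quotes still permit expansion when the file is sourced.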
CVSS provenance
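| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | LOW | — |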
GHSA
GHSA-h949-qrpv-p29v: In klibc 1
ghsa_unreviewed·2022-04-22
CVE-2011-1930 [CRITICAL] GHSA-h949-qrpv-p29v: In klibc 1
OSV
CVE-2011-1930: In klibc 1
osv·2019-11-14·CVSS 9.8
CVE-2011-1930 [CRITICAL] CVE-2011-1930: In klibc 1
Debian
CVE-2011-1930: klibc - In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DE...
vendor_debian·2011·CVSS 9.8
CVE-2011-1930 [CRITICAL] CVE-2011-1930: klibc - In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DE...
Scope: local
bookworm: resolved (fixed in 1.5.22-1)
bullseye: resolved (fixed in 1.5.22-1)
forky: resolved (fixed in 1.5.22-1)
sid: resolved (fixed in 1.5.22-1)
trixie: resolved (fixed in 1.5.22-1)
- http://security.gentoo.org/glsa/glsa-201309-21.xml
- http://www.openwall.com/lists/oss-security/2012/05/22/12
- http://www.securityfocus.com/bid/47924
- https://access.redhat.com/security/cve/cve-2011-1930
- https://security-tracker.debian.org/tracker/CVE-2011-1930
Published: 2019-11-14