CVE-2011-1930
published 2019-11-14


Priority: P274 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 20.53% (97.2nd percentile)
In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DEVICE.conf are not properly escaped. This may allow a remote attacker to send a specially crafted DHCP reply which could execute arbitrary code with the privileges of any process which sources DHCP options.

Affected

11 ranges

Vendor          Product        Version range                  Fixed in
debian          debian_linux
debian          debian_linux
debian          debian_linux
debian          klibc          < klibc 1.5.22-1 (bookworm)    klibc 1.5.22-1 (bookworm)
klibc           klibc
klibc           klibc
klibc_project   klibc          < 1.5.25                       1.5.25
klibc_project   klibc          >= 0, < 1.5.22-1               1.5.22-1
klibc_project   klibc          >= 0, < 1.5.22-1               1.5.22-1
klibc_project   klibc          >= 0, < 1.5.22-1               1.5.22-1
klibc_project   klibc          >= 0, < 1.5.22-1               1.5.22-1

Detection & IOCs (extracted from sources)

Path: /tmp/net-$DEVICE.conf
Command: DNSDOMAIN=\"\"\$(echo owned; touch /tmp/owned)
  • Inspect DHCP reply payloads for shell metacharacters (for example $(), double quotes, backticks) in DHCP options such as the domain name: ipconfig writes them unescaped into /tmp/net-$DEVICE.conf, and that file is sourced by shell scripts.
  • Alert when a process that sources /tmp/net-*.conf spawns unexpected child processes; successful exploitation runs attacker-supplied shell commands with the privileges of the sourcing process.
  • The description scopes the vulnerability to klibc 1.5.20 and 1.5.21; the fixed versions recorded above are 1.5.22-1 (Debian) and 1.5.25 (upstream range). Scope detection rules to systems still running a vulnerable klibc.
  • Exploitation requires that a process on the victim system sources the DHCP-written config file (/tmp/net-$DEVICE.conf); impact is bounded by the privilege level of that sourcing process.
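The mechanism the IOC list describes, as an added example that is not klibc's own code: a writer that drops a DHCP option verbatim into a double-quoted shell assignment (the bug pattern), a hardened writer that single-quotes the value with shlex.quote, a metacharacter check matching the first detection bullet, and a helper that sources the rendered file in /bin/sh to show what a consumer actually receives. The option values are constructed; the hostile one keeps the shape of the page's payload but replaces touch /tmp/owned with a side-effect-free echo. The example assumes a POSIX sh on PATH.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Constructed sample values (not captured DHCP traffic). The hostile one mirrors
# the shape of the page's payload but only echoes, so sourcing it is harmless.
BENIGN_DOMAIN = "example.org"
HOSTILE_DOMAIN = "$(echo INJECTED)"

# Characters a POSIX shell treats specially in a bare or double-quoted word.
_SHELL_META = re.compile(r"""[$`"'\\;&|<>()\[\]{}*?!#~\s]""")
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def has_shell_metachars(value: str) -> bool:
    """Detection check from the IOC list: would this option value be
    interpreted by a shell if written unescaped into a sourced file?"""
    return _SHELL_META.search(value) is not None


def render_unsafe(options: dict) -> str:
    """The bug pattern: values dropped verbatim inside double quotes, where
    $(...), backticks and an embedded double quote still take effect."""
    return "".join(f'{name}="{value}"\n' for name, value in options.items())


def render_safe(options: dict) -> str:
    """Hardened writer: every value is single-quoted via shlex.quote, the one
    POSIX quoting form under which nothing inside the quotes is expanded.
    Variable names come from the writer, not the network, but are validated
    anyway so a careless caller cannot smuggle in a second assignment."""
    lines = []
    for name, value in options.items():
        if not _NAME.fullmatch(name):
            raise ValueError(f"not a valid shell variable name: {name!r}")
        lines.append(f"{name}={shlex.quote(value)}\n")
    return "".join(lines)


def sourced_value(conf_text: str, var: str = "DNSDOMAIN") -> str:
    """Source the rendered file in /bin/sh and return what the consumer sees,
    the way a script doing '. /tmp/net-$DEVICE.conf' would."""
    if not _NAME.fullmatch(var):
        raise ValueError(f"not a valid shell variable name: {var!r}")
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as tmp:
        tmp.write(conf_text)
        path = tmp.name
    try:
        proc = subprocess.run(
            ["sh", "-c", f'. "$1"; printf %s "${var}"', "sh", path],
            capture_output=True, text=True, check=True,
        )
    finally:
        os.unlink(path)
    return proc.stdout


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        text = render({"DNSDOMAIN": HOSTILE_DOMAIN})
        print(f"{label}: {text.strip()!r} -> {sourced_value(text)!r}")
```

With the unsafe writer the sourced shell expands the substitution and DNSDOMAIN becomes INJECTED; with the single-quoted form the consumer receives the literal string and nothing runs. The metacharacter check is deliberately broad (it also flags whitespace and quotes), which is the right bias for a detection rule over values that should only ever be hostnames and domain names.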

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                       9.8     CRITICAL
vendor_debian             9.8     LOW