CVE-2011-2717
published 2019-11-27

Priority P261 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.93% (89.1th percentile)
The DHCPv6 client (dhcp6c) as used in the dhcpv6 project through 2011-07-25 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message.

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dhcpv6_project | dhcpv6 | | |
| linux | dhcp6c | <= 2011-07-25 | |
| redhat | enterprise_linux | | |
| redhat | enterprise_linux | | |

Detection & IOCs

  • Malicious DHCP server injects shell metacharacters into a hostname or domain-search option value delivered via a DHCPv6 reply message; monitor dhcp6c processing of DHCP messages for unexpected shell special characters in hostname or domain name fields.
  • Monitor /etc/resolv.conf 'search' option values written by dhcp6c for shell metacharacters or sed-special characters (e.g. '/', '&', '\') that could be exploited by scripts consuming the search value.
  • Alert on shtool sh.echo invocations that use the '%d' construct (domain expansion) in environments where resolv.conf search values are DHCP-controlled, as this is the identified exploitation path for the domain-search vector.
  • Track CVE-2011-0997 (ISC dhclient) detections alongside this CVE; both share the same root cause of unsanitized DHCP option values being passed to system scripts.
  • DHCPv6 does not carry a hostname option in replies (unlike DHCPv4); the exploitable field in the DHCPv6 context is the DNS domain-search option written to /etc/resolv.conf, not a hostname field directly.
  • Red Hat marked dhcpv6 packages on RHEL 4 and RHEL 5 as 'Will not fix', meaning patched packages were not shipped; deployments on these platforms remain vulnerable unless mitigated at the network layer.
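
The resolv.conf monitoring described in the list above, as an added example (not code from this page or from the dhcpv6 project): it reads a resolv.conf, checks every `search` and `domain` value, and reports any value containing characters outside a conservative DNS-name set. The allowed character set, the function name `audit_resolv_conf` and the sample file contents are assumptions made for illustration.

```python
import re
import sys

# Assumption: a legitimate search/domain entry holds only DNS label characters
# (letters, digits, hyphen, underscore) joined by dots, optional trailing dot.
SAFE_DOMAIN = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.?")
CHECKED_KEYWORDS = {"search", "domain"}

# Constructed sample input, not captured from a real host.
SAMPLE = """\
# written by a DHCPv6 client (constructed sample)
nameserver 2001:db8::53
search corp.example.com lab.example.com
search example.com/&x bad;name.example.net
domain ok.example.org
"""


def audit_resolv_conf(text):
    """Return (line_no, keyword, value, bad_chars) for each suspicious value.

    bad_chars is empty when the value uses only allowed characters but is
    still malformed (empty label, or longer than 255 characters).
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword not in CHECKED_KEYWORDS or len(parts) < 2:
            continue
        for value in parts[1].split():
            if SAFE_DOMAIN.fullmatch(value) and len(value) <= 255:
                continue
            bad = sorted(set(re.findall(r"[^A-Za-z0-9_.-]", value)))
            findings.append((line_no, keyword, value, bad))
    return findings


if __name__ == "__main__":
    # Pass a path such as /etc/resolv.conf; without one the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line_no, keyword, value, bad in audit_resolv_conf(text):
        print(f"line {line_no}: {keyword} value {value!r} unexpected chars {bad}")
```

Running it from a file-change hook or a periodic job on hosts whose resolv.conf is DHCP-managed gives an alert source for the search-value bullet above.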

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat | 9.8 | CRITICAL