CVE-2011-2717
Published 2019-11-27
Priority P261 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.93% (89.1th percentile)
The DHCPv6 client (dhcp6c) as used in the dhcpv6 project through 2011-07-25 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dhcpv6_project | dhcpv6 | — | — |
| linux | dhcp6c | <= 2011-07-25 | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
Detection & IOCs
- Malicious DHCP server injects shell metacharacters into a hostname or domain-search option value delivered via a DHCPv6 reply message; monitor dhcp6c processing of DHCP messages for unexpected shell special characters in hostname or domain name fields.
- Monitor /etc/resolv.conf 'search' option values written by dhcp6c for shell metacharacters or sed-special characters (e.g. '/', '&', '\') that could be exploited by scripts consuming the search value.
- Alert on shtool sh.echo invocations that use the '%d' construct (domain expansion) in environments where resolv.conf search values are DHCP-controlled, as this is the identified exploitation path for the domain-search vector.
- Track CVE-2011-0997 (ISC dhclient) detections alongside this CVE; both share the same root cause of unsanitized DHCP option values being passed to system scripts.
- DHCPv6 does not carry a hostname option in replies (unlike DHCPv4); the exploitable field in the DHCPv6 context is the DNS domain-search option written to /etc/resolv.conf, not a hostname field directly.
- Red Hat marked dhcpv6 packages on RHEL 4 and RHEL 5 as 'Will not fix', meaning patched packages were not shipped; deployments on these platforms remain vulnerable unless mitigated at the network layer.
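Added example, not taken from the source advisories: a small audit for the resolv.conf check described above, which flags `search` and `domain` values that are not plain letter-digit-hyphen hostnames and reports the offending characters. The function name, the strict allowlist and the sample input are assumptions made for this illustration.

```python
import re

# Letter-digit-hyphen label, 1-63 chars, no leading or trailing hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
VALID_DOMAIN = re.compile(rf"^{LABEL}(?:\.{LABEL})*\.?$")

# Constructed sample input (not captured from a real host).
SAMPLE = "\n".join([
    "# constructed sample for this example",
    "nameserver 2001:db8::53",
    "search corp.example.com lab.example.com.",
    "search good.example bad/name&.example a\\b.example x;y.example",
    "domain ok.example.org",
])


def audit_resolv_conf(text):
    """Return (line_no, keyword, value, bad_chars) for each suspicious value.

    bad_chars lists the characters outside [A-Za-z0-9.-]; it is empty when
    the value only breaks label structure (for example an empty label).
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        parts = line.split(None, 1)
        if parts[0] not in ("search", "domain") or len(parts) < 2:
            continue
        for value in parts[1].split():
            if len(value) <= 253 and VALID_DOMAIN.match(value):
                continue
            bad = sorted(set(re.findall(r"[^A-Za-z0-9.-]", value)))
            findings.append((line_no, parts[0], value, "".join(bad)))
    return findings


if __name__ == "__main__":
    for line_no, keyword, value, bad in audit_resolv_conf(SAMPLE):
        print(f"line {line_no}: {keyword} value {value!r} has unexpected {bad!r}")
```

To audit a live host, pass the contents of /etc/resolv.conf to `audit_resolv_conf`; an allowlist is used here because it also catches characters the bullets do not enumerate.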
CVSS provenance
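| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 9.8 | CRITICAL | — |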
GHSA
GHSA-4wfc-527w-m6mj
ghsa_unreviewed · 2022-04-22
CVE-2011-2717 [CRITICAL] CWE-74
Red Hat
dhcpv6: insufficient checking of DHCP options
vendor_redhat · 2011-04-05 · CVSS 9.8
CVE-2011-2717 [CRITICAL]
Package: dhcpv6 (Red Hat Enterprise Linux 4) - Will not fix
Package: dhcpv6 (Red Hat Enterprise Linux 5) - Will not fix
No detection rules found.
No public exploits indexed.
- https://access.redhat.com/security/cve/cve-2011-2717
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2717
- https://vigilance.fr/vulnerability/dhcp6c-shell-command-injection-10869
- https://www.openwall.com/lists/oss-security/2011/07/26/9