A command injection vulnerability has been discovered in the Dynamic Host Configuration Protocol (DHCP) client included in Red Hat Enterprise Linux, which would allow a malicious actor capable of setting up a DHCP server or otherwise capable of spoofing DHCP responses on a local network to execute commands with root privileges.
The vulnerability—which is designated as CVE-2018-1111 by Red Hat—was discovered by Google engineer Felix Wilhelm, who noted that the proof-of-exploit code is small enough to fit in a tweet. Red Hat considers it a critical vulnerability, as noted in the bug report, indicating that it can be easily exploited by a remote unauthenticated attacker.
DHCP is used to assign an IP address, DNS servers, and other network configuration attributes to devices on a network, and it is used in both wired and wireless networks. Because the only requirement for leveraging this exploit is being on the same network, this vulnerability is particularly concerning for systems likely to be connected to untrusted open Wi-Fi networks, which is more likely to affect Fedora users on laptops.
Ultimately, any non-segregated network that allows devices to join without explicit administrator approval—which is arguably the point of enabling DHCP to begin with—is a risk.
This bug affects RHEL 6.x and 7.x, as well as CentOS 6.x and 7.x, and Fedora 26, 27, 28, and Rawhide. Other operating systems built on top of Fedora/RHEL are likely to be affected, including HPE’s ClearOS and Oracle Linux, as well as the recently discontinued Korora Linux. Because the issue relates to a NetworkManager integration script, it is unlikely to affect Linux distributions that are not related to Fedora or RHEL. RHEL 5 is not affected.
Patching instructions are available for Red Hat users here, and here for Fedora users. Oracle has issued an advisory as well.
The big takeaways for tech leaders:
- A critical command injection vulnerability was discovered in the DHCP client included in RHEL, CentOS, and Fedora, which allows attackers on the local network to execute commands as root.
- This issue relates to a NetworkManager integration script, making it unlikely to affect Linux distributions which are not related to Fedora or RHEL.