CVE-2011-0997 - Improper Input Validation vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script.
Vulnerable Configurations

Part | Description | Count
---|---|---
Application | | 59
OS | | 3
OS | | 5
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow the buffers associated with it. This attack leverages the implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection: An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve results similar to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting: An attacker is able to cause a victim to load content into their web browser that bypasses security zone controls and gains increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone have a lower level of access to the system and/or are restricted in the types of executable content they are allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration of the zone controls, through a cross-site scripting attack that causes the attacker's content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and the less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter relates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files: An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML-encoded before being written to the page, the attacker's scripts stored in the log will be executed in the administrative interface, with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection: An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL xp_cmdshell, or indirectly through injection of data into the database that will later be interpreted as shell commands. Sometime later, a backend application (which may be part of the same application) fetches the injected data stored in the database and uses it as command line arguments without performing proper validation. The malicious data escapes the data plane by spawning new commands to be executed on the host.
Exploit-DB

id: EDB-ID:37623
Nessus
NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-1108-2.NASL
title: Ubuntu 9.10 / 10.04 LTS / 10.10 : dhcp3 vulnerability (USN-1108-2)
description: USN-1108-1 fixed vulnerabilities in DHCP. Due to an error, the patch to fix the vulnerability was not properly applied on Ubuntu 9.10 and higher. This update fixes the problem. Sebastian Krahmer discovered that the dhclient utility incorrectly filtered crafted responses. An attacker could use this flaw with a malicious DHCP server to execute arbitrary code, resulting in root privilege escalation. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
plugin id: 55067 | published: 2011-06-13 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/55067
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-1108-2. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

# Registration phase: the plugin describes itself to the scanner and exits.
if (description)
{
  script_id(55067);
  script_version("1.11");
  script_cvs_date("Date: 2019/09/19 12:54:27");

  script_cve_id("CVE-2011-0997");
  script_bugtraq_id(47176);
  script_xref(name:"USN", value:"1108-2");

  script_name(english:"Ubuntu 9.10 / 10.04 LTS / 10.10 : dhcp3 vulnerability (USN-1108-2)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"USN-1108-1 fixed vulnerabilities in DHCP. Due to an error, the patch
to fix the vulnerability was not properly applied on Ubuntu 9.10 and
higher. This update fixes the problem.

Sebastian Krahmer discovered that the dhclient utility incorrectly
filtered crafted responses. An attacker could use this flaw with a
malicious DHCP server to execute arbitrary code, resulting in root
privilege escalation.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/1108-2/"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected dhcp3-client package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:dhcp3-client");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.10");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/04/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/04/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/13");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

# Preconditions: local checks enabled, a supported Ubuntu release and a dpkg -l listing.
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(9\.10|10\.04|10\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 9.10 / 10.04 / 10.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

# Compare the installed dhcp3-client version against the fixed version per release.
flag = 0;

if (ubuntu_check(osver:"9.10", pkgname:"dhcp3-client", pkgver:"3.1.2-1ubuntu7.3")) flag++;
if (ubuntu_check(osver:"10.04", pkgname:"dhcp3-client", pkgver:"3.1.3-2ubuntu3.2")) flag++;
if (ubuntu_check(osver:"10.10", pkgname:"dhcp3-client", pkgver:"3.1.3-2ubuntu6.2")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "dhcp3-client");
}
```
NASL family: Slackware Local Security Checks
NASL id: SLACKWARE_SSA_2011-097-01.NASL
title: Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 9.0 / 9.1 / current : dhcp (SSA:2011-097-01)
description: New dhcp packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a security issue.
plugin id: 54900 | published: 2011-05-28 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/54900
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory 2011-097-01. The text
# itself is copyright (C) Slackware Linux, Inc.
#

include("compat.inc");

# Registration phase: the plugin describes itself to the scanner and exits.
if (description)
{
  script_id(54900);
  script_version("1.11");
  script_cvs_date("Date: 2019/10/25 13:36:21");

  script_cve_id("CVE-2011-0997");
  script_bugtraq_id(47176);
  script_xref(name:"SSA", value:"2011-097-01");

  script_name(english:"Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 9.0 / 9.1 / current : dhcp (SSA:2011-097-01)");
  script_summary(english:"Checks for updated package in /var/log/packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Slackware host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"New dhcp packages are available for Slackware 9.0, 9.1, 10.0, 10.1,
10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a
security issue."
  );
  # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.593345
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?c953cd80"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected dhcp package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:dhcp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:12.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:12.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:12.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/04/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/28");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
  script_family(english:"Slackware Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("slackware.inc");

# Preconditions: local checks enabled, a Slackware release and a package list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

# Compare the installed dhcp package against the fixed build for each release/arch.
flag = 0;
if (slackware_check(osver:"9.0", pkgname:"dhcp", pkgver:"3.1_ESV_R1", pkgarch:"i386", pkgnum:"1_slack9.0")) flag++;
if (slackware_check(osver:"9.1", pkgname:"dhcp", pkgver:"3.1_ESV_R1", pkgarch:"i486", pkgnum:"1_slack9.1")) flag++;
if (slackware_check(osver:"10.0", pkgname:"dhcp", pkgver:"3.1_ESV_R1", pkgarch:"i486", pkgnum:"1_slack10.0")) flag++;
if (slackware_check(osver:"10.1", pkgname:"dhcp", pkgver:"3.1_ESV_R1", pkgarch:"i486", pkgnum:"1_slack10.1")) flag++;
if (slackware_check(osver:"10.2", pkgname:"dhcp", pkgver:"3.1_ESV_R1", pkgarch:"i486", pkgnum:"1_slack10.2")) flag++;
if (slackware_check(osver:"11.0", pkgname:"dhcp", pkgver:"3.1_ESV_R1", pkgarch:"i486", pkgnum:"1_slack11.0")) flag++;
if (slackware_check(osver:"12.0", pkgname:"dhcp", pkgver:"3.1_ESV_R1", pkgarch:"i486", pkgnum:"1_slack12.0")) flag++;
if (slackware_check(osver:"12.1", pkgname:"dhcp", pkgver:"3.1_ESV_R1", pkgarch:"i486", pkgnum:"1_slack12.1")) flag++;
if (slackware_check(osver:"12.2", pkgname:"dhcp", pkgver:"3.1_ESV_R1", pkgarch:"i486", pkgnum:"1_slack12.2")) flag++;
if (slackware_check(osver:"13.0", pkgname:"dhcp", pkgver:"3.1_ESV_R1", pkgarch:"i486", pkgnum:"1_slack13.0")) flag++;
if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"dhcp", pkgver:"3.1_ESV_R1", pkgarch:"x86_64", pkgnum:"1_slack13.0")) flag++;
if (slackware_check(osver:"13.1", pkgname:"dhcp", pkgver:"4.1_ESV_R2", pkgarch:"i486", pkgnum:"1_slack13.1")) flag++;
if (slackware_check(osver:"13.1", arch:"x86_64", pkgname:"dhcp", pkgver:"4.1_ESV_R2", pkgarch:"x86_64", pkgnum:"1_slack13.1")) flag++;
if (slackware_check(osver:"current", pkgname:"dhcp", pkgver:"4.2.1_P1", pkgarch:"i486", pkgnum:"1")) flag++;
if (slackware_check(osver:"current", arch:"x86_64", pkgname:"dhcp", pkgver:"4.2.1_P1", pkgarch:"x86_64", pkgnum:"1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: SuSE Local Security Checks
NASL id: SUSE9_12696.NASL
title: SuSE9 Security Update : dhcpcd (YOU Patch Number 12696)
description: A rogue DHCP server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusual characters in the system
plugin id: 53312 | published: 2011-04-07 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/53312

NASL family: SuSE Local Security Checks
NASL id: SUSE9_12697.NASL
title: SuSE9 Security Update : dhcp6 (YOU Patch Number 12697)
description: A rogue DHCP server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusual characters in the system
plugin id: 53636 | published: 2011-05-04 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/53636

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-2217.NASL
title: Debian DSA-2217-1 : dhcp3 - missing input sanitization
description: Sebastian Krahmer and Marius Tomaschewski discovered that dhclient of dhcp3, a DHCP client, is not properly filtering shell meta-characters in certain options in DHCP server responses. These options are reused in an insecure fashion by dhclient scripts. This allows an attacker to execute arbitrary commands with the privileges of such a process by sending crafted DHCP options to a client using a rogue server.
plugin id: 53344 | published: 2011-04-11 | modified: 2011-04-11 | last seen: 2020-03-17
reporter: This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/53344

NASL family: SuSE Local Security Checks
NASL id: SUSE_DHCP6-7465.NASL
title: SuSE 10 Security Update : dhcp6 (ZYPP Patch Number 7465)
description: A rogue DHCP server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusual characters in the system
plugin id: 57182 | published: 2011-12-13 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/57182

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_2_DHCP-110406.NASL
title: openSUSE Security Update : dhcp (openSUSE-SU-2011:0320-1)
description: A rogue DHCP server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusual characters in the system
plugin id: 53706 | published: 2011-05-05 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/53706

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_3_DHCPCD-110411.NASL
title: openSUSE Security Update : dhcpcd (openSUSE-SU-2011:0352-1)
description: A rogue DHCP server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusual characters in the system
plugin id: 75468 | published: 2014-06-13 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/75468

NASL family: SuSE Local Security Checks
NASL id: SUSE9_12698.NASL
title: SuSE9 Security Update : dhcp (YOU Patch Number 12698)
description: A rogue DHCP server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusual characters in the system
plugin id: 53354 | published: 2011-04-11 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/53354

NASL family: VMware ESX Local Security Checks
NASL id: VMWARE_VMSA-2011-0010.NASL
title: VMSA-2011-0010 : VMware ESX third-party updates for Service Console packages glibc and dhcp
description:
  a. Service Console update for DHCP. The DHCP client daemon, dhclient, does not properly sanitize certain options in DHCP server replies. An attacker could send a specially crafted DHCP server reply that is saved on the client system and evaluated by a process that assumes the option is trusted. This could lead to arbitrary code execution with the privileges of the evaluating process. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-0997 to this issue.
  b. Service Console update for glibc. This patch updates the glibc package for the ESX service console to glibc-2.5-58.7602.vmw. This fixes multiple security issues in glibc, glibc-common and nscd, including possible local privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2010-0296, CVE-2011-0536, CVE-2011-1095, CVE-2011-1071, CVE-2011-1658 and CVE-2011-1659 to these issues.
plugin id: 55747 | published: 2011-08-01 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/55747

NASL family: SuSE Local Security Checks
NASL id: SUSE_DHCP-7451.NASL
title: SuSE 10 Security Update : dhcp (ZYPP Patch Number 7451)
description: A rogue DHCP server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusual characters in the system
plugin id: 57180 | published: 2011-12-13 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/57180

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2011-4897.NASL
title: Fedora 14 : dhcp-4.2.0-21.P2.fc14 (2011-4897)
description: This is a SECURITY release of ISC DHCP, which fixes one security related bug (CVE-2011-0997) in dhclient.
plugin id: 53396 | published: 2011-04-13 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/53396

NASL family: SuSE Local Security Checks
NASL id: SUSE_DHCP-7456.NASL
title: SuSE 10 Security Update : dhcp (ZYPP Patch Number 7456)
description: A rogue DHCP server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusual characters in the system
plugin id: 53403 | published: 2011-04-13 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/53403

NASL family: SuSE Local Security Checks
NASL id: SUSE_DHCP-7430.NASL
title: SuSE 10 Security Update : dhcp (ZYPP Patch Number 7430)
description: A rogue DHCP server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusual characters in the system
plugin id: 57179 | published: 2011-12-13 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/57179

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20110408_DHCP_ON_SL4_X.NASL
title: Scientific Linux Security Update : dhcp on SL4.x,SL5.x,SL6.x i386/x86_64
description: It was discovered that the DHCP client daemon, dhclient, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option
plugin id: 61014 | published: 2012-08-01 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/61014

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-1108-1.NASL
title: Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : dhcp3 vulnerability (USN-1108-1)
description: Sebastian Krahmer discovered that the dhclient utility incorrectly filtered crafted responses. An attacker could use this flaw with a malicious DHCP server to execute arbitrary code, resulting in root privilege escalation.
plugin id: 53372 | published: 2011-04-12 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/53372

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201301-06.NASL
title: GLSA-201301-06 : ISC DHCP: Denial of Service
description: The remote host is affected by the vulnerability described in GLSA-201301-06 (ISC DHCP: Denial of Service). Multiple vulnerabilities have been discovered in ISC DHCP. Please review the CVE identifiers referenced below for details. Impact: The vulnerabilities might allow remote attackers to execute arbitrary code or cause a Denial of Service. Workaround: There is no known workaround at this time.
plugin id: 63440 | published: 2013-01-09 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/63440

NASL family: Misc.
NASL id: AIRPORT_FIRMWARE_7_6.NASL
title: Apple Time Capsule and AirPort Base Station (802.11n) Firmware < 7.6 (APPLE-SA-2011-11-10-2)
description: According to the firmware version collected via SNMP, the copy of dhclient-script included with the remote Apple Time Capsule / AirPort Express Base Station / AirPort Extreme Base Station reportedly fails to strip shell meta-characters in a hostname obtained from a DHCP response. A remote attacker might be able to leverage this vulnerability to execute arbitrary code on the affected device.
plugin id: 56855 | published: 2011-11-16 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/56855

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2011-10705.NASL
title: Fedora 14 : dhcp-4.2.0-23.P2.fc14 (2011-10705)
description: This update fixes a pair of defects that could cause the server to halt upon processing certain packets.
plugin id: 56096 | published: 2011-09-07 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/56096

NASL family: F5 Networks Local Security Checks
NASL id: F5_BIGIP_SOL13219.NASL
title: F5 Networks BIG-IP : DHCP Client vulnerability (SOL13219)
description: The ISC Dynamic Host Configuration Protocol (DHCP) client, dhclient, in versions 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands by way of shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script.
plugin id: 78132 | published: 2014-10-10 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/78132

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_4_DHCP-110406.NASL
title: openSUSE Security Update : dhcp (openSUSE-SU-2011:0321-1)
description: A rogue DHCP server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusual characters in the system
plugin id: 75813 | published: 2014-06-13 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/75813

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_DHCPV6-110401.NASL
title: SuSE 11.1 Security Update : dhcpv6 (SAT Patch Number 4317)
description: A rogue DHCP server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusual characters in the system
plugin id: 53402 | published: 2011-04-13 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/53402

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-2216.NASL
title: Debian DSA-2216-1 : isc-dhcp - missing input sanitization
description: Sebastian Krahmer and Marius Tomaschewski discovered that dhclient of isc-dhcp, a DHCP client, is not properly filtering shell meta-characters in certain options in DHCP server responses. These options are reused in an insecure fashion by dhclient scripts. This allows an attacker to execute arbitrary commands with the privileges of such a process by sending crafted DHCP options to a client using a rogue server.
plugin id: 53343 | published: 2011-04-11 | modified: 2011-04-11 | last seen: 2020-03-17
reporter: This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/53343

NASL family: SuSE Local Security Checks
NASL id: SUSE9_12699.NASL
title: SuSE9 Security Update : dhcpcd (YOU Patch Number 12699)
description: A rogue DHCP server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusual characters in the system
plugin id: 53355 | published: 2011-04-11 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/53355

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2011-0848.NASL
title: Fedora 13 : dhcp-4.1.2-4.ESV.R2.fc13 (2011-0848)
description: This is a SECURITY release of ISC DHCP, which fixes two security related bugs: CVE-2011-0413 (DHCPv6 server) and CVE-2011-0997 (dhclient).
plugin id: 53478 | published: 2011-04-19 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/53478

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2011-073.NASL
title: Mandriva Linux Security Advisory : dhcp (MDVSA-2011:073)
description: A vulnerability has been found and corrected in ISC DHCP: dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message (CVE-2011-0997). Additionally, for Corporate Server 4 and Enterprise Server 5, ISC DHCP has been upgraded from the 3.0.7 version to the 4.1.2-P1 version, which brings many enhancements such as better IPv6 support. Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149 products_id=490 The updated packages have been upgraded to the 4.1.2-P1 version and patched to correct this issue.
plugin id: 53369 | published: 2011-04-12 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/53369

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2011-0428.NASL
title: CentOS 4 / 5 : dhcp (CESA-2011:0428)
description: Updated dhcp packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. It was discovered that the DHCP client daemon, dhclient, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option
plugin id: 53339 | published: 2011-04-11 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/53339

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2011-4934.NASL
title: Fedora 15 : dhcp-4.2.1-4.P1.fc15 (2011-4934)
description: This is a SECURITY release of ISC DHCP, which fixes one security related bug (CVE-2011-0997) in dhclient.
plugin id: 53454 | published: 2011-04-18 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/53454

NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2016-0058.NASL
title: OracleVM 3.2 : dhcp (OVMSA-2016-0058)
description: The remote OracleVM system is missing necessary patches to address critical security updates : - exit(2) after sending DHCPDECLINE when dhclient has been started with
plugin id: 91742 | published: 2016-06-22 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/91742

NASL family: Misc.
NASL id: VMWARE_VMSA-2011-0010_REMOTE.NASL
title: VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0010) (remote check)
description: The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including arbitrary code execution vulnerabilities, in several third-party components and libraries: DHCP and glibc.
plugin id: 89679 | published: 2016-03-04 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/89679

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2011-0428.NASL
description: From Red Hat Security Advisory 2011:0428 : Updated dhcp packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. It was discovered that the DHCP client daemon, dhclient, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option last seen 2020-06-01 modified 2020-06-02 plugin id 68251 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68251 title Oracle Linux 4 / 5 / 6 : dhcp (ELSA-2011-0428) NASL family SuSE Local Security Checks NASL id SUSE_11_3_DHCP-110406.NASL description A rogue dhcp server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusal characters in the system last seen 2020-06-01 modified 2020-06-02 plugin id 75465 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75465 title openSUSE Security Update : dhcp (openSUSE-SU-2011:0320-1) NASL family SuSE Local Security Checks NASL id SUSE_11_DHCP-110407.NASL description A rogue DHCP server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusal characters in the system last seen 2020-06-01 modified 2020-06-02 plugin id 53356 published 2011-04-11 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/53356 title SuSE 11.1 Security Update : dhcp (SAT Patch Number 4315) NASL family SuSE Local Security Checks NASL id SUSE_DHCP6-7464.NASL description A rogue DHCP server could instruct clients to use a host name that contains shell meta characters. Since many scripts in the system do not expect unusal characters in the system last seen 2020-06-01 modified 2020-06-02 plugin id 53502 published 2011-04-20 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/53502 title SuSE 10 Security Update : dhcp6 (ZYPP Patch Number 7464) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_7E69F00D632A11E09F3A001D092480A4.NASL description ISC reports : ISC dhclient did not strip or escape certain shell meta-characters in responses from the dhcp server (like hostname) before passing the responses on to dhclient-script. Depending on the script and OS, this can result in execution of exploit code on the client. last seen 2020-06-01 modified 2020-06-02 plugin id 53346 published 2011-04-11 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53346 title FreeBSD : isc-dhcp-client -- dhclient does not strip or escape shell meta-characters (7e69f00d-632a-11e0-9f3a-001d092480a4) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-0428.NASL description Updated dhcp packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 
The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. It was discovered that the DHCP client daemon, dhclient, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option last seen 2020-06-01 modified 2020-06-02 plugin id 53352 published 2011-04-11 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53352 title RHEL 4 / 5 / 6 : dhcp (RHSA-2011:0428)
Oval
Field | Value |
---|---|
accepted | 2011-12-05T04:00:08.832-05:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script. |
family | unix |
id | oval:org.mitre.oval:def:12812 |
status | accepted |
submitted | 2011-09-06T16:14:19.000-05:00 |
title | VMSA-2011-0010 VMware ESX third party updates for Service Console packages glibc and dhcp |
version | 6 |
Packetstorm
- data source: https://packetstormsecurity.com/files/download/132582/iptimedhcp-exec.txt
- id: PACKETSTORM:132582
- last seen: 2016-12-05
- published: 2015-07-06
- reporter: Pierre Kim
- source: https://packetstormsecurity.com/files/132582/ipTIME-DHCP-Remote-Command-Execution.html
- title: ipTIME DHCP Remote Command Execution

- data source: https://packetstormsecurity.com/files/download/132709/totolink-exec.txt
- id: PACKETSTORM:132709
- last seen: 2016-12-05
- published: 2015-07-16
- reporter: Pierre Kim
- source: https://packetstormsecurity.com/files/132709/15-TOTOLINK-Routers-Remote-Command-Execution.html
- title: 15 TOTOLINK Routers Remote Command Execution
References
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
- http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057888.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058279.html
- http://marc.info/?l=bugtraq&m=133226187115472&w=2
- http://secunia.com/advisories/44037
- http://secunia.com/advisories/44048
- http://secunia.com/advisories/44089
- http://secunia.com/advisories/44090
- http://secunia.com/advisories/44103
- http://secunia.com/advisories/44127
- http://secunia.com/advisories/44180
- http://security.gentoo.org/glsa/glsa-201301-06.xml
- http://securitytracker.com/id?1025300
- http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.593345
- http://www.debian.org/security/2011/dsa-2216
- http://www.debian.org/security/2011/dsa-2217
- http://www.kb.cert.org/vuls/id/107886
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:073
- http://www.osvdb.org/71493
- http://www.redhat.com/support/errata/RHSA-2011-0428.html
- http://www.redhat.com/support/errata/RHSA-2011-0840.html
- http://www.securityfocus.com/bid/47176
- http://www.ubuntu.com/usn/USN-1108-1
- http://www.vupen.com/english/advisories/2011/0879
- http://www.vupen.com/english/advisories/2011/0886
- http://www.vupen.com/english/advisories/2011/0909
- http://www.vupen.com/english/advisories/2011/0915
- http://www.vupen.com/english/advisories/2011/0926
- http://www.vupen.com/english/advisories/2011/0965
- http://www.vupen.com/english/advisories/2011/1000
- https://bugzilla.redhat.com/show_bug.cgi?id=689832
- https://exchange.xforce.ibmcloud.com/vulnerabilities/66580
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12812
- https://www.exploit-db.com/exploits/37623/
- https://www.isc.org/software/dhcp/advisories/cve-2011-0997