CVE-2018-1111 - Command Injection vulnerability in multiple products
Attack vector | ADJACENT_NETWORK |
Attack complexity | HIGH |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Cause Web Server Misclassification: An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process. This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward: standard communication protocols and methods are used and are generally appended with malicious information at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side like .jsp for a Java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents.
- LDAP Injection: An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
- Command Delimiters: An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses a filter or blacklist input validation, as opposed to whitelist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
- File System Function Injection, Content Based: An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points, they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attacker's program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
- Exploiting Multiple Input Interpretation Layers: An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiple passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
Exploit-Db
description | DynoRoot DHCP Client - Command Injection. CVE-2018-1111. Local exploit for Linux platform |
file | exploits/linux/local/44652.py |
id | EDB-ID:44652 |
last seen | 2018-05-24 |
modified | 2018-05-18 |
platform | linux |
port | |
published | 2018-05-18 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/44652/ |
title | DynoRoot DHCP Client - Command Injection |
type | local |

description | DHCP Client - Command Injection (DynoRoot) (Metasploit). CVE-2018-1111. Remote exploit for Linux platform. Tags: Metasploit Framework (MSF), Remote |
file | exploits/linux/remote/44890.rb |
id | EDB-ID:44890 |
last seen | 2018-06-13 |
modified | 2018-06-13 |
platform | linux |
port | |
published | 2018-06-13 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/44890/ |
title | DHCP Client - Command Injection (DynoRoot) (Metasploit) |
type | remote |
Metasploit
description | This module exploits the DynoRoot vulnerability, a flaw in how the NetworkManager integration script included in the DHCP client in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier processes DHCP options. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. |
id | MSF:EXPLOIT/UNIX/DHCP/RHEL_DHCP_CLIENT_COMMAND_INJECTION |
last seen | 2020-06-13 |
modified | 2018-08-27 |
published | 2018-05-18 |
references |
|
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/dhcp/rhel_dhcp_client_command_injection.rb |
title | DHCP Client Command Injection (DynoRoot) |
Nessus
NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2018-1454.NASL |
description | From Red Hat Security Advisory 2018:1454 : An update for dhcp is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109827 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109827 |
title | Oracle Linux 6 : dhcp (ELSA-2018-1454) |
code |
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2018:1454 and
# Oracle Linux Security Advisory ELSA-2018-1454 respectively.
#

include("compat.inc");

if (description)
{
  script_id(109827);
  script_version("1.10");
  script_cvs_date("Date: 2019/09/27 13:00:38");

  script_cve_id("CVE-2018-1111");
  script_xref(name:"RHSA", value:"2018:1454");
  script_xref(name:"IAVA", value:"2018-A-0162");

  script_name(english:"Oracle Linux 6 : dhcp (ELSA-2018-1454)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"From Red Hat Security Advisory 2018:1454 : An update for dhcp is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2018-May/007730.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected dhcp packages.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'DHCP Client Command Injection (DynoRoot)');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dhclient");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dhcp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dhcp-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dhcp-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/16");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

flag = 0;
if (rpm_check(release:"EL6", reference:"dhclient-4.1.1-53.P1.0.1.el6_9.4")) flag++;
if (rpm_check(release:"EL6", reference:"dhcp-4.1.1-53.P1.0.1.el6_9.4")) flag++;
if (rpm_check(release:"EL6", reference:"dhcp-common-4.1.1-53.P1.0.1.el6_9.4")) flag++;
if (rpm_check(release:"EL6", reference:"dhcp-devel-4.1.1-53.P1.0.1.el6_9.4")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "dhclient / dhcp / dhcp-common / dhcp-devel");
}

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2018-1457.NASL |
description | An update for dhcp is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Telco Extended Update Support, and Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109843 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109843 |
title | RHEL 7 : dhcp (RHSA-2018:1457) |
code |
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2018:1457. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(109843);
  script_version("1.14");
  script_cvs_date("Date: 2019/10/24 15:35:44");

  script_cve_id("CVE-2018-1111");
  script_xref(name:"RHSA", value:"2018:1457");
  script_xref(name:"IAVA", value:"2018-A-0162");

  script_name(english:"RHEL 7 : dhcp (RHSA-2018:1457)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An update for dhcp is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Telco Extended Update Support, and Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/vulnerabilities/3442151"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2018:1457"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2018-1111"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'DHCP Client Command Injection (DynoRoot)');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dhclient");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dhcp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dhcp-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dhcp-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dhcp-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dhcp-libs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.2");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/16");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^7\.2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.2", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2018:1457";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL7", sp:"2", cpu:"x86_64", reference:"dhclient-4.2.5-42.el7_2.1")) flag++;
  if (rpm_check(release:"RHEL7", sp:"2", cpu:"x86_64", reference:"dhcp-4.2.5-42.el7_2.1")) flag++;
  if (rpm_check(release:"RHEL7", sp:"2", cpu:"x86_64", reference:"dhcp-common-4.2.5-42.el7_2.1")) flag++;
  if (rpm_check(release:"RHEL7", sp:"2", cpu:"i686", reference:"dhcp-debuginfo-4.2.5-42.el7_2.1")) flag++;
  if (rpm_check(release:"RHEL7", sp:"2", cpu:"x86_64", reference:"dhcp-debuginfo-4.2.5-42.el7_2.1")) flag++;
  if (rpm_check(release:"RHEL7", sp:"2", cpu:"i686", reference:"dhcp-devel-4.2.5-42.el7_2.1")) flag++;
  if (rpm_check(release:"RHEL7", sp:"2", cpu:"x86_64", reference:"dhcp-devel-4.2.5-42.el7_2.1")) flag++;
  if (rpm_check(release:"RHEL7", sp:"2", cpu:"i686", reference:"dhcp-libs-4.2.5-42.el7_2.1")) flag++;
  if (rpm_check(release:"RHEL7", sp:"2", cpu:"x86_64", reference:"dhcp-libs-4.2.5-42.el7_2.1")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "dhclient / dhcp / dhcp-common / dhcp-debuginfo / dhcp-devel / etc");
  }
}

NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2018-1453.NASL |
description | An update for dhcp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109814 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109814 |
title | CentOS 7 : dhcp (CESA-2018:1453) |
code |
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2018:1453 and
# CentOS Errata and Security Advisory 2018:1453 respectively.
#

include("compat.inc");

if (description)
{
  script_id(109814);
  script_version("1.12");
  script_cvs_date("Date: 2019/12/31");

  script_cve_id("CVE-2018-1111");
  script_xref(name:"RHSA", value:"2018:1453");
  script_xref(name:"IAVA", value:"2018-A-0162");

  script_name(english:"CentOS 7 : dhcp (CESA-2018:1453)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An update for dhcp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue."
  );
  # https://lists.centos.org/pipermail/centos-announce/2018-May/022831.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?9178ebc5"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected dhcp packages.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1111");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'DHCP Client Command Injection (DynoRoot)');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:dhclient");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:dhcp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:dhcp-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:dhcp-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:dhcp-libs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/16");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);

flag = 0;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"dhclient-4.2.5-68.el7.centos.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"dhcp-4.2.5-68.el7.centos.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"dhcp-common-4.2.5-68.el7.centos.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"dhcp-devel-4.2.5-68.el7.centos.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"dhcp-libs-4.2.5-68.el7.centos.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "dhclient / dhcp / dhcp-common / dhcp-devel / dhcp-libs");
}


NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2018-1453.NASL |
description | From Red Hat Security Advisory 2018:1453 : An update for dhcp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109826 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109826 |
title | Oracle Linux 7 : dhcp (ELSA-2018-1453) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2018-1459.NASL |
description | An update for dhcp is now available for Red Hat Enterprise Linux 6.6 Advanced Update Support and Red Hat Enterprise Linux 6.6 Telco Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109845 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109845 |
title | RHEL 6 : dhcp (RHSA-2018:1459) |

NASL family | Amazon Linux Local Security Checks |
NASL id | AL2_ALAS-2018-1021.NASL |
description | Command injection vulnerability in the DHCP client NetworkManager integration script : A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Amazon Linux 2. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Note: Amazon Linux 2 does not use NetworkManager by default, however it is recommended to install this update. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 110194 |
published | 2018-05-30 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/110194 |
title | Amazon Linux 2 : dhcp (ALAS-2018-1021) |

NASL family | Scientific Linux Local Security Checks |
NASL id | SL_20180515_DHCP_ON_SL7_X.NASL |
description | Security Fix(es) : - A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Scientific Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) |
last seen | 2020-03-18 |
modified | 2018-05-16 |
plugin id | 109850 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109850 |
title | Scientific Linux Security Update : dhcp on SL7.x x86_64 (20180515) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2018-1525.NASL |
description | An update for rhvm-appliance is now available for Red Hat Virtualization 4 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal. The following packages have been upgraded to a later upstream version: rhvm-appliance (4.2). (BZ#1558801, BZ#1563545) Security Fix(es) : * python-paramiko: Authentication bypass in transport.py (CVE-2018-7750) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196) * jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968) * ovirt-engine: account enumeration through login to web console (CVE-2018-1073) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Chris McCown for reporting CVE-2018-8088. The CVE-2017-12196 issue was discovered by Jan Stourac (Red Hat). Enhancement(s) : * Previously, the default memory allotment for the RHV-M Virtual Appliance was always large enough to include support for user additions. In this release, the RHV-M Virtual Appliance includes a swap partition that enables the memory to be increased when required. (BZ#1422982) * Previously, the partitioning scheme for the RHV-M Virtual Appliance included two primary partitions, |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109910 |
published | 2018-05-18 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109910 |
title | RHEL 7 : Virtualization (RHSA-2018:1525) |

NASL family | NewStart CGSL Local Security Checks |
NASL id | NEWSTART_CGSL_NS-SA-2019-0021_DHCP.NASL |
description | The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has dhcp packages installed that are affected by multiple vulnerabilities: - It was found that the DHCP daemon did not properly clean up closed OMAPI connections in certain cases. A remote attacker able to connect to the OMAPI port could use this flaw to exhaust file descriptors in the DHCP daemon, leading to a denial of service in the OMAPI functionality. (CVE-2017-3144) - A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Note that Nessus has not tested for this issue but has instead relied only on the application |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 127178 |
published | 2019-08-12 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/127178 |
title | NewStart CGSL CORE 5.04 / MAIN 5.04 : dhcp Multiple Vulnerabilities (NS-SA-2019-0021) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2018-36058ED9F2.NASL |
description | fix for CVE-2018-1111 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-05 |
modified | 2018-05-16 |
plugin id | 109820 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109820 |
title | Fedora 27 : 12:dhcp (2018-36058ed9f2) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2018-1454.NASL |
description | An update for dhcp is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109840 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109840 |
title | RHEL 6 : dhcp (RHSA-2018:1454) |

NASL family | OracleVM Local Security Checks |
NASL id | ORACLEVM_OVMSA-2018-0042.NASL |
description | The remote OracleVM system is missing necessary patches to address critical security updates : - Added oracle-errwarn-message.patch - Resolves: #1570897 - Fix command execution in NM script (CVE-2018-1111) - Resolves: #1550085 - CVE-2018-5733 Avoid reference overflow <[12:4.1.1-53.P1.2 - Resolves: #1550083 - CVE-2018-5732 Avoid options buffer overflow - Resolves: #1063217 - failover hangs with both potential-conflict |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109830 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109830 |
title | OracleVM 3.3 / 3.4 : dhcp (OVMSA-2018-0042) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2018-1458.NASL |
description | An update for dhcp is now available for Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109844 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109844 |
title | RHEL 6 : dhcp (RHSA-2018:1458) |

NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2019-1379.NASL |
description | According to the versions of the dhcp packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - It was found that the DHCP daemon did not properly clean up closed OMAPI connections in certain cases. A remote attacker able to connect to the OMAPI port could use this flaw to exhaust file descriptors in the DHCP daemon, leading to a denial of service in the OMAPI functionality. (CVE-2017-3144) - DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 124882 |
published | 2019-05-14 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/124882 |
title | EulerOS Virtualization for ARM 64 3.0.1.0 : dhcp (EulerOS-SA-2019-1379) |

NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2018-1123.NASL |
description | According to the versions of the dhcp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) - ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet. (CVE-2015-8605) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-05-06 |
modified | 2018-05-29 |
plugin id | 110127 |
published | 2018-05-29 |
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/110127 |
title | EulerOS 2.0 SP2 : dhcp (EulerOS-SA-2018-1123) |

NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2018-1122.NASL |
description | According to the versions of the dhcp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) - ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet. (CVE-2015-8605) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-05-06 |
modified | 2018-05-29 |
plugin id | 110126 |
published | 2018-05-29 |
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/110126 |
title | EulerOS 2.0 SP1 : dhcp (EulerOS-SA-2018-1122) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2018-1453.NASL |
description | An update for dhcp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109839 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109839 |
title | RHEL 7 : dhcp (RHSA-2018:1453) |

NASL family | Scientific Linux Local Security Checks |
NASL id | SL_20180515_DHCP_ON_SL6_X.NASL |
description | Security Fix(es) : - A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Scientific Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) |
last seen | 2020-03-18 |
modified | 2018-05-16 |
plugin id | 109849 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109849 |
title | Scientific Linux Security Update : dhcp on SL6.x i386/x86_64 (20180515) |

NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2018-1454.NASL |
description | An update for dhcp is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109815 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109815 |
title | CentOS 6 : dhcp (CESA-2018:1454) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2018-1460.NASL |
description | An update for dhcp is now available for Red Hat Enterprise Linux 6.5 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109846 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109846 |
title | RHEL 6 : dhcp (RHSA-2018:1460) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2018-23CA7A6798.NASL |
description | fix for CVE-2018-1111 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-05 |
modified | 2019-01-03 |
plugin id | 120293 |
published | 2019-01-03 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/120293 |
title | Fedora 28 : 12:dhcp (2018-23ca7a6798) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2018-1524.NASL |
description | Updated redhat-virtualization-host packages that fix several bugs and add various enhancements are now available. The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109909 |
published | 2018-05-18 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109909 |
title | RHEL 7 : Virtualization (RHSA-2018:1524) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2018-1455.NASL |
description | An update for dhcp is now available for Red Hat Enterprise Linux 7.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109841 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109841 |
title | RHEL 7 : dhcp (RHSA-2018:1455) |

NASL family | NewStart CGSL Local Security Checks |
NASL id | NEWSTART_CGSL_NS-SA-2019-0129_DHCP.NASL |
description | The remote NewStart CGSL host, running version MAIN 4.05, has dhcp packages installed that are affected by a vulnerability: - A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Note that Nessus has not tested for this issue but has instead relied only on the application |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 127381 |
published | 2019-08-12 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/127381 |
title | NewStart CGSL MAIN 4.05 : dhcp Vulnerability (NS-SA-2019-0129) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2018-1456.NASL |
description | An update for dhcp is now available for Red Hat Enterprise Linux 7.3 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109842 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109842 |
title | RHEL 7 : dhcp (RHSA-2018:1456) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2018-5392896132.NASL |
description | fix for CVE-2018-1111 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-05 |
modified | 2018-05-17 |
plugin id | 109874 |
published | 2018-05-17 |
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109874 |
title | Fedora 26 : 12:dhcp (2018-5392896132) |

NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2018-1188.NASL |
description | According to the version of the dhcp packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-05-06 |
modified | 2018-07-03 |
plugin id | 110852 |
published | 2018-07-03 |
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/110852 |
title | EulerOS 2.0 SP3 : dhcp (EulerOS-SA-2018-1188) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2018-1461.NASL |
description | An update for dhcp is now available for Red Hat Enterprise Linux 6.4 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es) : * A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Red Hat would like to thank Felix Wilhelm (Google Security Team) for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109847 |
published | 2018-05-16 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109847 |
title | RHEL 6 : dhcp (RHSA-2018:1461) |

NASL family | Amazon Linux Local Security Checks |
NASL id | ALA_ALAS-2018-1024.NASL |
description | Command injection vulnerability in the DHCP client NetworkManager integration script A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Amazon Linux 2. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111) Note: As mentioned above, the fix for this issue is in the NetworkManager integration script included with the dhcp package. The severity of this advisory has been lowered to a low as the Amazon Linux AMI does not use NetworkManager. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 110198 |
published | 2018-05-30 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/110198 |
title | Amazon Linux AMI : dhcp (ALAS-2018-1024) |

Packetstorm
data source | https://packetstormsecurity.com/files/download/147698/dynorootdhcp-exec.txt |
id | PACKETSTORM:147698 |
last seen | 2018-05-19 |
published | 2018-05-18 |
reporter | Kevin Kirsche |
source | https://packetstormsecurity.com/files/147698/DynoRoot-DHCP-Command-Injection.html |
title | DynoRoot DHCP Command Injection |

data source | https://packetstormsecurity.com/files/download/148172/rhel_dhcp_client_command_injection.rb.txt |
id | PACKETSTORM:148172 |
last seen | 2018-06-13 |
published | 2018-06-12 |
reporter | Felix Wilhelm |
source | https://packetstormsecurity.com/files/148172/DHCP-Client-Command-Injection-DynoRoot.html |
title | DHCP Client Command Injection (DynoRoot) |
Saint
bid | 104195 |
description | Red Hat DHCP client NetworkManager integration script command injection |
id | misc_dhcpnetman |
title | redhat_dhcp_client_networkmanager |
type | client |
Seebug
bulletinFamily | exploit |
description | Red Hat has been made aware of a command injection flaw found in a script included in the DHCP client (dhclient) packages in Red Hat Enterprise Linux 6 and 7. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager which is configured to obtain network configuration using the DHCP protocol. ### Information The DHCP protocol is used to configure network-related information in hosts from a central server. When a host is connected to a network, it can issue DHCP requests to fetch network configuration parameters such as IP address, default router IP, DNS servers, and more. The DHCP client package dhclient provided by Red Hat has a script /etc/NetworkManager/dispatcher.d/11-dhclient (in Red Hat Enterprise Linux 7) or /etc/NetworkManager/dispatcher.d/10-dhclient (in Red Hat Enterprise Linux 6) for the NetworkManager component, which is executed each time NetworkManager receives a DHCP response from a DHCP server. A malicious DHCP response could cause the script to execute arbitrary shell commands with root privileges. ### Impacted Products Red Hat Product Security has rated this issue (CVE-2018-1111) as having a security impact of Critical. The following Red Hat product versions are impacted: * Red Hat Enterprise Linux Server 6 * Red Hat Enterprise Linux Server 7 |
id | SSV:97290 |
last seen | 2018-06-26 |
modified | 2018-05-16 |
published | 2018-05-16 |
reporter | My Seebug |
source | https://www.seebug.org/vuldb/ssvid-97290 |
title | DHCP Client Script Code Execution Vulnerability(CVE-2018-1111) |
The Hacker News
id | THN:5EF52673FFBE9DE255C1F2F387D2A84B |
last seen | 2018-05-15 |
modified | 2018-05-15 |
published | 2018-05-15 |
reporter | Mohit Kumar |
source | https://thehackernews.com/2018/05/linux-dhcp-hacking.html |
title | Red Hat Linux DHCP Client Found Vulnerable to Command Injection Attacks |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1111
- https://access.redhat.com/security/vulnerabilities/3442151
- https://access.redhat.com/errata/RHSA-2018:1524
- https://access.redhat.com/errata/RHSA-2018:1461
- https://access.redhat.com/errata/RHSA-2018:1460
- https://access.redhat.com/errata/RHSA-2018:1459
- https://access.redhat.com/errata/RHSA-2018:1458
- https://access.redhat.com/errata/RHSA-2018:1457
- https://access.redhat.com/errata/RHSA-2018:1456
- https://access.redhat.com/errata/RHSA-2018:1455
- https://access.redhat.com/errata/RHSA-2018:1454
- https://access.redhat.com/errata/RHSA-2018:1453
- http://www.securitytracker.com/id/1040912
- https://www.exploit-db.com/exploits/44652/
- http://www.securityfocus.com/bid/104195
- https://www.exploit-db.com/exploits/44890/
- https://www.tenable.com/security/tns-2018-10
- https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CDCLLCHYFFXW354HMB5QBXOQOY5BH2EJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IDJA4QRR74TMXW34Q3DYYFPVBYRTJBI7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMTTB54QNTPD2SK6UL32EVQHMZP6BUUD/