Cve-2018-1111 Red Hat DHCP client vulnerability

Usage and Config Patch
1

https://access.redhat.com/security/cve/cve-2018-1111

This looks awfully nasty

A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

2

One might consider a quick Fixlet to check DHCP on your RHEL 6 and 7 boxes?

Perhaps checking files in
/etc/sysconfig/network-scripts/ifcfg-eth0
for
BOOTPROTO=dhcp

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/s1-dhcp-configuring-client

Would that work? Would it be comprehensive?

1 Like
3

I believe a vulnerable system must also have NetworkManager installed and configured. It’s behind a RedHat Subscription Paywall, but there are details on NetworkManager at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/deployment_guide/index#ch-NetworkManager

We can check for NetworkManager via the presence of RPM package “NetworkManager”, and check for a running daemon via

~]# service NetworkManager status
    NetworkManager (pid  1527) is running...

(in my environment we don’t have NetworkManager installed so I cannot verify the command line or what it’s actual process name would be for a Relevance check)

4

try this:

   (names of it,
    pid of it,
    name of user of it|"",
    (pathname of image files of it) | (“no path”) ,
    (version of image files of it) as string | (“no version”) )
    of processes whose (name of it contains “NetworkManager")

-jgo

5

This came across my desk.

(names of it, version of it) of packages whose (version of it < "4.1.1" as version and (name of it contains "Network" or Name of it contains "dhcp")) of rpm

or if you are using this in a fixlet or task:
exists packages whose (version of it < "4.1.1" as version and (name of it contains "Network" or Name of it contains "dhcp")) of rpm

this could be used with an action script like:

wait yum -y update dhcp dhcp-common dhclient dhcp-debuginfo dhcp-level

-jgo

6

Content was released for this CVE back in May, soon after the patches were made available. Search for Errata RHSA-2018:1453 and RHSA-2018:1454 in the console/WebUI.

2 Likes