Vulnerability CVE-2018-1111


Published: 2018-05-17

Description:
DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

See advisories in our WLB2 database:
Topic
Author
Date
High
DynoRoot DHCP Command Injection
Kevin Kirsche
21.05.2018
Med.
DHCP Client Command Injection (DynoRoot)
Felix Wilhelm
13.06.2018

Type:

CWE-77

(Improper Neutralization of Special Elements used in a Command ('Command Injection'))

Vendor: Redhat
Product: Enterprise linux 
Version:
7.5
7.4
7.3
7.2
7.0
6.7
6.6
6.5
6.4
6
Product: Enterprise linux desktop 
Version: 7.0; 6.0;
Product: Enterprise linux server 
Version: 7.0; 6.0;
Product: Enterprise linux workstation 
Version: 7.0; 6.0;
Product: Enterprise virtualization 
Version: 4.2; 4.0;
Product: Enterprise virtualization host 
Version: 4.0;
Vendor: Fedoraproject
Product: Fedora 
Version:
28
27
26

CVSS2 => (AV:A/AC:M/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.9/10
10/10
5.5/10
Exploit range
Attack complexity
Authentication
Adjacent network
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://www.securityfocus.com/bid/104195
http://www.securitytracker.com/id/1040912
https://access.redhat.com/errata/RHSA-2018:1453
https://access.redhat.com/errata/RHSA-2018:1454
https://access.redhat.com/errata/RHSA-2018:1455
https://access.redhat.com/errata/RHSA-2018:1456
https://access.redhat.com/errata/RHSA-2018:1457
https://access.redhat.com/errata/RHSA-2018:1458
https://access.redhat.com/errata/RHSA-2018:1459
https://access.redhat.com/errata/RHSA-2018:1460
https://access.redhat.com/errata/RHSA-2018:1461
https://access.redhat.com/errata/RHSA-2018:1524
https://access.redhat.com/security/vulnerabilities/3442151
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1111
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CDCLLCHYFFXW354HMB5QBXOQOY5BH2EJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDJA4QRR74TMXW34Q3DYYFPVBYRTJBI7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMTTB54QNTPD2SK6UL32EVQHMZP6BUUD/
https://www.exploit-db.com/exploits/44652/
https://www.exploit-db.com/exploits/44890/
https://www.tenable.com/security/tns-2018-10

Related CVE
CVE-2018-10850
389-ds-base before versions 1.4.0.10, 1.3.8.3 is vulnerable to a race condition in the way 389-ds-base handles persistent search, resulting in a crash if the server is under load. An anonymous attacker could use this flaw to trigger a denial of servi...
CVE-2018-10196
NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library in Graphviz 2.40.1 allows remote attackers to cause a denial of service (application crash) via a crafted file.
CVE-2018-1089
389-ds-base before versions 1.4.0.9, 1.3.8.1, 1.3.6.15 did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-sl...
CVE-2011-0704
389 Directory Server 1.2.7.5, when built with mozldap, allows remote attackers to cause a denial of service (replica crash) by sending an empty modify request.
CVE-2013-0159
The fedora-business-cards package before 1-0.1.beta1.fc17 on Fedora 17 and before 1-0.1.beta1.fc18 on Fedora 18 allows local users to cause a denial of service or write to arbitrary files via a symlink attack on /tmp/fedora-business-cards-buffer.svg.
CVE-2017-2591
389-ds-base before version 1.3.6 is vulnerable to an improperly NULL terminated array in the uniqueness_entry_to_config() function in the "attribute uniqueness" plugin of 389 Directory Server. An authenticated, or possibly unauthenticated, attacker c...
CVE-2014-1400
The entity_access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions and read unpublished comments via unspecified vectors.
CVE-2014-1399
The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on referenced entities via unspecified vectors.

Copyright 2018, cxsecurity.com

 

Back to Top