Vulnerability CVE-2018-1111


Published: 2018-05-17

Description:
DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

See advisories in our WLB2 database:
Topic
Author
Date
High
DynoRoot DHCP Command Injection
Kevin Kirsche
21.05.2018
Med.
DHCP Client Command Injection (DynoRoot)
Felix Wilhelm
13.06.2018

Type:

CWE-77

(Improper Neutralization of Special Elements used in a Command ('Command Injection'))

Vendor: Redhat
Product: Enterprise linux 
Version:
7.5
7.4
7.3
7.2
7.0
6.7
6.6
6.5
6.4
6
Product: Enterprise linux desktop 
Version: 7.0; 6.0;
Product: Enterprise linux server 
Version: 7.0; 6.0;
Product: Enterprise linux workstation 
Version: 7.0; 6.0;
Product: Enterprise virtualization 
Version: 4.2; 4.0;
Product: Enterprise virtualization host 
Version: 4.0;
Vendor: Fedoraproject
Product: Fedora 
Version:
28
27
26

CVSS2 => (AV:A/AC:M/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.9/10
10/10
5.5/10
Exploit range
Attack complexity
Authentication
Adjacent network
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://www.securityfocus.com/bid/104195
http://www.securitytracker.com/id/1040912
https://access.redhat.com/errata/RHSA-2018:1453
https://access.redhat.com/errata/RHSA-2018:1454
https://access.redhat.com/errata/RHSA-2018:1455
https://access.redhat.com/errata/RHSA-2018:1456
https://access.redhat.com/errata/RHSA-2018:1457
https://access.redhat.com/errata/RHSA-2018:1458
https://access.redhat.com/errata/RHSA-2018:1459
https://access.redhat.com/errata/RHSA-2018:1460
https://access.redhat.com/errata/RHSA-2018:1461
https://access.redhat.com/errata/RHSA-2018:1524
https://access.redhat.com/security/vulnerabilities/3442151
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1111
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CDCLLCHYFFXW354HMB5QBXOQOY5BH2EJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDJA4QRR74TMXW34Q3DYYFPVBYRTJBI7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMTTB54QNTPD2SK6UL32EVQHMZP6BUUD/
https://www.exploit-db.com/exploits/44652/
https://www.exploit-db.com/exploits/44890/
https://www.tenable.com/security/tns-2018-10

Related CVE
CVE-2018-14348
libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666 regardless of the configured umask, leading to disclosure of information.
CVE-2017-12173
It was found that sssd's sysdb_search_user_by_upn_res() function before 1.16.0 did not sanitize requests when querying its local cache and was vulnerable to injection. In a centralized login environment, if a password hash was locally cached for a gi...
CVE-2018-10871
389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective ...
CVE-2018-10852
The UNIX pipe which sudo uses to contact SSSD and read the available sudo rules from SSSD has too wide permissions, which means that anyone who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available fo...
CVE-2017-2668
389-ds-base before versions 1.3.5.17 and 1.3.6.10 is vulnerable to an invalid pointer dereference in the way LDAP bind requests are handled. A remote unauthenticated attacker could use this flaw to make ns-slapd crash via a specially crafted LDAP bin...
CVE-2018-10850
389-ds-base before versions 1.4.0.10, 1.3.8.3 is vulnerable to a race condition in the way 389-ds-base handles persistent search, resulting in a crash if the server is under load. An anonymous attacker could use this flaw to trigger a denial of servi...
CVE-2018-10196
NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library in Graphviz 2.40.1 allows remote attackers to cause a denial of service (application crash) via a crafted file.
CVE-2018-1089
389-ds-base before versions 1.4.0.9, 1.3.8.1, 1.3.6.15 did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-sl...

Copyright 2018, cxsecurity.com

 

Back to Top