Vulnerability: Red Hat DHCP Client Script Code Execution – CVE-2018-1111

A vulnerability affecting Red Hat DHCP Services was released via Twitter on May 16th. The exploit, tagged as Dynoroot by the research community and cataloged as CVE-2018-1111, allows an attacker to spoof a DHCP response and execute arbitrary commands with root privileges on a vulnerable Red Hat host. The vulnerability was discovered by Felix Wilhelm of Google, who stated the exploit could fit in a Tweet. Approximately six hours later, Barkın Kılıç, a Penetration Tester for Innovera, posted a proof-of-concept of the exploit using Dnsmasq, a lightweight service that can provide DHCP services.

The vulnerable platforms include the following:

  • RHEL 6
  • RHEL 7
  • Red Hat Fedora 28
  • Red Hat Enterprise Virtualization 4.1 (includes vulnerable components)

Proficio Threat Intelligence Recommendations:

  • Patch vulnerable Red Hat Operating Systems ASAP
  • Many IDPS vendors are releasing signatures for this attack (ex: Palo Alto – 40739 – RedHat DHCP Client Script Remote Code Execution Vulnerability). Put these signatures in block mode if possible if no well-known false positives are detected.
  • Make sure monitoring includes visibility of suspicious east / west traffic, especially for DHCP activity to and from RHEL servers.


General Info – Click Here

Twitter POC – Click Here

Recent Blog Posts

Stay Ahead of Evolving Threats

Sign up for our free newsletter and receive invaluable threat notifications from our Threat Intelligence team.

By submitting this form, you agree to the Proficio Website Terms of Use and the Proficio Privacy Policy.


Experience Tomorrow’s
Security Today

Request a Demo and Experience Proficio's
Innovative Solutions in Action.

By submitting this form, you agree to the Proficio Website Terms of Use and the Proficio Privacy Policy.