A vulnerability affecting Red Hat DHCP Services was released via Twitter on May 16th. The exploit, tagged as Dynoroot by the research community and cataloged as CVE-2018-1111, allows an attacker to spoof a DHCP response and execute arbitrary commands with root privileges on a vulnerable Red Hat host. The vulnerability was discovered by Felix Wilhelm of Google, who stated the exploit could fit in a Tweet. Approximately six hours later, Barkın Kılıç, a Penetration Tester for Innovera, posted a proof-of-concept of the exploit using Dnsmasq, a lightweight service that can provide DHCP services.
The vulnerable platforms include the following:
- RHEL 6
- RHEL 7
- Red Hat Fedora 28
- Red Hat Enterprise Virtualization 4.1 (includes vulnerable components)
Proficio Threat Intelligence Recommendations:
- Patch vulnerable Red Hat Operating Systems ASAP
- Many IDPS vendors are releasing signatures for this attack (ex: Palo Alto – 40739 – RedHat DHCP Client Script Remote Code Execution Vulnerability). Put these signatures in block mode where possible, once no well-known false positives have been observed.
- Make sure monitoring includes visibility of suspicious east / west traffic, especially for DHCP activity to and from RHEL servers.
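As an added example, not code from the advisory or from Red Hat, the following Python detector illustrates the DHCP monitoring recommendation above: it parses a DHCP reply and flags OFFER/ACK/NAK messages whose Server Identifier (option 54) is not on an allow-list of authorized DHCP servers, which is the precondition for the spoofed response this vulnerability relies on. The allow-list address and the sample packet are constructed assumptions.

```python
from ipaddress import IPv4Address

# Constructed allow-list: the only DHCP servers expected to answer on this segment.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.1"}

DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP payload (RFC 2131 layout).
    The fixed BOOTP header is 236 bytes, followed by the 4-byte magic cookie."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, no length byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return options


def classify_dhcp_message(payload: bytes, authorized=AUTHORIZED_DHCP_SERVERS) -> dict:
    """Flag server-originated replies whose Server Identifier is not authorized."""
    opts = parse_dhcp_options(payload)
    msg_type = DHCP_MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN")
    server_id = str(IPv4Address(opts[54])) if len(opts.get(54, b"")) == 4 else None
    suspicious = msg_type in ("OFFER", "ACK", "NAK") and server_id not in authorized
    return {"type": msg_type, "server_id": server_id, "suspicious": suspicious}


def build_dhcp_reply(msg_type: int, server_ip: str) -> bytes:
    """Construct a minimal DHCP reply as sample input (not a real capture)."""
    header = bytearray(236)
    header[0] = 2                                   # op = BOOTREPLY
    header[1], header[2] = 1, 6                     # htype Ethernet, hlen 6
    header[4:8] = b"\x12\x34\x56\x78"               # transaction id
    opts = bytes([53, 1, msg_type, 54, 4]) + IPv4Address(server_ip).packed + b"\xff"
    return bytes(header) + DHCP_MAGIC + opts


if __name__ == "__main__":
    print(classify_dhcp_message(build_dhcp_reply(5, "10.0.0.99")))
```

In a deployment the payload would come from a capture on the RHEL segment (UDP port 68 traffic) rather than from build_dhcp_reply, and a flagged message should be correlated with the client's subsequent process activity.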