
Vulnerability: Red Hat DHCP Client Script Code Execution – CVE-2018-1111

A vulnerability affecting Red Hat DHCP Services was disclosed via Twitter on May 16th. The vulnerability, tagged as Dynoroot by the research community and cataloged as CVE-2018-1111, allows an attacker who spoofs a DHCP response to execute arbitrary commands with root privileges on a vulnerable Red Hat host. It was discovered by Felix Wilhelm of Google, who stated the exploit could fit in a Tweet. Approximately six hours later, Barkın Kılıç, a Penetration Tester for Innovera, posted a proof-of-concept of the exploit using Dnsmasq, a lightweight service that can provide DHCP services.

The vulnerable platforms include the following:

  • RHEL 6
  • RHEL 7
  • Red Hat Fedora 28
  • Red Hat Enterprise Virtualization 4.1 (includes vulnerable components)

Proficio Threat Intelligence Recommendations:

  • Patch vulnerable Red Hat Operating Systems ASAP
  • Many IDPS vendors are releasing signatures for this attack (e.g., Palo Alto – 40739 – RedHat DHCP Client Script Remote Code Execution Vulnerability). Where possible, put these signatures in block mode, provided no well-known false positives are detected.
  • Make sure monitoring includes visibility of suspicious east-west traffic, especially DHCP activity to and from RHEL servers.
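
As an illustration of the DHCP monitoring recommendation above, the following added example (not from the original advisory or from any vendor signature) inspects raw DHCP payloads and flags replies from servers outside an allow-list, plus shell metacharacters in text-valued options. The allow-list address, the set of options inspected, the metacharacter set and the sample packets are all assumptions constructed for the example.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
AUTHORIZED_SERVERS = {"10.0.0.2"}    # assumption: your real DHCP servers
TEXT_OPTIONS = {12: "host-name", 15: "domain-name", 252: "wpad"}  # assumption
SHELL_META = set(b"'`$;&|")          # heuristic, not a vendor signature

def parse_options(payload: bytes) -> dict:
    """Parse the TLV option area of a BOOTP/DHCP payload (RFC 2131/2132)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                               # pad option has no length
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    return opts

def inspect_reply(payload: bytes) -> list:
    """Return findings for one DHCP message; requests yield no findings."""
    opts = parse_options(payload)
    if payload[0] != 2:                             # op 2 = BOOTREPLY
        return []
    findings = []
    sid = opts.get(54, b"")                         # option 54 = server identifier
    server = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "unknown"
    if server not in AUTHORIZED_SERVERS:
        findings.append(f"reply from unauthorized DHCP server {server}")
    for code, name in TEXT_OPTIONS.items():
        if SHELL_META & set(opts.get(code, b"")):
            findings.append(f"shell metacharacter in option {code} ({name})")
    return findings

def build_reply(server_ip: str, text_opts: dict, op: int = 2) -> bytes:
    """Build a constructed sample packet (test data, not captured traffic)."""
    body = bytes([op, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE
    body += b"\x35\x01\x05" + bytes([54, 4]) + ipaddress.IPv4Address(server_ip).packed
    for code, value in text_opts.items():
        body += bytes([code, len(value)]) + value
    return body + b"\xff"

if __name__ == "__main__":
    print(inspect_reply(build_reply("10.0.0.2", {15: b"corp.example"})))
    print(inspect_reply(build_reply("10.0.0.66", {12: b"host'name"})))
```

Feed it the UDP payloads of port 67/68 traffic from a capture or sensor; it does not handle option overload (option 52), so treat it as a triage aid alongside the IDPS signatures.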
