Vulnerability: Red Hat DHCP Client Script Code Execution – CVE-2018-1111

A vulnerability affecting Red Hat DHCP Services was released via Twitter on May 16th. The exploit, tagged as Dynoroot by the research community and cataloged as CVE-2018-1111, allows an attacker to spoof a DHCP response and execute arbitrary commands with root privileges on a vulnerable Red Hat host. The vulnerability was discovered by Felix Wilhelm of Google, who stated the exploit could fit in a Tweet. Approximately six hours later, Barkın Kılıç, a Penetration Tester for Innovera, posted a proof-of-concept of the exploit using Dnsmasq, a lightweight service that can provide DHCP services.

The vulnerable platforms include the following:

• RHEL 6
• RHEL 7
• Red Hat Fedora 28
• Red Hat Enterprise Virtualization 4.1 (includes vulnerable components)

Proficio Threat Intelligence Recommendations:

• Patch vulnerable Red Hat Operating Systems ASAP
• Many IDPS vendors are releasing signatures for this attack (ex: Palo Alto – 40739 – RedHat DHCP Client Script Remote Code Execution Vulnerability). Put these signatures in block mode if possible if no well-known false positives are detected.
• Make sure monitoring includes visibility of suspicious east / west traffic, especially for DHCP activity to and from RHEL servers.

General Info – Click Here

Twitter POC – Click Here