Red Hat admin? Get off Twitter and patch this DHCP client bug

Red Hat has announced a critical vulnerability in its DHCP client and while it doesn't have a brand name it does have a Tweetable proof-of-concept. Discovered by Googler Felix Wilhelm, CVE-2018-1111 is a command injection bug in the Red Hat Enterprise Linux and derivative DHCP clients. Wilhelm Tweeted: “CVE 2018-1111 is a …

  1. Anonymous Coward

    Is this dependent on Netcat?

    I always wondered why netcat is installed in every 'nix and Android OS if it can be abused.

    1. Maventi

      Re: Is this dependent on Netcat?

      > I always wondered why netcat is installed in every 'nix...

      Except that it isn't; try a minimal RHEL or CentOS 7 install for example.

      What I would like to know however is why NetworkManager counts as necessary for a 'minimal' install.

      1. fandom

        Re: Is this dependent on Netcat?

        "why NetworkManager counts as necessary for a 'minimal' install."

        Because it manages the network

        1. This post has been deleted by its author

        2. HieronymusBloggs

          Re: Is this dependent on Netcat?

          "Because it manages the network"

          ...for those who don't know how to do it using traditional Unix-type facilities.

            1. Gene Cash

            Re: Is this dependent on Netcat?

            >> "Because it manages the network"

            > ...for those who don't know how to do it using traditional Unix-type facilities.

            And we wonder why RedHat invented systemd...

            1. Anonymous Coward

              Re: Is this dependent on Netcat?

              > And we wonder why RedHat invented systemd...

              Not as such. Poettering "invented" it (pinched it off?), RedHat compounded that transgression by inflicting it on everyone, using viral tentacles into Gnome et al.

              Every bit the "embrace and extend and ..." method.

              For all its faults and fragility, NetworkManager at least has the good graces to be avoidable, i.e. you don't need to use it if other methods suit you. For now. And to be fair, NetworkManager does seem to have improved somewhat over time -- I still don't use it anywhere near servers, but I've tried it on a migratory laptop and it's ... OK. Still no tangible benefit for me, but ... OK.

              I could be wrong, but my impression is reported NM bugs do seem to get addressed, seemingly without as much conflict and opposition from the maintainers as happens with systemd's devs ("it's not a bug, you're just doing it wrong").

    2. This post has been deleted by its author

    3. Anonymous Coward

      Re: Is this dependent on Netcat?

      > I always wondered why netcat is installed in every 'nix and Android OS if it can be abused.

      Better not include gcc, ruby, python, perl, bash, or anything that can be programmed to open a socket then. (I do have a python telnet client script written up for that absurd practice of not including telnet client for the same exact reason).

      netcat is a tool with zero special abilities, the target is the problem. There are 1000's of things that can do the same job as netcat.

  2. herman

    I think one could do the same with any networked utility with an exec function such as ssh. Maybe even find could be made to work.

    1. Anonymous Coward

      A malicious dhcp *server* on your network can get a remote root shell on the (Red Hat) *client*.

      This is because the dhcp client will execute shell stuff sent in a response from the dhcp server.

  3. JakeMS

    And...

    Patched!

  4. Christian Berger

    From the people who brought you...

    NetworkManager and Systemd

    1. BeardyOldUnixGit

      Re: From the people who brought you...

      Before you get on your high horse, note that *any* dhcp client which can in some way be convinced to set a shell variable from a DHCP response will be vulnerable to this sort of trick.

      The more good old-fashioned shell scripting you have in your setup, the bigger your attack surface.

  5. Sheepykins

    yum erase NetworkManager

    1. This post has been deleted by its author

  6. SiFly

    chroot

    Why doesn't it at least chroot into a safe(r) environment ...

  7. Alistair

    Umm

    not installing NWM or DHCP client on managed server installations kinda helps here.

  8. jdavis255

    Looks like they patched the vulnerability well before they announced it

    [root@rhel75vm ~]# rpm -q --changelog dhcp-common | head
    * Tue Apr 24 2018 Pavel Zhukov <pzhukov@redhat.com> - 12:4.2.5-68.1
    - Resolves: #1570898 - Fix CVE-2018-1111: Do not parse backslash as escape character
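
The changelog entry quoted in the last comment describes the fix as no longer parsing backslash as an escape character. As an added illustration (not the Red Hat script and not code from anyone in this thread), the following shows what that difference looks like in POSIX shell, assuming the parsing is done with `read`: plain `read` consumes backslashes and joins lines, `read -r` keeps the input byte for byte. The function names and the sample option lines are constructed for this example.

```shell
#!/bin/sh
# Added illustration: how `read` and `read -r` treat backslashes in
# name=value lines handed to a shell hook. All names here are hypothetical.

# Constructed sample input, three option lines:
#   line 1 carries a backslash-escaped single quote
#   line 2 ends in a backslash
#   line 3 is an ordinary value
sample_options() {
    printf '%s\n' "host_name=a\\'b" 'domain=example.test\' 'mtu=1500'
}

# Backslash parsed as an escape character: `read` without -r drops the
# backslash in front of a character and treats backslash-newline as a
# line continuation, so the records no longer match what was sent.
parse_legacy() {
    while IFS= read line; do
        printf '[%s]\n' "$line"
    done
}

# Backslash kept literally: `read -r` returns each line unchanged, so
# any escaping applied by an earlier layer survives intact.
parse_fixed() {
    while IFS= read -r line; do
        printf '[%s]\n' "$line"
    done
}

# Count the records a parser produced from the sample input.
count_records() {
    sample_options | "$1" | wc -l | tr -d ' '
}

echo "without -r: $(count_records parse_legacy) records"
sample_options | parse_legacy
echo "with -r:    $(count_records parse_fixed) records"
sample_options | parse_fixed
```

Without `-r` the escaped quote loses its backslash and the second and third options are merged into one record; with `-r` all three lines come through as sent.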
