Red Hat DHCP: Gateway to Full Root Access

Red Hat Enterprise Linux (RHEL) is a popular distribution used by many organizations for servers and other network endpoints. Two free operating systems, Fedora and CentOS, have also branched out of RHEL. US-CERT issued an alert Wednesday that a critical vulnerability had been discovered in the NetworkManager application and in how it handles Dynamic Host Configuration Protocol (DHCP) responses. A crafted response could lead to arbitrary commands being run on the system with full root privileges.
When a device connects to a network and is configured to use DHCP (as most endpoints are), it broadcasts a request on the network stating that it needs an IP address and other related network information. When the DHCP server receives the request, it assigns an IP address to the requestor and sends a response with the address as well as other network configuration parameters such as DNS servers. This allows automatic, central management of network addresses so that duplicate addresses, which would cause routing and traffic problems, do not occur.

Google researcher Felix Wilhelm discovered a vulnerability in the NetworkManager package included in RHEL and related operating systems. This package runs a script to set the network configuration on the host when a response from a DHCP server is received. However, the script is vulnerable to malicious responses that can cause arbitrary commands to be run on the host with root privileges. For instance, a reverse remote terminal session could be opened, allowing the attacker to run commands on the host at will with full access. A malicious response can be sent by someone spoofing a DHCP server on the local network, or by a legitimate DHCP server that has already been compromised. While this does require the attacker and target to be on the same local network, that condition is met on a shared public Wi-Fi connection, or can be reached in combination with another attack that compromises other machines on the local network.
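The DHCP response described above carries its configuration parameters as a sequence of type-length-value options. The following Python parser is an added example, not code from the article, Red Hat or NetworkManager: it decodes an options field from constructed sample bytes and flags text-valued options that contain shell metacharacters, the kind of check a network sensor or a hardened dispatcher script could apply before any option value is handed to a shell. The option names follow RFC 2132; the metacharacter set, the sample packets and the idea of treating such values as suspicious are assumptions made for illustration and are not a description of the patched script's logic.

```python
"""Parse a DHCP options field (RFC 2132 TLV layout) and flag string-typed
options whose values contain shell metacharacters.

Added example; not code from the article, Red Hat or NetworkManager.
The sample packets are constructed for illustration, and the metacharacter
heuristic is an assumption about what a defender might watch for.
"""
import ipaddress

# Options that carry free-form text (names from RFC 2132).
STRING_OPTIONS = {12: "host-name", 15: "domain-name", 17: "root-path"}
# Options that carry one or more IPv4 addresses.
IP_LIST_OPTIONS = {1: "subnet-mask", 3: "router", 6: "domain-name-server", 42: "ntp-servers"}
# Characters that a POSIX shell would interpret if the value were interpolated
# unquoted into a command line (assumed set for this check).
SHELL_META = set("`$;|&<>(){}'\"\\\n")


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value_bytes} for a DHCP options field.

    `payload` is the options field only (the bytes after the magic cookie).
    Option 0 is one-byte padding; option 255 ends the list.
    """
    options = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} declares {length} bytes but only {len(value)} present")
        options[code] = value
        i += 2 + length
    return options


def decode_option(code: int, raw: bytes):
    """Decode a raw option value into a list of addresses, a string, or hex."""
    if code in IP_LIST_OPTIONS:
        if len(raw) % 4:
            raise ValueError(f"option {code} is not a whole number of IPv4 addresses")
        return [str(ipaddress.IPv4Address(raw[j : j + 4])) for j in range(0, len(raw), 4)]
    if code in STRING_OPTIONS:
        return raw.decode("ascii", errors="replace")
    return raw.hex()


def suspicious_options(options: dict) -> list:
    """Return (code, name, value) for every string option containing shell metacharacters."""
    findings = []
    for code, name in STRING_OPTIONS.items():
        if code in options:
            text = options[code].decode("ascii", errors="replace")
            if SHELL_META & set(text):
                findings.append((code, name, text))
    return findings


def build_options(*fields) -> bytes:
    """Encode (code, bytes) pairs as a TLV options field ending in 255 (used for constructed samples)."""
    out = bytearray()
    for code, value in fields:
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)


# Constructed samples: a benign offer and one whose domain-name carries a metacharacter.
BENIGN = build_options((1, bytes([255, 255, 255, 0])), (3, bytes([192, 168, 1, 1])), (15, b"corp.example"))
SUSPICIOUS = build_options((1, bytes([255, 255, 255, 0])), (15, b"corp.example;true"))

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        opts = parse_dhcp_options(pkt)
        names = {**IP_LIST_OPTIONS, **STRING_OPTIONS}
        print(label, {names.get(c, c): decode_option(c, v) for c, v in opts.items()})
        print("  flagged:", suspicious_options(opts))
```

The underlying design point is that DHCP option values are data supplied by whoever answers on the local network; a script that consumes them should pass them as arguments to a program, not splice them into a command string, and a monitoring check like the one above gives a cheap signal when a server starts handing out values that only make sense as shell syntax.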
Patches for this vulnerability have already been released for most systems, and users are urged to update immediately. Patches released so far cover RHEL versions 6 and 7 and Fedora versions 26, 27, and 28. Red Hat Virtualization 4.1 is also vulnerable, but NetworkManager is turned off there by default; Red Hat Virtualization 4.2 contains the fix. CentOS has also patched the vulnerability in version 7. Additionally, there is a workaround of disabling or removing the vulnerable script, but Red Hat says “…this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers.” Patching is recommended over the workaround.

Sources: 