Red Hat has patched a vulnerability affecting the DHCP client packages that shipped with Red Hat Enterprise Linux 6 and 7. A successful exploit could give an attacker root access and full control over enterprise endpoints.
According to an alert issued Wednesday from US-CERT, the critical-rated flaw, first reported by Google researcher Felix Wilhelm, would “allow attackers to use malicious DHCP server responses to execute arbitrary commands on target systems over the local network,” if those systems use NetworkManager and are configured to obtain dynamic IP addresses.
An attack would take advantage of the way the DHCP protocol is used to dynamically assign IP addresses to computers; i.e., the fact that the endpoint clients essentially broadcast out a query over the local network to obtain an address from a DHCP server.
“When a computer connects to a network, it basically says, hey, I need to know my IP address, and it gets an answer from DHCP,” explained Andrew Ayer, a Linux expert and founder of an SSL certificate management service known as SSLMate, in an interview. “That answer could contain a malicious reply from the server, so that the system gets back not just an IP address, but also a malicious payload. The vulnerability that was patched would allow that payload to execute, so that an attacker could actually be able run commands off the server to that [targeted] system.”
He added, “They get root access, so they have total control of the system, and that’s just game over.”
Christopher Robinson, manager at the Red Hat Product Security Assurance Team told Threatpost, “A possible scenario would be open a reverse remote terminal, allowing attacker to have almost complete control over the target machine.”
He added, “At a minimum, a denial of service would be practical, but through other measures, full remote control over the system could be obtained based on the attacker’s knowledge of the system and ability to create rogue processes/services, or tamper with data files.”
A Google source, who asked not to be named, also told us that the vulnerability could allow lateral escalation (e.g., a compromised web server could propagate to the MySQL server if they are both on the same network).
An attacker may be able to compromise the legitimate DHCP server itself in order to be able to send out the payload in the first place, Ayer added; or, he or she could set up a fake node on the network to masquerade as a legitimate DHCP server, sending out malicious, spoofed responses to normal network addressing queries. In both cases, the bad actor would need to be attached to the same local-area network as the targeted systems in order to exploit the flaw.
“So this is remotely exploitable, with a caveat,” Ayer said. “If someone has Red Hat on their laptop and they take that to a coffee shop, an attacker would be able to attack the laptop over the Wi-Fi network. But someone couldn’t make use of this from across the internet – unless they had gained remote access to a local DHCP server through a separate vulnerability.”
Of course, not many consumers run Linux on their personal machines. Enterprise users however should beware, especially given how mobile of a workforce we are today. As the Google source explained, a computer running a RedHat-based OS, including distros like CentOS, Fedora or RHEL, could be hacked by connecting to Wi-Fi on an airplane or at a hotel or other public space, or if it’s hooked up to a compromised network in a corporate environment.
Ayer added that the situation is a reminder for Linux teams and developers of the “frailty” of shell scripts. Shell, a commonly used programming language on Linux systems, is simply prone to allowing these kinds of flaws to be coded, he said.
“It’s very easy to make a mistake in shell that can lead to this kind of vulnerability; we see vulnerabilities like this from time to time,” he said. “Developers should keep that in mind and reduce their reliance on shell. I would have to recommend moving to more robust programming languages.”
The patches for the client packages for Red Hat Enterprise Linux 6 and 7 can be accessed here. The Fedora and CentOS projects will need to release their own updates. Also, Red Hat said that the Enterprise Virtualization 4.1 package includes the vulnerable components, but the default configuration is not impacted because NetworkManager is turned off in the Management Appliance, and not used in conjunction with DHCP in the hypervisor. Nonetheless, Red Hat Enterprise Virtualization 4.2 includes the fixes.