Lucene search

AmazonALAS2-2018-1021

HistoryMay 24, 2018 - 6:04 p.m.

Critical: dhcp

2018-05-2418:04:00

alas.aws.amazon.com

7.5 High

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

7.9 High

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:A/AC:M/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.9%

JSON

Issue Overview:

Command injection vulnerability in the DHCP client NetworkManager integration script:
A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Amazon Linux 2. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111)

Note: Amazon Linux 2 does not use NetworkManager by default, however it is recommended to install this update.

Affected Packages:

dhcp

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update dhcp to update your system.

New Packages:

src:  
    dhcp-4.2.5-68.amzn2.1.2.src  
  
x86_64:  
    dhcp-4.2.5-68.amzn2.1.2.x86_64  
    dhclient-4.2.5-68.amzn2.1.2.x86_64  
    dhcp-common-4.2.5-68.amzn2.1.2.x86_64  
    dhcp-libs-4.2.5-68.amzn2.1.2.x86_64  
    dhcp-devel-4.2.5-68.amzn2.1.2.x86_64  
    dhcp-debuginfo-4.2.5-68.amzn2.1.2.x86_64

Additional References

Red Hat: CVE-2018-1111

Mitre: CVE-2018-1111

OSVersionArchitecturePackageVersionFilename
Amazon Linux2x86_64dhcp< 4.2.5-68.amzn2.1.2dhcp-4.2.5-68.amzn2.1.2.x86_64.rpm
Amazon Linux2x86_64dhclient< 4.2.5-68.amzn2.1.2dhclient-4.2.5-68.amzn2.1.2.x86_64.rpm
Amazon Linux2x86_64dhcp-common< 4.2.5-68.amzn2.1.2dhcp-common-4.2.5-68.amzn2.1.2.x86_64.rpm
Amazon Linux2x86_64dhcp-libs< 4.2.5-68.amzn2.1.2dhcp-libs-4.2.5-68.amzn2.1.2.x86_64.rpm
Amazon Linux2x86_64dhcp-devel< 4.2.5-68.amzn2.1.2dhcp-devel-4.2.5-68.amzn2.1.2.x86_64.rpm
Amazon Linux2x86_64dhcp-debuginfo< 4.2.5-68.amzn2.1.2dhcp-debuginfo-4.2.5-68.amzn2.1.2.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	2	x86_64	dhcp	< 4.2.5-68.amzn2.1.2	dhcp-4.2.5-68.amzn2.1.2.x86_64.rpm
Amazon Linux	2	x86_64	dhclient	< 4.2.5-68.amzn2.1.2	dhclient-4.2.5-68.amzn2.1.2.x86_64.rpm
Amazon Linux	2	x86_64	dhcp-common	< 4.2.5-68.amzn2.1.2	dhcp-common-4.2.5-68.amzn2.1.2.x86_64.rpm
Amazon Linux	2	x86_64	dhcp-libs	< 4.2.5-68.amzn2.1.2	dhcp-libs-4.2.5-68.amzn2.1.2.x86_64.rpm
Amazon Linux	2	x86_64	dhcp-devel	< 4.2.5-68.amzn2.1.2	dhcp-devel-4.2.5-68.amzn2.1.2.x86_64.rpm
Amazon Linux	2	x86_64	dhcp-debuginfo	< 4.2.5-68.amzn2.1.2	dhcp-debuginfo-4.2.5-68.amzn2.1.2.x86_64.rpm