Security Bulletin: A vulnerability in DHCP affects PowerKVM

2018-07-0623:55:57

www.ibm.com

7.5 High

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

7.9 High

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:A/AC:M/Au:N/C:C/I:C/A:C

JSON

Summary

PowerKVM is affected by a vulnerability in the DHCP client. IBM has now addressed this vulnerability.

Vulnerability Details

CVEID: CVE-2018-1111 DESCRIPTION: The DHCP client packages in Red Hat Enterprise Linux could allow a remote attacker on the local network to execute arbitrary commands on the system, caused by a command injection flaw in the NetworkManager integration script. By spoofing DHCP responses, an attacker could exploit this vulnerability using the DHCP protocol to inject and execute arbitrary commands on the system with root privileges.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143382 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using “yum update”.

Fix images are made available via Fix Central. For version 3.1, see <https://ibm.biz/BdHggw>. This issue is addressed starting with v3.1.0.2 update 14.