Bugzilla – Bug 1093364
VUL-0: CVE-2018-1111: dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script
Last modified: 2018-05-15 13:47:03 UTC
A command injection vulnerability was found in the 11-dhclient script provided by dhcp-client, located in /etc/NetworkManager/dispatcher.d/11-dhclient. An attacker on the local network who is able to spoof DHCP responses, or a malicious DHCP server, can execute arbitrary commands with root privileges on the client system by exploiting this vulnerability.
The script seems to be shipped only by Red Hat (see http://vault.centos.org/7.4.1708/updates/Source/SPackages/dhcp-4.2.5-58.el7.centos.3.src.rpm), so we are not affected by this.